█ Ransomware BRAINCIPHER-CANADA 2026-06-02

Squamish.net and Synex International: BrainCipher Ransomware Cross-Continental Attack

The BrainCipher ransomware group has claimed responsibility for a near-simultaneous double strike against critical infrastructure on opposite sides of the world, hitting Canadian regional ISP Squamish.net in British Columbia and Sri Lankan engineering and energy firm Synex International Pvt Ltd. The coordinated activity, reported by UNDERCODE NEWS, disrupted residential and business connectivity in Canada while degrading energy and building management operations in Sri Lanka, raising fresh concerns about ransomware crews targeting operational technology environments across multiple geographies in tightly windowed campaigns.

What Happened

In British Columbia, Squamish.net, a regional telecom and internet service provider, experienced internal system infiltration that forced service degradation and partial shutdowns. Residential subscribers and business customers reported intermittent outages affecting voice, data, and dependent digital services. Almost simultaneously, Synex International Pvt Ltd in Sri Lanka reported severe operational interruption across its Mechanical, Electrical, and Plumbing (MEP) services, Extra-Low Voltage (ELV) systems, and solar energy operations. Engineers were reportedly pushed to manual overrides in some environments after access to operational dashboards and control interfaces was restricted. The temporal proximity between the two intrusions, combined with shared attribution to BrainCipher, suggests a coordinated campaign rather than opportunistic, unrelated events.

What Was Taken

Public disclosures so far focus on operational disruption rather than confirmed data theft volumes, but BrainCipher's established playbook includes data exfiltration alongside encryption. At Squamish.net, exposure risk centers on subscriber records, billing data, network configuration files, and any administrative credentials cached on internal systems. At Synex International, the more sensitive material is likely engineering documentation, MEP and ELV system schematics, building automation configurations, solar plant telemetry, and client project files for downstream infrastructure operators. If exfiltration is confirmed on either side, victims served by these providers, including residential customers and building operators, inherit the downstream exposure.

Why It Matters

This incident illustrates a maturing ransomware pattern: simultaneous strikes against geographically distant but functionally adjacent targets in connectivity and energy. Hitting a regional ISP and an engineering and energy services firm in the same window maximizes societal pressure and complicates incident response coordination, since defenders in each jurisdiction operate in isolation while the threat actor benefits from the combined leverage. It also reinforces that mid-sized regional providers, not just national telecoms or utilities, are squarely in scope for capable ransomware crews. For defenders, the takeaway is that "small enough to be ignored" is no longer a viable threat model when an attacker can chain multiple mid-tier victims into a single coordinated campaign.

The Attack Technique

Initial access vectors have not been publicly confirmed for either intrusion. BrainCipher's prior operations have leaned on exposed remote access services, unpatched edge appliances such as VPN concentrators and firewalls, phishing for valid credentials, and exploitation of internet-facing management interfaces. The group typically follows initial access with credential harvesting, lateral movement to domain controllers and hypervisors, staged data exfiltration, and broad encryption of file servers, virtualization hosts, and backup repositories. In environments like Synex International where operational technology sits adjacent to IT, weak segmentation between corporate networks and OT or building management systems is a likely pivot path worth investigating.

What Organizations Should Do

  1. Audit all internet-exposed remote access, VPN, and management interfaces, and confirm that vendor patches for known-exploited vulnerabilities have been applied.
  2. Enforce phishing-resistant multi-factor authentication on all administrative, remote access, and email accounts, and disable legacy authentication protocols.
  3. Verify network segmentation between corporate IT and operational technology, building management, and ICS environments, and validate that flat-network shortcuts have not been reintroduced.
  4. Confirm that backups are immutable or offline, test restoration end-to-end, and ensure backup infrastructure credentials are isolated from production domain accounts.
  5. Hunt for BrainCipher-aligned indicators including unusual outbound transfers to cloud storage, suspicious use of remote management tools, and unauthorized scheduled tasks or service installations.
  6. Pre-stage an incident response retainer, legal counsel, and regulator notification workflows so that a ransomware event does not become a coordination crisis on day one.
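
A starting point for the hunt in step 5, as an added example that is not from the source report: it runs the three indicator classes (outbound cloud-storage volume, remote management tools, new scheduled tasks or services) over normalized log events. The domain suffix, threshold, tool watch list, account names and sample events are all constructed assumptions, not published BrainCipher indicators.

```python
from collections import defaultdict

# Assumptions (not from the article): tune every value below to your environment.
CLOUD_STORAGE_SUFFIXES = (".cloud-storage.example",)    # placeholder domain suffix
UPLOAD_THRESHOLD_BYTES = 500 * 1024 * 1024              # per host, per review window
RMM_TOOLS = ("anydesk", "teamviewer", "screenconnect")  # sample watch list
APPROVED_RMM = {"screenconnect"}                        # tools IT actually deploys
CHANGE_ACCOUNTS = {"svc_deploy"}                        # accounts allowed to add tasks/services

# Constructed sample events, normalized from proxy logs and Windows event logs
# (4698 = scheduled task created, 7045 = service installed).
EVENTS = [
    {"src": "proxy", "host": "fs01", "dest": "a1.cloud-storage.example", "bytes_out": 400 * 1024 * 1024},
    {"src": "proxy", "host": "fs01", "dest": "a2.cloud-storage.example", "bytes_out": 300 * 1024 * 1024},
    {"src": "proxy", "host": "ws07", "dest": "a1.cloud-storage.example", "bytes_out": 5 * 1024 * 1024},
    {"src": "winlog", "host": "dc01", "event_id": 4698, "user": "jsmith", "detail": r"\Updater"},
    {"src": "winlog", "host": "app02", "event_id": 4698, "user": "svc_deploy", "detail": r"\NightlyPatch"},
    {"src": "winlog", "host": "hv01", "event_id": 7045, "user": "jsmith", "detail": r"C:\ProgramData\AnyDesk\AnyDesk.exe"},
    {"src": "winlog", "host": "ws03", "event_id": 7045, "user": "svc_deploy", "detail": r"C:\Program Files\ScreenConnect\client.exe"},
]

def hunt(events):
    """Return sorted (host, finding) tuples for the three indicator classes."""
    findings, uploads = set(), defaultdict(int)
    for e in events:
        if e["src"] == "proxy" and e["dest"].endswith(CLOUD_STORAGE_SUFFIXES):
            uploads[e["host"]] += e["bytes_out"]  # aggregate, so chunked uploads still trip
        elif e["src"] == "winlog" and e["event_id"] in (4698, 7045):
            detail = e["detail"].lower()
            tool = next((t for t in RMM_TOOLS if t in detail), None)
            if tool and tool not in APPROVED_RMM:
                findings.add((e["host"], f"unapproved remote management tool: {tool}"))
            if e["user"] not in CHANGE_ACCOUNTS:
                kind = "scheduled task" if e["event_id"] == 4698 else "service"
                findings.add((e["host"], f"{kind} created by {e['user']}"))
    for host, total in uploads.items():
        if total > UPLOAD_THRESHOLD_BYTES:
            findings.add((host, "outbound cloud storage volume over threshold"))
    return sorted(findings)

if __name__ == "__main__":
    for host, finding in hunt(EVENTS):
        print(f"{host}: {finding}")
```

Findings on domain controllers, hypervisors and backup hosts deserve first review, since the report names those systems as the usual lateral-movement and encryption targets.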

Sources: Digital Blackout Across Continents: BrainCipher Ransomware Cripples Canadian Telecom and Sri Lankan Energy Systems in Coordinated Cyber Wave + Video - UNDERCODE NEWS