Wasteland.
Ransomware BRAINCIPHER-CANADI 2026-06-02

Squamish.net and Synex International: BrainCipher Ransomware Coordinated Strike

The BrainCipher ransomware group has claimed responsibility for a coordinated wave of attacks that simultaneously crippled a Canadian regional telecom provider and a Sri Lankan energy and engineering firm, knocking out residential connectivity in British Columbia and disrupting solar energy and building management operations in South Asia. The dual incidents, reported through public threat monitoring channels, signal a deliberate escalation in BrainCipher's targeting of essential service providers across continents.

What Happened

In British Columbia, Canada, Squamish.net, a regional internet and telecom provider, suffered a ransomware intrusion that degraded service availability for both residential and business subscribers. Internal systems were partially shut down, producing intermittent outages that cascaded into communication failures for small businesses and local digital services.

Almost simultaneously, Synex International Pvt Ltd in Sri Lanka reported severe operational interruptions across its MEP (Mechanical, Electrical, Plumbing), ELV (Extra-Low Voltage), and solar energy divisions. Operational dashboards and control interfaces were rendered inaccessible, forcing engineering teams to fall back on manual overrides for active building management and renewable energy installations.

The near-simultaneous timing, shared tooling, and consistent extortion posture have led analysts to assess the two intrusions as a coordinated campaign rather than independent compromises.

What Was Taken

BrainCipher's standard operating model combines file encryption with data exfiltration for double-extortion leverage. At Squamish.net, exposure likely includes subscriber records, billing data, network configuration files, and internal administrative credentials tied to ISP back-office systems. At Synex International, the threat actor would have access to engineering project documentation, client building schematics, ELV and solar control system configurations, and operational telemetry feeds. Exact volumes have not been publicly confirmed, but BrainCipher victims have historically appeared on the group's leak site within days of compromise.

Why It Matters

The attacks underscore a continuing shift from opportunistic ransomware toward targeted disruption of operational technology and critical service providers. A telecom outage in a regional Canadian market degrades emergency coordination, payment processing, and remote work. A compromise of a building management and renewable energy integrator in Sri Lanka jeopardizes physical safety systems, energy distribution, and the integrity of OT environments that often lack mature detection capabilities. Defenders should treat this campaign as evidence that BrainCipher is willing to coordinate across geographies to maximize societal pressure and ransom leverage.

The Attack Technique

Public reporting has not yet confirmed the initial access vector for either intrusion. BrainCipher campaigns observed across 2024 and 2025 have typically leveraged exposed remote services, exploitation of unpatched edge appliances, phishing for valid credentials, and abuse of compromised RMM tools. Post-access tradecraft has included Active Directory enumeration, lateral movement via SMB and RDP, disabling of endpoint protection, exfiltration over cloud storage providers, and deployment of a Babuk-derived encryptor across Windows and ESXi hosts.

What Organizations Should Do

  1. Patch and harden internet-facing infrastructure, with priority on VPN concentrators, firewalls, RMM platforms, and any ESXi management interfaces exposed to the public internet.
  2. Enforce phishing-resistant multi-factor authentication on all remote access, privileged accounts, and SaaS administrative consoles.
  3. Segment IT from OT environments and restrict east-west traffic to control system VLANs, with explicit allowlists for engineering workstations.
  4. Maintain immutable, offline backups of operational configurations, billing systems, and engineering project data, and rehearse restoration under degraded-network conditions.
  5. Deploy EDR with tamper protection and monitor for known BrainCipher and Babuk-lineage indicators, including suspicious vssadmin, wmic, and PsExec activity.
  6. Establish an incident response retainer and pre-approved out-of-band communication channels so a telecom or control system outage does not delay coordination.
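For recommendation 5, the following added example (not from the original brief or its source) shows one way to flag suspicious vssadmin, wmic, and PsExec command lines in process-creation telemetry and to escalate when one account combines shadow-copy deletion with remote execution. The rule patterns are generic pre-encryption heuristics assumed for illustration, not confirmed BrainCipher indicators, and the events, hosts, and accounts are constructed.

```python
import re
from collections import defaultdict

# Heuristic rules: assumptions for this example, not confirmed BrainCipher IoCs.
# Benign uses (e.g. "vssadmin list shadows") must not match.
RULES = [
    ("vssadmin_shadow_delete", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("vssadmin_shadow_resize", re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b", re.I)),
    ("wmic_shadow_delete", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("wmic_remote_process", re.compile(r"\bwmic(\.exe)?\b.*/node:\S+.*\bprocess\s+call\s+create\b", re.I)),
    ("psexec_remote_exec", re.compile(r"\bpsexec(64)?(\.exe)?\b.*\\\\[\w.\-]+", re.I)),
]

# Constructed sample of process-creation events (host, account, command line).
SAMPLE_EVENTS = [
    {"host": "FS01", "user": "CORP\\svc_backup", "cmdline": r"C:\Windows\System32\vssadmin.exe list shadows"},
    {"host": "FS01", "user": "CORP\\admin7", "cmdline": r"vssadmin.exe delete shadows /all /quiet"},
    {"host": "FS01", "user": "CORP\\admin7", "cmdline": r"wmic shadowcopy delete /nointeractive"},
    {"host": "WS22", "user": "CORP\\admin7", "cmdline": r"PsExec64.exe \\FS02 -s -d cmd.exe /c C:\Temp\job.bat"},
    {"host": "WS31", "user": "CORP\\jdoe", "cmdline": r"wmic os get caption"},
]

def detect(events):
    """Return one hit per (event, matching rule), in event order."""
    hits = []
    for ev in events:
        for name, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                hits.append({"host": ev["host"], "user": ev["user"], "rule": name})
    return hits

def escalate(hits):
    """Accounts that both tampered with shadow copies and executed remotely."""
    by_user = defaultdict(set)
    for h in hits:
        by_user[h["user"]].add(h["rule"])
    return sorted(
        user for user, rules in by_user.items()
        if any("shadow" in r for r in rules)
        and any(r.startswith(("psexec", "wmic_remote")) for r in rules)
    )

if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for h in hits:
        print(h)
    print("escalate:", escalate(hits))
```

In production the same logic would run over Sysmon Event ID 1 or Windows Security 4688 records with command-line auditing enabled, with allowlists for sanctioned backup and administration accounts.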

Sources: Digital Blackout Across Continents: BrainCipher Ransomware Cripples Canadian Telecom and Sri Lankan Energy Systems in Coordinated Cyber Wave + Video - UNDERCODE NEWS