Home/ATT&CK Technique/Data Encrypted for Impact
ATT&CK Technique

Data Encrypted for Impact

T1486 · impact

Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.

In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted (and often renamed and/or tagged with specific file markers). Adversaries may need to first employ other behaviors, such as File and Directory Permissions Modification or System Shutdown/Reboot, in order to unlock and/or gain access to manipulate these files. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.

Adversaries may also encrypt virtual machines hosted on ESXi or other hypervisors. To maximize impact on the target organization, malware designed for encrypting data may have worm-like features to propagate across a network by leveraging other attack techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares. Encryption malware may also leverage Internal Defacement, such as changing victim wallpapers or ESXi server login messages, or otherwise intimidate victims by sending ransom notes or other messages to connected printers (known as "print bombing").

In cloud environments, storage objects within compromised accounts may also be encrypted. For example, in AWS environments, adversaries may leverage services such as AWS’s Server-Side Encryption with Customer Provided Keys (SSE-C) to encrypt data.

ESXiIaaSLinuxmacOSWindows

Actors Using This

14
iranAgrius
russia_speaking_cybercrimeAkira
russia_speaking_cybercrimeALPHV / BlackCat
latin_america_brazilian_organized_cybercrimeAmavaldo
north_koreaAndariel
unknown_likely_russia_alignedAnubis Ransomware
iranAPT33
iranOilRig
iranAPT35
north_koreaAPT37
north_koreaAPT38
chinaAPT41
russiaAwfulShred
russia_speaking_cybercrime8Base

Likely Attack Path

Techniques the same actors pair with this one distinctively - those showing up among actors who use this technique noticeably more than across all actors (lift > 1.15), grouped by kill-chain phase. The × is that lift multiplier; the shared-actor count is in the tooltip. A near-universal technique pairs with everything at baseline, so its list is short by design.
persistence earlier
T1136.002 · Domain Account ×2.59T1037.003 · Network Logon Script ×2.59
privilege-escalation earlier
T1484.001 · Group Policy Modification ×2.59
impact same
T1529 · System Shutdown/Reboot ×2.59T1488 · Disk Content Wipe ×2.59T1489 · Service Stop ×2.54T1490 · Inhibit System Recovery ×2.52T1561.002 · Disk Structure Wipe ×2.46T1561 · Disk Wipe ×2.40T1561.001 · Disk Content Wipe ×2.39T1491.001 · Internal Defacement ×2.39T1495 · Firmware Corruption ×2.39T1491 · Defacement ×2.37
other same
T1027.007 · Dynamic API Resolution ×2.59T1562.009 · Safe Mode Boot ×2.40

Atomic Tests

10
Executable Atomic Red Team test cases for exercising this technique in a lab. Copy a command, run it on the listed platform, confirm your detections fire.
shlinuxEncrypt files using gpg (FreeBSD/Linux)
Uses gpg to encrypt a file 
echo "#{pwd_for_encrypted_file}" | $which_gpg --batch --yes --passphrase-fd 0 --cipher-algo #{encryption_alg} -o #{encrypted_file_path} -c #{input_file_path}
shlinuxEncrypt files using 7z (FreeBSD/Linux)
Uses 7z to encrypt a file 
$which_7z a -p#{pwd_for_encrypted_file} #{encrypted_file_path} #{input_file_path}
shlinuxEncrypt files using ccrypt (FreeBSD/Linux)
Attempts to encrypt data on target systems as root to simulate an interruption authentication to target system. If root permissions are not available then attempts to encrypt data within user's home directory. 
which_ccencrypt=`which ccencrypt`
cp #{root_input_file_path} #{cped_file_path};
$which_ccencrypt -T -K #{pwd_for_encrypted_file} #{cped_file_path}
shlinuxEncrypt files using openssl (FreeBSD/Linux)
Uses openssl to encrypt a file 
which_openssl=`which openssl`
$which_openssl genrsa -out #{private_key_path} #{encryption_bit_size}
$which_openssl rsa -in #{private_key_path} -pubout -out #{public_key_path}
$which_openssl rsautl -encrypt -inkey #{public_key_path} -pubin -in #{input_file_path} -out #{encrypted_file_path}
command_promptelevatedwindowsPureLocker Ransom Note
building the IOC (YOUR_FILES.txt) for the PureLocker ransomware https://www.bleepingcomputer.com/news/security/purelocker-ransomware-can-lock-files-on-windows-linux-and-macos/ 
echo T1486 - Purelocker Ransom Note > %USERPROFILE%\Desktop\YOUR_FILES.txt
shmacosEncrypt files using 7z utility - macOS
This test encrypts the file(s) using the 7z utility 
7z a -p #{file_password} -mhe=on #{encrypted_file_name} #{input_file_path}
shmacosEncrypt files using openssl utility - macOS
This test encrypts the file(s) using the openssl utility 
openssl enc #{encryption_option} -in #{input_file_path} -out #{output_file_name}
powershellwindowsData Encrypted with GPG4Win
Gpg4win is a Windows tool (also called Kleopatra which is the preferred certificate manager) that uses email and file encryption packages for symmetric encryption. It is used by attackers to encrypt disks. User will need to add pass phrase to encrypt file as automation is not allowed under newer versions.
Set-Content -Path "#{File_to_Encrypt_Location}" -Value "populating this file with some text"  # Create the test.txt file again in case prereqs failed
cmd /c "`"C:\Program Files (x86)\GnuPG\bin\gpg.exe`" --passphrase 'SomeParaphraseBlah' --batch --yes -c `"#{File_to_Encrypt_Location}`""
command_promptelevatedwindowsData Encrypt Using DiskCryptor
DiskCryptor, an open source encryption utility, can be exploited by adversaries for encrypting all disk partitions, including system partitions. This tool was identified in a ransomware campaign, as reported on https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/. The documentation for DiskCryptor can be found at https://github.com/DavidXanatos/DiskCryptor. During the installation process, running dcrypt.exe starts the encryption console. It's important to note that a system reboot is necessary as part of the installation. 
""%PROGRAMFILES%\dcrypt"\#{dcrypt_exe}"
powershellelevatedwindowsAkira Ransomware drop Files with .akira Extension and Ransomnote
Dropping 100 files with random content and .akira File Extension and the Akira Ransomnote to c:\ 
1..100 | ForEach-Object { $out = new-object byte[] 1073741; (new-object Random).NextBytes($out); [IO.File]::WriteAllBytes("c:\test.$_.akira", $out) }
echo "Hi friends" >> $env:Userprofile\Desktop\akira_readme.txt
echo "" >> $env:Userprofile\Desktop\akira_readme.txt
echo "Whatever who you are and what your title is if you' re reading this it means the internal infrastructure of your company is fully or partially dead, all your backups - virtual, physical - everything that we managed to reach - are completely removed. Moreover, we have taken a great amount of your corporate data prior to encryption  Well, for now let's keep all the tears and resentment to ourselves and try to build a constructive dialogue. We're fully aware of what damage we caused by locking your internal sources. At the moment. you have to know: " >> $env:Userprofile\Desktop\akira_readme.txt
echo "1. Dealing with us you will save A LOT due to we are not interested in ruining your financially. We will study in depth your finance, bank income statements, your savings, investments etc. and present our reasonable demand to you. If you have an active cyber insurance, let us know and we will guide you how to properly use it. Also, dragging out the negotiation process will lead to failing of a deal" >> $env:Userprofile\Desktop\akira_readme.txt
echo "2. Paying us you save your TIME, MONEY, EFFORTS and be back on track within 24 hours approximately. Our decryptor works properly on any files or systems, so you will be able to check it by requesting a test decryption service from the beginning of our conversation. [f you decide to recover on your own, keep in mind that you can permanently lose access to some files or accidently corrupt them — in this case we won't be able to help.  " >> $env:Userprofile\Desktop\akira_readme.txt
echo "3. The security report or the exclusive first-hand information that you will receive upon reaching an agreement is of a great value, since NO full audit of your network will show you the vulnerabilities that we' ve managed to detect and used in order to get into. identify backup solutions and upload your data." >> $env:Userprofile\Desktop\akira_readme.txt
echo "4. As for your data, if we fail to agree, we will try to sell personal information/trade secrets/databases/source codes — generally speaking, everything that has a value on the darkmarket - to multiple threat actors at ones." >> $env:Userprofile\Desktop\akira_readme.txt
echo "Then all of this will be published in our blog -" >> $env:Userprofile\Desktop\akira_readme.txt
echo "" >> $env:Userprofile\Desktop\akira_readme.txt
echo "https://akira.onion" >> $env:Userprofile\Desktop\akira_readme.txt
echo "" >> $env:Userprofile\Desktop\akira_readme.txt
echo "5. We're more than negotiable and will definitely find the way to settle this quickly and reach an agreement which will satisfy both of us" >> $env:Userprofile\Desktop\akira_readme.txt
echo "" >> $env:Userprofile\Desktop\akira_readme.txt
echo "If you' re indeed interested in our assistance and the services we provide you can reach out to us following simple instructions:" >> $env:Userprofile\Desktop\akira_readme.txt
echo "" >> $env:Userprofile\Desktop\akira_readme.txt
echo "1. Install TOR Browser to get access to our chat room - https://www.torproject.org/download/." >> $env:Userprofile\Desktop\akira_readme.txt
echo "2. Paste this link - https://akira.onion" >> $env:Userprofile\Desktop\akira_readme.txt
echo "3. Use this code - - to log into our chat." >> $env:Userprofile\Desktop\akira_readme.txt
echo "" >> $env:Userprofile\Desktop\akira_readme.txt
echo "Keep in mind that the faster you will get in touch, the less damage we cause" >> $env:Userprofile\Desktop\akira_readme.txt

Mitigations

2
MITRE ATT&CK mitigations - vendor-agnostic guidance for reducing exposure to this technique.
M1040Behavior Prevention on Endpoint

Behavior Prevention on Endpoint refers to the use of technologies and strategies to detect and block potentially malicious activities by analyzing the behavior of processes, files, API calls, and other endpoint events. Rather than relying solely on known signatures, this approach leverages heuristics, machine learning, and real-time monitoring to identify anomalous patterns indicative of an attack.

Suspicious Process Behavior
  • Implementation: Use Endpoint Detection and Response (EDR) tools to monitor and block processes exhibiting unusual behavior, such as privilege escalation attempts.
  • Use Case: An attacker uses a known vulnerability to spawn a privileged process from a user-level application. The endpoint tool detects the abnormal parent-child process relationship and blocks the action.
Unauthorized File Access
  • Implementation: Leverage Data Loss Prevention (DLP) or endpoint tools to block processes attempting to access sensitive files without proper authorization.
  • Use Case: A process tries to read or modify a sensitive file located in a restricted directory, such as /etc/shadow on Linux or the SAM registry hive on Windows. The endpoint tool identifies this anomalous behavior and prevents it.
Abnormal API Calls
  • Implementation: Implement runtime analysis tools to monitor API calls and block those associated with malicious activities.
  • Use Case: A process dynamically injects itself into another process to hijack its execution. The endpoint detects the abnormal use of APIs like OpenProcess and WriteProcessMemory and terminates the offending process.
Exploit Prevention
  • Implementation: Use behavioral exploit prevention tools to detect and block exploits attempting to gain unauthorized access.
  • Use Case: A buffer overflow exploit is launched against a vulnerable application. The endpoint detects the anomalous memory write operation and halts the process.
M1053Data Backup

Data Backup involves taking and securely storing backups of data from end-user systems and critical servers. It ensures that data remains available in the event of system compromise, ransomware attacks, or other disruptions. Backup processes should include hardening backup systems, implementing secure storage solutions, and keeping backups isolated from the corporate network to prevent compromise during active incidents.

Regular Backup Scheduling
  • Use Case: Ensure timely and consistent backups of critical data.
  • Implementation: Schedule daily incremental backups and weekly full backups for all critical servers and systems.
Immutable Backups
  • Use Case: Protect backups from modification or deletion, even by attackers.
  • Implementation: Use write-once-read-many (WORM) storage for backups, preventing ransomware from encrypting or deleting backup files.
Backup Encryption
  • Use Case: Protect data integrity and confidentiality during transit and storage.
  • Implementation: Encrypt backups using strong encryption protocols (e.g., AES-256) before storing them in local, cloud, or remote locations.
Offsite Backup Storage
  • Use Case: Ensure data availability during physical disasters or onsite breaches.
  • Implementation: Use cloud-based solutions like AWS S3, Azure Backup, or physical offsite storage to maintain a copy of critical data.
Backup Testing
  • Use Case: Validate backup integrity and ensure recoverability.
  • Implementation: Regularly test data restoration processes to ensure that backups are not corrupted and can be recovered quickly.

Detection Coverage

2/6 layers
Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).
Behavioral / log (Sigma) 10
Analytics (MITRE CAR) none
Runtime / container (Falco) none
File / malware (YARA) none
Network (Suricata/Snort) 279
Vuln scan (Nuclei) none

Comply & Defend

NIST 800-53AC-03, AC-06, CM-02, CP-02, CP-06, CP-07, CP-09, CP-10, SI-03, SI-04, SI-07
D3FEND11 defensive techniques
Intelligence Graph · click any node to traverse
CVETechnique ActorTool Family
drag to reposition · click any node to traverse · button top-right enlarges
External lookups - second-class, for what we don’t hold ourselves
MITRE ATT&CKAtomic Red Teamcar (MITRE)
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin