T1471 Data Encrypted for Impact
An adversary may encrypt files stored on a mobile device to prevent the user from accessing them. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
| Item | Value |
|---|---|
| ID | T1471 |
| Sub-techniques | |
| Tactics | TA0034 |
| Platforms | Android |
| Version | 3.2 |
| Created | 25 October 2017 |
| Last Modified | 20 March 2023 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0422 | Anubis | Anubis can use its ransomware module to encrypt device data and hold it for ransom. [3] |
| S1062 | S.O.V.A. | S.O.V.A. has code to encrypt device data with AES. [2] |
| S0298 | Xbot | Xbot can encrypt the victim’s files in external storage (e.g., SD card) and then request a PayPal cash card as ransom. [1] |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0041 | Application Vetting | API Calls |
References
- [1] Cong Zheng, Claud Xiao and Zhi Xu. (2016, February 18). New Android Trojan “Xbot” Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom. Retrieved December 21, 2016.
- [2] Francesco Lubatti, Federico Valentini. (2022, November 8). SOVA malware is back and is evolving rapidly. Retrieved March 30, 2023.
- [3] M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020.