
T1486 Data Encrypted for Impact

Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt the availability of system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware), or to render data permanently inaccessible in cases where the key is not saved or transmitted.[5][2][6][7]

In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted (and often renamed and/or tagged with specific file markers). Adversaries may need to first employ other behaviors, such as File and Directory Permissions Modification or System Shutdown/Reboot, in order to unlock and/or gain access to manipulate these files.[1] In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.[6]

To maximize impact on the target organization, malware designed for encrypting data may have worm-like features to propagate across a network by leveraging other attack techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares.[2][6] Encryption malware may also leverage Internal Defacement, such as changing victim wallpapers, or otherwise intimidate victims by sending ransom notes or other messages to connected printers (known as “print bombing”).[4]

In cloud environments, storage objects within compromised accounts may also be encrypted.[3]
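The cloud case above is worth a concrete detection, because the encryption happens through ordinary storage API calls rather than a process writing files. The following is an added example, not code from the ATT&CK page or from the cited S3 ransomware write-up: it scans S3 data-event records for objects re-written under a server-side encryption key the bucket owner does not control, either a KMS key whose ARN belongs to another account or a customer-supplied key (SSE-C) that the provider never retains. The record layout (eventName, recipientAccountId, userIdentity, and the x-amz-server-side-encryption* request parameters) follows the CloudTrail S3 data-event shape as I know it; the account IDs, bucket, principal, and all records are constructed for the example.

```python
import json
import re
from collections import Counter

OWNER_ACCOUNT = "111111111111"  # constructed victim account id
KMS_ARN = re.compile(r"^arn:aws:kms:[a-z0-9-]+:(\d{12}):key/")
# Calls that (re)write object content; a read never re-encrypts anything.
WRITE_EVENTS = {"PutObject", "CopyObject", "CreateMultipartUpload"}


def classify(record):
    """Return a reason string if the record writes an object under a key the account does not control."""
    if record.get("eventSource") != "s3.amazonaws.com":
        return None
    if record.get("eventName") not in WRITE_EVENTS:
        return None
    params = record.get("requestParameters") or {}
    owner = record.get("recipientAccountId")
    # SSE-C: the caller supplied the key; the provider cannot decrypt later
    if params.get("x-amz-server-side-encryption-customer-algorithm"):
        return "SSE-C: encrypted with a caller-supplied key that the provider does not retain"
    if params.get("x-amz-server-side-encryption") == "aws:kms":
        m = KMS_ARN.match(params.get("x-amz-server-side-encryption-aws-kms-key-id", ""))
        if m and m.group(1) != owner:
            return f"SSE-KMS with a key owned by foreign account {m.group(1)}"
    return None


def scan(lines):
    """Run classify() over JSON-lines records and keep the suspicious writes."""
    alerts = []
    for line in lines:
        rec = json.loads(line)
        reason = classify(rec)
        if reason is None:
            continue
        params = rec["requestParameters"]
        alerts.append({
            "time": rec["eventTime"],
            "principal": rec["userIdentity"]["arn"],
            "bucket": params.get("bucketName"),
            "key": params.get("key"),
            "reason": reason,
        })
    return alerts


def by_principal(alerts):
    """One principal rewriting many objects in one bucket is the ransomware shape."""
    return Counter((a["principal"], a["bucket"]) for a in alerts)


def sample_records():
    """Constructed CloudTrail-style records: five foreign-key copies, one SSE-C put, two benign calls."""
    def rec(event, key, extra, t):
        return json.dumps({
            "eventTime": f"2023-03-08T10:00:{t:02d}Z",
            "eventSource": "s3.amazonaws.com",
            "eventName": event,
            "recipientAccountId": OWNER_ACCOUNT,
            "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{OWNER_ACCOUNT}:user/ci-deploy"},
            "requestParameters": {"bucketName": "acme-finance-archive", "key": key, **extra},
        })
    foreign = {"x-amz-server-side-encryption": "aws:kms",
               "x-amz-server-side-encryption-aws-kms-key-id":
                   "arn:aws:kms:us-east-1:999999999999:key/0f1e2d3c-0000-4000-8000-000000000001"}
    own = {"x-amz-server-side-encryption": "aws:kms",
           "x-amz-server-side-encryption-aws-kms-key-id":
               f"arn:aws:kms:us-east-1:{OWNER_ACCOUNT}:key/7a7a7a7a-0000-4000-8000-000000000002"}
    lines = [rec("CopyObject", f"2022/q{i}-ledger.xlsx", foreign, i) for i in range(1, 6)]
    lines.append(rec("PutObject", "2022/payroll.pdf",
                     {"x-amz-server-side-encryption-customer-algorithm": "AES256"}, 6))
    lines.append(rec("PutObject", "2023/q1-ledger.xlsx", own, 7))  # legitimate write, account's own key
    lines.append(rec("GetObject", "2023/q1-ledger.xlsx", {}, 8))   # reads are out of scope
    return lines


if __name__ == "__main__":
    found = scan(sample_records())
    for a in found:
        print(a["time"], a["principal"], f"s3://{a['bucket']}/{a['key']}", a["reason"])
    print(by_principal(found))
</```

Cross-account KMS keys and SSE-C do have legitimate uses, so the signal is the count per principal and bucket rather than any single record; baseline those before alerting. The check only sees the writes. Whether the earlier plaintext versions survive them depends on object versioning being enabled on the bucket beforehand, which is the point of the versioning advice under M1053 below.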

ID: T1486
Sub-techniques: No sub-techniques
Tactics: TA0040 (Impact)
Platforms: IaaS, Linux, Windows, macOS
Version: 1.4
Created: 15 March 2019
Last Modified: 16 June 2022

Procedure Examples

ID Name Description
G0082 APT38 APT38 has used Hermes ransomware to encrypt files with AES-256.[91]
G0096 APT41 APT41 used a ransomware called Encryptor RaaS to encrypt files on the targeted systems and provide a ransom note to the user.[96]
S0640 Avaddon Avaddon encrypts the victim system using a combination of AES-256 and RSA encryption schemes.[38]
S1053 AvosLocker AvosLocker has encrypted files and network resources using AES-256 and added an .avos, .avos2, or .AvosLinux extension to filenames.[71][72][73][70]
S0638 Babuk Babuk can use ChaCha8 and ECDH to encrypt data.[46][47][48][37]
S0606 Bad Rabbit Bad Rabbit has encrypted files and disks using AES-128-CBC and RSA-2048.[88]
S0570 BitPaymer BitPaymer can import a hard-coded RSA 1024-bit public key, generate a 128-bit RC4 key for each file, and encrypt the file in place, appending .locked to the filename.[43]
S1070 Black Basta Black Basta can encrypt files with the ChaCha20 cipher and uses a multithreaded process to increase speed.[67][59][61][63][64][66][62][65][60]
S1068 BlackCat BlackCat has the ability to encrypt Windows devices, Linux devices, and VMware instances.[52]
C0015 C0015 During C0015, the threat actors used Conti ransomware to encrypt a compromised network.[82]
C0018 C0018 During C0018, the threat actors used AvosLocker ransomware to encrypt files on the compromised network.[73][97]
S0611 Clop Clop can encrypt files using AES, RSA, and RC4 and will add the “.clop” extension to encrypted files.[56][57][58]
S0575 Conti Conti can use CreateIoCompletionPort(), PostQueuedCompletionStatus(), and GetQueuedCompletionStatus() to rapidly encrypt files, excluding those with the extensions .exe, .dll, and .lnk. It has used a different AES-256 encryption key per file with a bundled RSA-4096 public encryption key that is unique for each victim. Conti can use the Windows Restart Manager to ensure files are unlocked and open for encryption.[83][1][81][51][82]
S0625 Cuba Cuba has the ability to encrypt system data and add the “.cuba” extension to encrypted files.[35]
S1033 DCSrv DCSrv has encrypted drives using the core encryption mechanism from DiskCryptor.[34]
S0616 DEATHRANSOM DEATHRANSOM can use public and private key pair encryption to encrypt files for ransom payment.[11]
S0659 Diavol Diavol has encrypted files using an RSA key through the CryptEncrypt API and has appended filenames with “.lock64”.[49]
S0554 Egregor Egregor can encrypt all non-system files using a hybrid AES-RSA algorithm prior to displaying a ransom note.[4][33]
S0605 EKANS EKANS uses standard encryption library functions to encrypt files.[77][78]
G0046 FIN7 FIN7 has encrypted virtual disk volumes on ESXi servers using a version of Darkside ransomware.[93]
S0618 FIVEHANDS FIVEHANDS can use an embedded NTRU public key to encrypt data for ransom.[11][12][13]
S0617 HELLOKITTY HELLOKITTY can use an embedded RSA-2048 public key to encrypt victim data for ransom.[11]
G0119 Indrik Spider Indrik Spider has encrypted domain-controlled systems using BitPaymer.[43]
S0389 JCry JCry has encrypted files and demanded Bitcoin to decrypt those files.[69]
S0607 KillDisk KillDisk has a ransomware component that encrypts files with an AES key that is itself RSA-1028 encrypted.[15]
S0372 LockerGoga LockerGoga has encrypted files, including core Windows OS files, using RSA-OAEP MGF1 and then demanded Bitcoin be paid for the decryption key.[20][21][22]
G0059 Magic Hound Magic Hound has used BitLocker and DiskCryptor to encrypt targeted workstations.[94][95]
S0449 Maze Maze has disrupted systems by encrypting files on targeted machines, claiming to decrypt files if a ransom payment is made. Maze has used the ChaCha algorithm, based on Salsa20, and an RSA algorithm to encrypt files.[80]
S0576 MegaCortex MegaCortex has used the open-source library Mbed Crypto and generated AES keys to carry out the file encryption process.[44][45]
S0457 Netwalker Netwalker can encrypt files on infected machines to extort victims.[68]
S0368 NotPetya NotPetya encrypts user files and disk structures like the MBR with 2048-bit RSA.[18][6][19]
S0556 Pay2Key Pay2Key can encrypt data on victims’ machines using RSA and AES algorithms in order to extort a ransom payment for decryption.[53][54]
S1058 Prestige Prestige has leveraged the CryptoPP C++ library to encrypt files on target systems using AES and appended filenames with .enc.[55]
S0654 ProLock ProLock can encrypt files on a compromised host with RC6, and encrypts the key with RSA-1024.[36]
S0583 Pysa Pysa has used RSA and AES-CBC encryption algorithms to encrypt a list of targeted file extensions.[76]
S0481 Ragnar Locker Ragnar Locker encrypts files on the local machine and mapped drives prior to displaying a note demanding a ransom.[74][75]
S0496 REvil REvil can encrypt files on victim systems and demands a ransom to decrypt the files.[25][26][27][28][29][30][31][32]
S0400 RobbinHood RobbinHood will search for an RSA encryption key and then perform its encryption process on the system files.[16]
S1073 Royal Royal uses a multi-threaded encryption process that can partially encrypt targeted files with the OpenSSL library and the AES-256 algorithm.[84][85][86]
S0446 Ryuk Ryuk has used a combination of symmetric (AES) and asymmetric (RSA) encryption to encrypt files. Files have been encrypted with their own AES key and given a file extension of .RYK. Encrypted directories have had a ransom note of RyukReadMe.txt written to the directory.[50][51]
S0370 SamSam SamSam encrypts victim files using RSA-2048 encryption and demands a ransom be paid in Bitcoin to decrypt those files.[17]
G0034 Sandworm Team Sandworm Team has used Prestige ransomware to encrypt data at targeted organizations in transportation and related logistics industries in Ukraine and Poland.[55]
S0639 Seth-Locker Seth-Locker can encrypt files on a targeted system, appending them with the suffix .seth.[37]
S0140 Shamoon Shamoon has an operational mode for encrypting data instead of overwriting it.[89][90]
S0242 SynAck SynAck encrypts the victim’s machine and then asks the victim to pay a ransom.[42]
G0092 TA505 TA505 has used a wide variety of ransomware, such as Clop, Locky, Jaff, Bart, Philadelphia, and GlobeImposter, to encrypt victim files and demand a ransom payment.[92]
S0595 ThiefQuest ThiefQuest encrypts a set of file extensions on a host, deletes the original files, and provides a ransom note with no contact information.[14]
S0366 WannaCry WannaCry encrypts user files and demands that a ransom be paid in Bitcoin to decrypt those files.[23][2][24]
S0612 WastedLocker WastedLocker can encrypt data and leave a ransom note.[39][40][41]
S0341 Xbash Xbash has maliciously encrypted victims’ database systems and demanded a cryptocurrency ransom be paid.[87]
S0658 XCSSET XCSSET performs AES-CBC encryption on files under ~/Documents, ~/Downloads, and ~/Desktop with a fixed key and renames files to give them a .enc extension. Only files smaller than 500 MB are encrypted.[79]

Mitigations

ID Mitigation Description
M1040 Behavior Prevention on Endpoint On Windows 10, enable cloud-delivered protection and Attack Surface Reduction (ASR) rules to block the execution of files that resemble ransomware.[8]
M1053 Data Backup Consider implementing IT disaster recovery plans that contain procedures for regularly taking and testing data backups that can be used to restore organizational data.[9] Ensure backups are stored off-system and protected from the common methods adversaries use to reach and destroy backups, so that recovery remains possible. Consider enabling versioning in cloud environments to maintain backup copies of storage objects.[10]

Detection

ID Data Source Data Component
DS0010 Cloud Storage Cloud Storage Modification
DS0017 Command Command Execution
DS0022 File File Creation
DS0033 Network Share Network Share Access
DS0009 Process Process Creation

References


  1. Baskin, B. (2020, July 8). TAU Threat Discovery: Conti Ransomware. Retrieved February 17, 2021. 

  2. Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019. 

  3. Gietzen, S. (n.d.). S3 Ransomware Part 1: Attack Vector. Retrieved April 14, 2021. 

  4. NHS Digital. (2020, November 26). Egregor Ransomware The RaaS successor to Maze. Retrieved December 29, 2020. 

  5. US-CERT. (2016, March 31). Alert (TA16-091A): Ransomware and Recent Variants. Retrieved March 15, 2019. 

  6. US-CERT. (2017, July 1). Alert (TA17-181A): Petya Ransomware. Retrieved March 15, 2019. 

  7. US-CERT. (2018, December 3). Alert (AA18-337A): SamSam Ransomware. Retrieved March 15, 2019. 

  8. Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021. 

  9. Ready.gov. (n.d.). IT Disaster Recovery Plan. Retrieved March 15, 2019. 

  10. Gietzen, S. (n.d.). S3 Ransomware Part 2: Prevention and Defense. Retrieved April 14, 2021. 

  11. McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021. 

  12. CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021. 

  13. Matthews, M. and Backhouse, W. (2021, June 15). Handy guide to a new Fivehands ransomware variant. Retrieved June 24, 2021. 

  14. Patrick Wardle. (2020, July 3). OSX.EvilQuest Uncovered part ii: insidious capabilities. Retrieved March 21, 2021. 

  15. Catalin Cimpanu. (2016, December 29). KillDisk Disk-Wiping Malware Adds Ransomware Component. Retrieved January 12, 2021. 

  16. Lee, S. (2019, May 17). CB TAU Threat Intelligence Notification: RobbinHood Ransomware Stops 181 Windows Services Before Encryption. Retrieved July 29, 2019. 

  17. Palotay, D. and Mackenzie, P. (2018, April). SamSam Ransomware Chooses Its Targets Carefully. Retrieved April 15, 2019. 

  18. Chiu, A. (2016, June 27). New Ransomware Variant “Nyetya” Compromises Systems Worldwide. Retrieved March 26, 2019. 

  19. Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al. Retrieved November 25, 2020. 

  20. CarbonBlack Threat Analysis Unit. (2019, March 22). TAU Threat Intelligence Notification – LockerGoga Ransomware. Retrieved April 16, 2019. 

  21. Harbison, M. (2019, March 26). Born This Way? Origins of LockerGoga. Retrieved April 16, 2019. 

  22. Greenberg, A. (2019, March 25). A Guide to LockerGoga, the Ransomware Crippling Industrial Firms. Retrieved July 17, 2019. 

  23. Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved March 25, 2019. 

  24. Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware Analysis. Retrieved March 26, 2019. 

  25. Mamedov, O, et al. (2019, July 3). Sodin ransomware exploits Windows vulnerability and processor architecture. Retrieved August 4, 2020. 

  26. Cylance. (2019, July 3). Threat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020. 

  27. Cadieux, P, et al (2019, April 30). Sodinokibi ransomware exploits WebLogic Server vulnerability. Retrieved August 4, 2020. 

  28. Saavedra-Morales, J, et al. (2019, October 20). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – Crescendo. Retrieved August 5, 2020. 

  29. Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation. Retrieved August 4, 2020. 

  30. Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020. 

  31. Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020. 

  32. Tetra Defense. (2020, March). CAUSE AND EFFECT: SODINOKIBI RANSOMWARE ANALYSIS. Retrieved December 14, 2020. 

  33. Rochberger, L. (2020, November 26). Cybereason vs. Egregor Ransomware. Retrieved December 30, 2020. 

  34. Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022. 

  35. Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021. 

  36. Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021. 

  37. Centero, R. et al. (2021, February 5). New in Ransomware: Seth-Locker, Babuk Locker, Maoloa, TeslaCrypt, and CobraLocker. Retrieved August 11, 2021. 

  38. Yuste, J., Pastrana, S. (2021, February 9). Avaddon ransomware: an in-depth analysis and decryption of infected systems. Retrieved August 19, 2021. 

  39. Symantec Threat Intelligence. (2020, June 25). WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations. Retrieved May 20, 2021. 

  40. Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021. 

  41. Walter, J. (2020, July 23). WastedLocker Ransomware: Abusing ADS and NTFS File Attributes. Retrieved September 14, 2021. 

  42. Ivanov, A. et al. (2018, May 7). SynAck targeted ransomware uses the Doppelgänging technique. Retrieved May 22, 2018. 

  43. Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021. 

  44. Del Fierro, C., Kessem, L. (2020, January 8). From Mega to Giga: Cross-Version Comparison of Top MegaCortex Modifications. Retrieved February 15, 2021. 

  45. ARMmbed. (2018, June 21). Mbed Crypto. Retrieved February 15, 2021. 

  46. Sogeti. (2021, March). Babuk Ransomware. Retrieved August 11, 2021. 

  47. Mundo, A. et al. (2021, February). Technical Analysis of Babuk Ransomware. Retrieved August 11, 2021. 

  48. Sebdraven. (2021, February 8). Babuk is distributed packed. Retrieved August 11, 2021. 

  49. Neeamni, D., Rubinfeld, A. (2021, July 1). Diavol - A New Ransomware Used By Wizard Spider?. Retrieved November 12, 2021. 

  50. Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020. 

  51. Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021. 

  52. Microsoft Defender Threat Intelligence. (2022, June 13). The many lives of BlackCat ransomware. Retrieved December 20, 2022. 

  53. ClearSky. (2020, February 16). Fox Kitten – Widespread Iranian Espionage-Offensive Campaign. Retrieved December 21, 2020. 

  54. Check Point. (2020, November 6). Ransomware Alert: Pay2Key. Retrieved January 4, 2021. 

  55. MSTIC. (2022, October 14). New “Prestige” ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023. 

  56. Mundo, A. (2019, August 1). Clop Ransomware. Retrieved May 10, 2021. 

  57. Santos, D. (2021, April 13). Threat Assessment: Clop Ransomware. Retrieved July 30, 2021. 

  58. Cybereason Nocturnus. (2020, December 23). Cybereason vs. Clop Ransomware. Retrieved May 11, 2021. 

  59. Ballmer, D. (2022, May 6). Black Basta: Rebrand of Conti or Something New?. Retrieved March 7, 2023. 

  60. Check Point. (2022, October 20). BLACK BASTA AND THE UNNOTICED DELIVERY. Retrieved March 8, 2023. 

  61. Cyble. (2022, May 6). New ransomware variant targeting high-value organizations. Retrieved March 7, 2023. 

  62. Elsad, A. (2022, August 25). Threat Assessment: Black Basta Ransomware. Retrieved March 8, 2023. 

  63. Inman, R. and Gurney, P. (2022, June 6). Shining the Light on Black Basta. Retrieved March 8, 2023. 

  64. Sharma, S. and Hegde, N. (2022, June 7). Black basta Ransomware Goes Cross-Platform, Now Targets ESXi Systems. Retrieved March 8, 2023. 

  65. Trend Micro. (2022, September 1). Ransomware Spotlight Black Basta. Retrieved March 8, 2023. 

  66. Vilkomir-Preisman, S. (2022, August 18). Beating Black Basta Ransomware. Retrieved March 8, 2023. 

  67. Zargarov, N. (2022, May 2). New Black Basta Ransomware Hijacks Windows Fax Service. Retrieved March 7, 2023. 

  68. Victor, K. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading. Retrieved May 26, 2020. 

  69. Lee, S. (2019, May 14). JCry Ransomware. Retrieved June 18, 2019. 

  70. FBI, FinCEN, Treasury. (2022, March 17). Indicators of Compromise Associated with AvosLocker Ransomware. Retrieved January 11, 2023. 

  71. Hasherezade. (2021, July 23). AvosLocker enters the ransomware scene, asks for partners. Retrieved January 11, 2023. 

  72. Trend Micro Research. (2022, April 4). Ransomware Spotlight AvosLocker. Retrieved January 11, 2023. 

  73. Venere, G. Neal, C. (2022, June 21). Avos ransomware group expands with new attack arsenal. Retrieved January 11, 2023. 

  74. SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020. 

  75. Gold, B. (2020, April 27). Cynet Detection Report: Ragnar Locker Ransomware. Retrieved June 29, 2020. 

  76. CERT-FR. (2020, April 1). ATTACKS INVOLVING THE MESPINOZA/PYSA RANSOMWARE. Retrieved March 1, 2021. 

  77. Dragos. (2020, February 3). EKANS Ransomware and ICS Operations. Retrieved February 9, 2021. 

  78. Hinchliffe, A., Santos, D. (2020, June 26). Threat Assessment: EKANS Ransomware. Retrieved February 9, 2021. 

  79. Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021. 

  80. Kennelly, J., Goody, K., Shilko, J. (2020, May 7). Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents. Retrieved May 18, 2020. 

  81. Cybleinc. (2021, January 21). Conti Ransomware Resurfaces, Targeting Government & Large Organizations. Retrieved April 13, 2021. 

  82. DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022. 

  83. Rochberger, L. (2021, January 12). Cybereason vs. Conti Ransomware. Retrieved February 17, 2021. 

  84. Cybereason Global SOC and Cybereason Security Research Teams. (2022, December 14). Royal Rumble: Analysis of Royal Ransomware. Retrieved March 30, 2023. 

  85. Iacono, L. and Green, S. (2023, February 13). Royal Ransomware Deep Dive. Retrieved March 30, 2023. 

  86. Morales, N. et al. (2023, February 20). Royal Ransomware Expands Attacks by Targeting Linux ESXi Servers. Retrieved March 30, 2023. 

  87. Xiao, C. (2018, September 17). Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows. Retrieved November 14, 2018. 

  88. Mamedov, O., Sinitsyn, F., Ivanov, A. (2017, October 24). Bad Rabbit ransomware. Retrieved January 28, 2021. 

  89. Falcone, R. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017. 

  90. Falcone, R. (2018, December 13). Shamoon 3 Targets Oil and Gas Organization. Retrieved March 14, 2019. 

  91. FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018. 

  92. Proofpoint Staff. (2017, September 27). Threat Actor Profile: TA505, From Dridex to GlobeImposter. Retrieved May 28, 2019. 

  93. Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021. 

  94. DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023. 

  96. Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019. 

  97. Costa, F. (2022, May 1). RaaS AvosLocker Incident Response Analysis. Retrieved January 11, 2023.