Currently viewing ATT&CK v8.2 which was live between October 27, 2020 and April 28, 2021. Learn more about the versioning system or see the live site.
TECHNIQUES
Enterprise
Reconnaissance
Active Scanning
Gather Victim Host Information
Gather Victim Identity Information
Gather Victim Network Information
Gather Victim Org Information
Phishing for Information
Search Closed Sources
Search Open Technical Databases
Search Open Websites/Domains
Resource Development
Acquire Infrastructure
Compromise Accounts
Compromise Infrastructure
Develop Capabilities
Establish Accounts
Obtain Capabilities
Initial Access
Phishing
Supply Chain Compromise
Valid Accounts
Execution
Command and Scripting Interpreter
Inter-Process Communication
Scheduled Task/Job
System Services
User Execution
Persistence
Account Manipulation
Boot or Logon Autostart Execution
Boot or Logon Initialization Scripts
Create Account
Create or Modify System Process
Event Triggered Execution
Hijack Execution Flow
Office Application Startup
Pre-OS Boot
Scheduled Task/Job
Server Software Component
Traffic Signaling
Valid Accounts
Privilege Escalation
Abuse Elevation Control Mechanism
Access Token Manipulation
Boot or Logon Autostart Execution
Boot or Logon Initialization Scripts
Create or Modify System Process
Domain Policy Modification
Event Triggered Execution
Hijack Execution Flow
Process Injection
Scheduled Task/Job
Valid Accounts
Defense Evasion
Abuse Elevation Control Mechanism
Access Token Manipulation
Domain Policy Modification
Execution Guardrails
File and Directory Permissions Modification
Hide Artifacts
Hijack Execution Flow
Impair Defenses
Indicator Removal on Host
Masquerading
Modify Authentication Process
Modify Cloud Compute Infrastructure
Modify System Image
Network Boundary Bridging
Obfuscated Files or Information
Pre-OS Boot
Process Injection
Signed Binary Proxy Execution
Signed Script Proxy Execution
Subvert Trust Controls
Traffic Signaling
Trusted Developer Utilities Proxy Execution
Use Alternate Authentication Material
Valid Accounts
Virtualization/Sandbox Evasion
Weaken Encryption
Credential Access
Brute Force
Credentials from Password Stores
Forge Web Credentials
Input Capture
Man-in-the-Middle
Modify Authentication Process
OS Credential Dumping
Steal or Forge Kerberos Tickets
Unsecured Credentials
Discovery
Account Discovery
Permission Groups Discovery
Software Discovery
Virtualization/Sandbox Evasion
Lateral Movement
Remote Service Session Hijacking
Remote Services
Use Alternate Authentication Material
Collection
Archive Collected Data
Data from Configuration Repository
Data from Information Repositories
Data Staged
Email Collection
Input Capture
Man-in-the-Middle
Command and Control
Application Layer Protocol
Data Encoding
Data Obfuscation
Dynamic Resolution
Encrypted Channel
Proxy
Traffic Signaling
Web Service
Exfiltration
Automated Exfiltration
Exfiltration Over Alternative Protocol
Exfiltration Over Other Network Medium
Exfiltration Over Physical Medium
Exfiltration Over Web Service
Impact
Data Manipulation
Defacement
Disk Wipe
Endpoint Denial of Service
Network Denial of Service
Mobile
Initial Access
Execution
Persistence
Privilege Escalation
Defense Evasion
Credential Access
Discovery
Lateral Movement
Collection
Command and Control
Exfiltration
Impact
Network Effects
Remote Service Effects
  1. Home
  2. Techniques
  3. Enterprise
  4. Data Encrypted for Impact

Data Encrypted for Impact

Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.[1][2][3][4] In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.[3]

To maximize impact on the target organization, malware designed for encrypting data may have worm-like features to propagate across a network by leveraging other attack techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares.[2][3]

ID: T1486
Sub-techniques:  No sub-techniques
Tactic: Impact
Platforms: Linux, Windows, macOS
Permissions Required: Administrator, SYSTEM, User, root
Data Sources: File monitoring, Kernel drivers, Process command-line parameters, Process monitoring
Impact Type: Availability
Version: 1.0
Created: 15 March 2019
Last Modified: 14 October 2020

Procedure Examples

Name Description
APT38

APT38 has used Hermes ransomware to encrypt files with AES256.[5]
APT41

APT41 used a ransomware called Encryptor RaaS to encrypt files on the targeted systems and provide a ransom note to the user.[6]
JCry

JCry has encrypted files and demanded Bitcoin to decrypt those files. [7]
LockerGoga

LockerGoga has encrypted files, including core Windows OS files, using RSA-OAEP MGF1 and then demanded Bitcoin be paid for the decryption key.[8][9][10]
Maze

Maze has disrupted systems by encrypting files on targeted machines, claiming to decrypt files if a ransom payment is made. Maze has used the ChaCha algorithm, based on Salsa20, and an RSA algorithm to encrypt files.[11]
Netwalker

Netwalker can encrypt files on infected machines to extort victims.[12]

NotPetya

NotPetya encrypts user files and disk structures like the MBR with 2048-bit RSA.[13][3]
Ragnar Locker

Ragnar Locker encrypts files on the local machine and mapped drives prior to displaying a note demanding a ransom.[14][15]
REvil

REvil can encrypt files on victim systems and demands a ransom to decrypt the files.[16][17][18][19][20][21][22]
RobbinHood

RobbinHood will search for an RSA encryption key and then perform its encryption process on the system files.[23]

Ryuk

Ryuk has used a combination of symmetric (AES) and asymmetric (RSA) encryption to encrypt files. Files have been encrypted with their own AES key and given a file extension of .RYK. Encrypted directories have had a ransom note of RyukReadMe.txt written to the directory.[24]
SamSam

SamSam encrypts victim files using RSA-2048 encryption and demands a ransom be paid in Bitcoin to decrypt those files.[25]
Shamoon

Shamoon has an operational mode for encrypting data instead of overwriting it.[26][27]
SynAck

SynAck encrypts the victims machine followed by asking the victim to pay a ransom. [28]
TA505

TA505 has used a wide variety of ransomware, such as Locky, Jaff, Bart, Philadelphia, and GlobeImposter, to encrypt victim files and demand a ransom payment.[29]
WannaCry

WannaCry encrypts user files and demands that a ransom be paid in Bitcoin to decrypt those files.[30][2][31]
Xbash

Xbash has maliciously encrypted victim's database systems and demanded a cryptocurrency ransom be paid.[32]

Mitigations

Mitigation Description
Data Backup

Consider implementing IT disaster recovery plans that contain procedures for regularly taking and testing data backups that can be used to restore organizational data.[33] Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery.

Detection

Use process monitoring to monitor the execution and command line parameters of binaries involved in data destruction activity, such as vssadmin, wbadmin, and bcdedit. Monitor for the creation of suspicious files as well as unusual file modification activity. In particular, look for large quantities of file modifications in user directories.

In some cases, monitoring for unusual kernel driver installation activity can aid in detection.

References

  1. US-CERT. (2016, March 31). Alert (TA16-091A): Ransomware and Recent Variants. Retrieved March 15, 2019.
  2. Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019.
  3. US-CERT. (2017, July 1). Alert (TA17-181A): Petya Ransomware. Retrieved March 15, 2019.
  4. US-CERT. (2018, December 3). Alert (AA18-337A): SamSam Ransomware. Retrieved March 15, 2019.
  5. FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018.
  6. Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.
  7. Lee, S.. (2019, May 14). JCry Ransomware. Retrieved June 18, 2019.
  8. CarbonBlack Threat Analysis Unit. (2019, March 22). TAU Threat Intelligence Notification – LockerGoga Ransomware. Retrieved April 16, 2019.
  9. Harbison, M.. (2019, March 26). Born This Way? Origins of LockerGoga. Retrieved April 16, 2019.
  10. Greenberg, A. (2019, March 25). A Guide to LockerGoga, the Ransomware Crippling Industrial Firms. Retrieved July 17, 2019.
  11. Kennelly, J., Goody, K., Shilko, J. (2020, May 7). Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents. Retrieved May 18, 2020.
  12. Victor, K.. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading . Retrieved May 26, 2020.
  13. Chiu, A. (2016, June 27). New Ransomware Variant "Nyetya" Compromises Systems Worldwide. Retrieved March 26, 2019.
  14. SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020.
  15. Gold, B. (2020, April 27). Cynet Detection Report: Ragnar Locker Ransomware. Retrieved June 29, 2020.
  16. Mamedov, O, et al. (2019, July 3). Sodin ransomware exploits Windows vulnerability and processor architecture. Retrieved August 4, 2020.
  17. Cylance. (2019, July 3). hreat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020.
  1. Cadieux, P, et al (2019, April 30). Sodinokibi ransomware exploits WebLogic Server vulnerability. Retrieved August 4, 2020.
  2. Saavedra-Morales, J, et al. (2019, October 20). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – Crescendo. Retrieved August 5, 2020.
  3. Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation. Retrieved August 4, 2020.
  4. Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020.
  5. Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.
  6. Lee, S. (2019, May 17). CB TAU Threat Intelligence Notification: RobbinHood Ransomware Stops 181 Windows Services Before Encryption. Retrieved July 29, 2019.
  7. Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.
  8. Palotay, D. and Mackenzie, P. (2018, April). SamSam Ransomware Chooses Its Targets Carefully. Retrieved April 15, 2019.
  9. Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.
  10. Falcone, R. (2018, December 13). Shamoon 3 Targets Oil and Gas Organization. Retrieved March 14, 2019.
  11. Ivanov, A. et al.. (2018, May 7). SynAck targeted ransomware uses the Doppelgänging technique. Retrieved May 22, 2018.
  12. Proofpoint Staff. (2017, September 27). Threat Actor Profile: TA505, From Dridex to GlobeImposter. Retrieved May 28, 2019.
  13. Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved March 25, 2019.
  14. Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware Analysis. Retrieved March 26, 2019.
  15. Xiao, C. (2018, September 17). Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows. Retrieved November 14, 2018.
  16. Ready.gov. (n.d.). IT Disaster Recovery Plan. Retrieved March 15, 2019.