Data Destruction
May 1, 2024
| Field | Value |
|---|---|
| ID | E1485 |
| Objective(s) | Impact |
| Related ATT&CK Techniques | Data Destruction (T1485) |
| Impact Type | Availability |
| Version | 2.2 |
| Created | 1 August 2019 |
| Last Modified | 30 April 2024 |

Malware may deliberately delete, overwrite, or otherwise render inaccessible data on a compromised system: individual files, backups and shadow copies, or disk structures such as the Master Boot Record (MBR). This is typically done to disrupt the victim's operations, to cover the attacker's tracks, or to exert pressure on the victim (for example by removing the recovery options a ransomware victim would otherwise fall back on).
See ATT&CK: Data Destruction (T1485).
Methods
| Name | ID | Description |
|---|---|---|
| Delete Application/Software | E1485.m03 | An application or other software is deleted from the system. |
| Delete Shadow Copies | E1485.m04 | Deletes Volume Shadow Copy data (for example with vssadmin or wmic), removing the snapshots a victim could otherwise restore files from. Commonly seen in ransomware. |
| Empty Recycle Bin | E1485.m02 | Empties the Recycle Bin so that already-deleted files cannot be recovered from it. Also commonly seen in ransomware. |
Use in Malware
| Name | Date | Method | Description |
|---|---|---|---|
| Shamoon | 2012 | -- | A 2018 variant includes a component that erases files and then wipes the Master Boot Record (MBR), preventing file recovery. [1] |
| Rombertik | 2015 | -- | If a specific anti-analysis check fails, the malware will overwrite the Master Boot Record or the user's home folder. [2] |
| BlackEnergy | 2007 | -- | The BlackEnergy 2 variant contains a Destroy plugin that destroys data stored on victim hard drives by overwriting file contents. [3] |
| Conficker | 2008 | -- | Conficker resets system restore points and deletes backup files. [4] |
| MazarBot | 2016 | -- | MazarBot can erase phone data. [5] |
Detection
| Tool: capa | Mapping | APIs |
|---|---|---|
| delete volume shadow copies | Data Destruction::Delete Shadow Copies (E1485.m04) | -- |

| Tool: CAPE | Mapping | APIs |
|---|---|---|
| clears_logs | Data Destruction (E1485) | -- |
| ransomware_recyclebin | Data Destruction (E1485) | -- |
| uses_windows_utilities_cipher | Data Destruction (E1485) | -- |
| anomalous_deletefile | Data Destruction (E1485) | NtDeleteFile, DeleteFileW, DeleteFileA |
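The capa and CAPE entries above are static and sandbox signatures. The following added example (written for this page; it is not MBC, capa or CAPE code) shows the same ideas as host-side detection logic: command-line rules for the Delete Shadow Copies (E1485.m04) and Empty Recycle Bin (E1485.m02) methods from the Methods table, the `cipher /w` free-space wipe that CAPE's `uses_windows_utilities_cipher` signature is named after, and a reimplementation of the `anomalous_deletefile` idea over the three deletion APIs listed. The `Key=Value|Key=Value` log format, the regexes, the per-process threshold and all sample records are constructed assumptions for illustration.

```python
"""Toy detector for the E1485 methods and the capa/CAPE signatures listed on this page.

Added example, not code from MBC, capa or CAPE. Two constructed inputs:
  1. process-creation records in a Sysmon-like "Key=Value|Key=Value" form
     (for the command-line based methods), and
  2. a flat API-call trace of (pid, api, path) tuples (for the
     NtDeleteFile/DeleteFileW/DeleteFileA based "anomalous_deletefile" idea).
The regexes, the log format and the threshold are assumptions for illustration.
"""
import re

# (regex applied to the lower-cased command line, MBC id, label).
# The command patterns are well-known living-off-the-land ways to hit each
# method; the list is illustrative, not exhaustive.
COMMAND_RULES = [
    (r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", "E1485.m04", "Delete Shadow Copies"),
    (r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", "E1485.m04", "Delete Shadow Copies"),
    (r"\bwin32_shadowcopy\b.*\bdelete\b", "E1485.m04", "Delete Shadow Copies"),
    (r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", "E1485", "Delete backup catalog"),
    (r"\bcipher(\.exe)?\b.*\s/w:", "E1485", "Wipe free space (cipher /w)"),
    (r"\$recycle\.bin\b", "E1485.m02", "Empty Recycle Bin"),
    (r"\bclear-recyclebin\b", "E1485.m02", "Empty Recycle Bin"),
]

# File-deletion APIs named in the CAPE anomalous_deletefile row.
DELETE_APIS = {"NtDeleteFile", "DeleteFileW", "DeleteFileA"}


def parse_record(line):
    """Parse one 'Key=Value|Key=Value' record (constructed format) into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def classify_command(cmdline):
    """Return the list of (mbc_id, label) rules that match one command line."""
    low = cmdline.lower()
    return [(mbc_id, label) for pat, mbc_id, label in COMMAND_RULES if re.search(pat, low)]


def scan_process_log(lines):
    """Return (image, mbc_id, label, cmdline) for every record that matches a rule."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        cmd = rec.get("CommandLine", "")
        for mbc_id, label in classify_command(cmd):
            hits.append((rec.get("Image", "?"), mbc_id, label, cmd))
    return hits


def anomalous_deletefile(api_trace, threshold=10):
    """CAPE-style heuristic (reimplemented here, not CAPE's code): flag a pid that
    deletes more than `threshold` distinct paths through the file-deletion APIs.
    Returns {pid: distinct_paths_deleted} for the flagged pids only."""
    per_pid = {}
    for pid, api, path in api_trace:
        if api in DELETE_APIS:
            per_pid.setdefault(pid, set()).add(path.lower())
    return {pid: len(paths) for pid, paths in per_pid.items() if len(paths) > threshold}


# Constructed sample data (not real telemetry).
SAMPLE_PROCESS_LOG = [
    "Image=C:\\Windows\\System32\\vssadmin.exe|CommandLine=vssadmin.exe Delete Shadows /All /Quiet",
    "Image=C:\\Windows\\System32\\wbem\\WMIC.exe|CommandLine=wmic shadowcopy delete",
    "Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd.exe /c rd /s /q C:\\$Recycle.bin",
    "Image=C:\\Windows\\System32\\cipher.exe|CommandLine=cipher.exe /w:C:\\",
    "Image=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad.exe report.txt",
]

# pid 4242 plays a wiper deleting 25 documents (one of them three more times
# through NtDeleteFile); pid 1337 deletes a single scratch file and stays below threshold.
SAMPLE_API_TRACE = (
    [(4242, "DeleteFileW", f"C:\\Users\\victim\\Documents\\report{i}.docx") for i in range(25)]
    + [(4242, "NtDeleteFile", "C:\\Users\\victim\\Documents\\report0.docx")] * 3
    + [(1337, "DeleteFileA", "C:\\Temp\\scratch.log")]
)


if __name__ == "__main__":
    for image, mbc_id, label, cmd in scan_process_log(SAMPLE_PROCESS_LOG):
        print(f"{mbc_id:<10} {label:<28} {image}  [{cmd}]")
    for pid, n in anomalous_deletefile(SAMPLE_API_TRACE).items():
        print(f"E1485      anomalous_deletefile         pid {pid} deleted {n} distinct files")
```

The command-line rules are cheap to run over EDR or Sysmon process-creation events and map directly onto the method IDs in the table; the API-count heuristic needs a call trace (sandbox or ETW) and, like CAPE's signature, trades precision for coverage, so the threshold should be tuned against benign installers and cleanup jobs before it is used for alerting.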
References
[1] https://www.darkreading.com/attacks-breaches/disk-wiping-shamoon-malware-resurfaces-with-file-erasing-malware-in-tow/d/d-id/1333509
[2] https://blogs.cisco.com/security/talos/rombertik
[3] https://securelist.com/be2-extraordinary-plugins-siemens-targeting-dev-fails/68838/
[4] https://en.wikipedia.org/wiki/Conficker
[5] https://heimdalsecurity.com/blog/security-alert-mazar-bot-active-attacks-android-malware/
[6] https://www.darkreading.com/attacks-breaches/disk-wiping-shamoon-malware-resurfaces-with-file-erasing-malware-in-tow