Data Encrypted for Impact

May 1, 2024

ID E1486
Objective(s) Impact
Related ATT&CK Techniques Data Encrypted for Impact (T1486), Data Encrypted for Impact (Mobile) (T1471)
Impact Type Availability
Version 2.3
Created 1 August 2019
Last Modified 30 April 2024

Malware may encrypt files stored on the system to prevent user access until a ransom is paid and/or to interrupt system availability. The encryption process usually iterates over all letter drives in the system (except for CD drives) and then recursively encrypts all files with specific suffixes.

See ATT&CK: Data Encrypted for Impact (T1486) and Data Encrypted for Impact (Mobile) (T1471)

Methods

Name | ID | Description
Ransom Note | E1486.001 | Ransomware displays a ransom note. Ransom notes are sometimes used to link instances of ransomware, even when the code or anti-analysis techniques change.

Use in Malware

Name | Date | Method | Description
CryptoWall | 2014 | E1486.001 | The malware launches Internet Explorer to show ransom notes. [1]
CryptoLocker | 2013 | E1486.001 | The malware launches Internet Explorer to show ransom notes. [2]
Locky Bart | 2017 | -- | Locky Bart encrypts files for ransom without any connection to the Internet. [3]
SamSam | 2015 | -- | SamSam encrypts data to hold for ransom. [4]
Netwalker | 2020 | -- | Netwalker encrypts files for ransom. [5]
WannaCry | 2017 | -- | WannaCry encrypts files for ransom. [6]

Detection

Tool: CAPE | Mapping | APIs
mass_data_encryption | Data Encrypted for Impact (E1486) | CryptEncrypt
ransomware_dmalocker | Data Encrypted for Impact (E1486) | RegSetValueExA
ransomware_revil_regkey | Data Encrypted for Impact (E1486) | --
ransomware_radamant | Data Encrypted for Impact (E1486) | --
ransomware_extensions | Data Encrypted for Impact (E1486) | --
sodinokibi_behavior | Data Encrypted for Impact (E1486) | bind, RegSetValueExW, WinHttpOpen, NtCreateUserProcess, CreateProcessInternalW
ransomware_message | Data Encrypted for Impact (E1486) | NtWriteFile
ransomware_files | Data Encrypted for Impact (E1486) | --
ransomware_file_modifications | Data Encrypted for Impact (E1486) | NtWriteFile, MoveFileWithProgressW, NtCreateFile, MoveFileWithProgressTransactedW
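As an added example (not MBC or CAPE code), the Python below turns the behaviour in the description (walk drives, overwrite files, rename them with a new suffix) and the file-modification APIs in the CAPE mapping (NtWriteFile, MoveFileWithProgressW, MoveFileWithProgressTransactedW) into a simple per-process detector over a constructed API trace. The trace format, the process IDs, the thresholds and the sample paths are all assumptions.

```python
from collections import defaultdict
from pathlib import PureWindowsPath
# Constructed API trace (hypothetical sandbox output, not real CAPE data): (pid, api, path).
# The API names are the ones the CAPE mapping above ties to E1486.
EVENTS = [
    (4242, "NtCreateFile", r"C:\Users\bob\Documents\budget.xlsx"),
    (4242, "NtWriteFile", r"C:\Users\bob\Documents\budget.xlsx"),
    (4242, "MoveFileWithProgressW", r"C:\Users\bob\Documents\budget.xlsx.locked"),
    (4242, "NtWriteFile", r"C:\Users\bob\Pictures\holiday.jpg"),
    (4242, "MoveFileWithProgressW", r"C:\Users\bob\Pictures\holiday.jpg.locked"),
    (4242, "NtWriteFile", r"D:\share\contract.docx"),
    (4242, "MoveFileWithProgressW", r"D:\share\contract.docx.locked"),
    (4242, "NtWriteFile", r"D:\share\notes.txt"),
    (4242, "MoveFileWithProgressW", r"D:\share\notes.txt.locked"),
    (4242, "NtWriteFile", r"C:\Users\bob\Desktop\README_DECRYPT.txt"),  # ransom note drop
    (1337, "NtWriteFile", r"C:\Users\bob\Documents\report.docx"),  # ordinary editor save
    (1337, "MoveFileWithProgressW", r"C:\Users\bob\Documents\report.docx.bak"),
]
WRITE_APIS = {"NtWriteFile"}
RENAME_APIS = {"MoveFileWithProgressW", "MoveFileWithProgressTransactedW"}

def summarize(events):
    """Per process: files overwritten, dirs and drives touched, extensions appended."""
    stats = defaultdict(lambda: {"written": set(), "dirs": set(),
                                 "drives": set(), "new_ext": defaultdict(int)})
    for pid, api, path in events:
        p, s = PureWindowsPath(path), stats[pid]
        if api in WRITE_APIS:
            s["written"].add(str(p))
            s["dirs"].add(str(p.parent))
            s["drives"].add(p.drive.upper())
        elif api in RENAME_APIS and str(p.with_suffix("")) in s["written"]:
            # Rename destination is "<overwritten file>.<ext>": a suffix was appended.
            s["new_ext"][p.suffix.lower()] += 1
    return stats

def flag_mass_encryption(events, min_files=4, min_dirs=3, min_renames=3):
    """Return {pid: ext} for processes overwriting many files across dirs and appending one ext."""
    hits = {}
    for pid, s in summarize(events).items():
        if len(s["written"]) < min_files or len(s["dirs"]) < min_dirs or not s["new_ext"]:
            continue
        ext, count = max(s["new_ext"].items(), key=lambda kv: kv[1])
        if count >= min_renames:
            hits[pid] = ext
    return hits

if __name__ == "__main__":
    for pid, ext in flag_mass_encryption(EVENTS).items():
        print(f"pid {pid}: mass file modification with appended extension {ext}")
```

In a real deployment the thresholds would be tuned against baseline activity of backup agents and editors, which also write and rename many files but rarely append a single new suffix across several drives.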

References

[1] https://news.sophos.com/en-us/2015/12/17/the-current-state-of-ransomware-cryptowall/

[2] https://www.secureworks.com/research/cryptolocker-ransomware

[3] https://blog.malwarebytes.com/threat-analysis/2017/01/locky-bart-ransomware-and-backend-server-analysis/

[4] https://www.cisa.gov/uscert/ncas/alerts/AA18-337A

[5] https://www.trendmicro.com/en_us/research/20/e/netwalker-fileless-ransomware-injected-via-reflective-loading.html

[6] https://www.mandiant.com/resources/blog/wannacry-malware-profile