T1486 Data Encrypted for Impact Mappings

Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.(Citation: US-CERT Ransomware 2016)(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017)(Citation: US-CERT SamSam 2018)

In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted (and often renamed and/or tagged with specific file markers). Adversaries may need to first employ other behaviors, such as File and Directory Permissions Modification or System Shutdown/Reboot, in order to unlock and/or gain access to manipulate these files.(Citation: CarbonBlack Conti July 2020) In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.(Citation: US-CERT NotPetya 2017)

To maximize impact on the target organization, malware designed for encrypting data may have worm-like features to propagate across a network by leveraging other attack techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares.(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017) Encryption malware may also leverage Internal Defacement, such as changing victim wallpapers, or otherwise intimidate victims by sending ransom notes or other messages to connected printers (known as "print bombing").(Citation: NHS Digital Egregor Nov 2020)

In cloud environments, storage objects within compromised accounts may also be encrypted.(Citation: Rhino S3 Ransomware Part 1)


Mappings

Capability ID: intel-tdt
Capability Description: Intel Threat Detection Technology
Mapping Type: CrowdStrike AMS
ATT&CK ID: T1486
ATT&CK Name: Data Encrypted for Impact

Comments

Intel Threat Detection Technology's (Intel TDT) targeted malware detection solution applies machine learning to hardware telemetry derived from the CPU to detect sustained malicious code execution patterns, like ransomware and cryptomining, at runtime. Operating on CPU-level data enables TDT to detect malware execution irrespective of deployment scheme, programming language or obfuscation scheme. This enables Microsoft Defender Antivirus to use Intel TDT to help rapidly detect and respond to these threats.

Intel Threat Detection Technology (TDT) and CrowdStrike's Accelerated Memory Scanning (AMS): Defending Against Data Encrypted for Impact Attacks

Intel Threat Detection Technology (TDT), combined with CrowdStrike's Accelerated Memory Scanning (CAMS), enhances cybersecurity defenses by enabling faster, real-time detection of Data Encrypted for Impact attacks. This integrated solution strengthens CrowdStrike Falcon, improving its ability to detect and mitigate cyber threats earlier in the kill chain, all while minimizing system performance impact.

Data Encrypted for Impact refers to the tactic used by adversaries to encrypt data or communication with the intent to cause operational disruption, evade detection, or increase the impact of a cyberattack. This can involve encrypting sensitive files to prevent access or exfiltration, or using encryption as a means to disguise malicious payloads, making it harder for security systems to detect or analyze the malicious data. Ransomware attacks, where data is encrypted and held hostage for a ransom, are a prime example of this tactic.

Intel TDT plays a crucial role in identifying these threats by providing real-time telemetry on program execution, memory access, and control flow. This detailed telemetry helps security teams quickly detect suspicious behaviors, such as the use of encryption algorithms, unauthorized encryption of sensitive data, or abnormal interactions with file systems that could indicate an attempt to encrypt or obfuscate data for malicious purposes.

Capability ID: intel-tdt
Capability Description: Intel Threat Detection Technology
Mapping Type: Microsoft Defender
ATT&CK ID: T1486
ATT&CK Name: Data Encrypted for Impact

Comments

Intel Threat Detection Technology's (Intel TDT) targeted malware detection solution applies machine learning to hardware telemetry derived from the CPU to detect sustained malicious code execution patterns, like ransomware and cryptomining, at runtime. Operating on CPU-level data enables TDT to detect malware execution irrespective of deployment scheme, programming language or obfuscation scheme. This enables Microsoft Defender Antivirus to use Intel TDT to help rapidly detect and respond to these threats.

Intel Threat Detection Technology (TDT) and CrowdStrike's Accelerated Memory Scanning (AMS): Defending Against Data Encrypted for Impact Attacks

Intel Threat Detection Technology (TDT), combined with CrowdStrike's Accelerated Memory Scanning (CAMS), enhances cybersecurity defenses by enabling faster, real-time detection of Data Encrypted for Impact attacks. This integrated solution strengthens CrowdStrike Falcon, improving its ability to detect and mitigate cyber threats earlier in the kill chain, all while minimizing system performance impact.

Data Encrypted for Impact refers to the tactic used by adversaries to encrypt data or communication with the intent to cause operational disruption, evade detection, or increase the impact of a cyberattack. This can involve encrypting sensitive files to prevent access or exfiltration, or using encryption as a means to disguise malicious payloads, making it harder for security systems to detect or analyze the malicious data. Ransomware attacks, where data is encrypted and held hostage for a ransom, are a prime example of this tactic.

Intel TDT plays a crucial role in identifying these threats by providing real-time telemetry on program execution, memory access, and control flow. This detailed telemetry helps security teams quickly detect suspicious behaviors, such as the use of encryption algorithms, unauthorized encryption of sensitive data, or abnormal interactions with file systems that could indicate an attempt to encrypt or obfuscate data for malicious purposes.