Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.(Citation: US-CERT Ransomware 2016)(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017)(Citation: US-CERT SamSam 2018)
In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted (and often renamed and/or tagged with specific file markers). Adversaries may need to first employ other behaviors, such as File and Directory Permissions Modification or System Shutdown/Reboot, in order to unlock and/or gain access to manipulate these files.(Citation: CarbonBlack Conti July 2020) In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.(Citation: US-CERT NotPetya 2017)
To maximize impact on the target organization, malware designed for encrypting data may have worm-like features to propagate across a network by leveraging other attack techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares.(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017) Encryption malware may also leverage Internal Defacement, such as changing victim wallpapers, or otherwise intimidate victims by sending ransom notes or other messages to connected printers (known as "print bombing").(Citation: NHS Digital Egregor Nov 2020)
In cloud environments, storage objects within compromised accounts may also be encrypted.(Citation: Rhino S3 Ransomware Part 1)
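The encryption pattern described above (many user files rewritten with ciphertext and renamed with a marker extension, by a single process, in a short burst) is also what a file-activity detection keys on. The block below is an added example, not code from MITRE ATT&CK or from any of the mapped vendors. It runs over constructed file-event records whose field names (`ts`, `pid`, `image`, `path`, `new_path`, `sample`) are assumptions modelled loosely on EDR file telemetry, and the thresholds are illustrative starting points rather than tuned values.

```python
import hashlib
import math
from collections import defaultdict

ENTROPY_THRESHOLD = 7.5   # bits/byte; ciphertext (and compressed data) sits near 8.0
MIN_FILES = 5             # distinct files rewritten by one process ...
WINDOW_SECONDS = 60       # ... within this span


def shannon_entropy(data: bytes) -> float:
    """Entropy of `data` in bits per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def extension_changed(old_path: str, new_path: str) -> bool:
    """True when the final suffix differs (report.docx -> report.docx.locked)."""
    old_ext = old_path.rsplit("/", 1)[-1].rpartition(".")[2]
    new_ext = new_path.rsplit("/", 1)[-1].rpartition(".")[2]
    return old_ext != new_ext


def detect_mass_encryption(events):
    """One alert per process that, inside any WINDOW_SECONDS span, rewrote at least
    MIN_FILES distinct files with ciphertext-like content under a new extension."""
    by_process = defaultdict(list)
    for ev in events:
        by_process[ev["pid"]].append(ev)

    alerts = []
    for pid, evs in by_process.items():
        hits = sorted(
            (ev for ev in evs
             if extension_changed(ev["path"], ev["new_path"])
             and shannon_entropy(ev["sample"]) >= ENTROPY_THRESHOLD),
            key=lambda ev: ev["ts"],
        )
        best, start = [], 0
        for end in range(len(hits)):                 # sliding time window over the hits
            while hits[end]["ts"] - hits[start]["ts"] > WINDOW_SECONDS:
                start += 1
            if end - start + 1 > len(best):
                best = hits[start:end + 1]
        if len({ev["path"] for ev in best}) >= MIN_FILES:
            alerts.append({
                "pid": pid,
                "image": best[0]["image"],
                "files": len(best),
                "extensions": sorted({ev["new_path"].rpartition(".")[2] for ev in best}),
            })
    return alerts


# --- constructed sample telemetry (not real data) ---------------------------------

def _ciphertext(plaintext: bytes, key: bytes) -> bytes:
    """Stand-in for ransomware output: plaintext XORed with a SHA-256 counter keystream.
    Not a real cipher, just something with ciphertext-like byte statistics."""
    blocks = len(plaintext) // 32 + 1
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(blocks))
    return bytes(p ^ s for p, s in zip(plaintext, stream))


PLAINTEXT = (b"Quarterly report: revenue, costs, headcount. " * 100)[:4096]   # low entropy

SAMPLE_EVENTS = (
    [  # six user files rewritten by one process in 20 s, each gaining a .locked suffix
        {"ts": 1000 + i * 4, "pid": 4242, "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
         "path": f"/srv/share/docs/file{i}.docx", "new_path": f"/srv/share/docs/file{i}.docx.locked",
         "sample": _ciphertext(PLAINTEXT, b"key" + bytes([i]))}
        for i in range(6)
    ]
    + [  # a backup agent writing encrypted archives in place: high entropy, but no rename
        {"ts": 2000 + i, "pid": 999, "image": "/opt/backup/agent",
         "path": f"/srv/share/docs/file{i}.docx", "new_path": f"/srv/share/docs/file{i}.docx",
         "sample": _ciphertext(PLAINTEXT, b"backup")}
        for i in range(6)
    ]
    + [  # a user doing save-as into another format: renamed, but plaintext content
        {"ts": 3000 + i, "pid": 777, "image": "/usr/bin/libreoffice",
         "path": f"/home/bob/notes{i}.txt", "new_path": f"/home/bob/notes{i}.md",
         "sample": PLAINTEXT}
        for i in range(6)
    ]
)

if __name__ == "__main__":
    for a in detect_mass_encryption(SAMPLE_EVENTS):
        print(f"ALERT pid={a['pid']} image={a['image']} files={a['files']} new_ext={a['extensions']}")
```

Entropy on its own is a weak signal, because archives, images and already-encrypted backups also score near 8 bits per byte; the detection only fires when high entropy coincides with a suffix change and a burst of distinct files from one process, which is why the backup agent and the save-as user above produce no alert. Tune `MIN_FILES` and `WINDOW_SECONDS` against normal activity on the file servers being watched, and pair the rule with canary files that no legitimate process should touch.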
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
PR.IR-03.01 | Alternative resilience mechanisms | Mitigates | T1486 | Data Encrypted for Impact | This diagnostic statement protects against Data Encrypted for Impact through the use of failsafes, backup facilities, disaster recovery, and resilience strategies, including resumption of critical services. |
PR.DS-11.01 | Data backup and replication | Mitigates | T1486 | Data Encrypted for Impact | This diagnostic statement provides protection from adversaries that may encrypt data on target systems in a network to interrupt availability of system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. Implementing a data backup or disaster recovery plan allows organizational data to be restored. Ensure backups are stored off-system and are protected from the common methods adversaries use to reach and destroy backups in order to prevent recovery. |
ID.IM-02.06 | Accurate data recovery | Mitigates | T1486 | Data Encrypted for Impact | This diagnostic statement emphasizes facilitating data recovery through robust data backup strategies, comprehensive disaster recovery plans, and effective business continuity frameworks, specifically designed for scenarios in which adversaries encrypt data on target systems using ransomware. |
PR.IR-04.02 | Availability and capacity management | Mitigates | T1486 | Data Encrypted for Impact | This diagnostic approach safeguards systems and network resources from adversaries seeking to disrupt availability by encrypting data on system and network resources. Implementing mitigation strategies such as data backup enables the restoration of organizational data and critical information. |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CP-07 | Alternate Processing Site | mitigates | T1486 | Data Encrypted for Impact | |
CP-10 | System Recovery and Reconstitution | mitigates | T1486 | Data Encrypted for Impact | |
CP-02 | Contingency Plan | mitigates | T1486 | Data Encrypted for Impact | |
CP-06 | Alternate Storage Site | mitigates | T1486 | Data Encrypted for Impact | |
CP-09 | System Backup | mitigates | T1486 | Data Encrypted for Impact | |
SI-03 | Malicious Code Protection | mitigates | T1486 | Data Encrypted for Impact | |
SI-07 | Software, Firmware, and Information Integrity | mitigates | T1486 | Data Encrypted for Impact | |
CM-02 | Baseline Configuration | mitigates | T1486 | Data Encrypted for Impact | |
SI-04 | System Monitoring | mitigates | T1486 | Data Encrypted for Impact | |
AC-03 | Access Enforcement | mitigates | T1486 | Data Encrypted for Impact | |
AC-06 | Least Privilege | mitigates | T1486 | Data Encrypted for Impact | |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CVE-2021-42258 | BQE BillQuick Web Suite SQL Injection Vulnerability | secondary_impact | T1486 | Data Encrypted for Impact | CVE-2021-42258 is a SQL injection vulnerability in BillQuick Web Suite that allows attackers to execute arbitrary SQL commands on the database server. |
CVE-2023-28252 | Microsoft Windows Common Log File System (CLFS) Driver Privilege Escalation Vulnerability | secondary_impact | T1486 | Data Encrypted for Impact | This vulnerability is exploited by an adversary who has already gained local access to the victim system; successful exploitation yields full SYSTEM privileges. It has been leveraged in the wild by Storm-0506 in an intrusion that deployed Black Basta ransomware: the operation began with a Qakbot infection, exploited CVE-2023-28252 to elevate privileges, used Cobalt Strike and Pypykatz for credential theft and lateral movement, and finally created an "ESX Admins" group, encrypted the ESXi file system and disrupted the hosted VMs. The tactics, techniques and procedures mapped here follow from that exploitation and the associated attack activity. |
CVE-2020-1472 | Microsoft Netlogon Privilege Escalation Vulnerability | secondary_impact | T1486 | Data Encrypted for Impact | CVE-2020-1472 is an elevation of privilege vulnerability in Microsoft's Netlogon Remote Protocol. A remote attacker can exploit it to breach unpatched Active Directory domain controllers and obtain domain administrator access. CVE-2020-1472 has been reported to be exploited by ransomware groups to obtain that level of access during intrusions. |
CVE-2015-8651 | Adobe Flash Player Integer Overflow Vulnerability | secondary_impact | T1486 | Data Encrypted for Impact | This vulnerability is exploited with maliciously crafted code hosted on a website via drive-by compromise. It has been seen used in the wild by exploit kits whose goal is frequently to load ransomware onto the target machine. |
CVE-2023-38831 | RARLAB WinRAR Code Execution Vulnerability | secondary_impact | T1486 | Data Encrypted for Impact | CVE-2023-38831 is a vulnerability in WinRAR's processing of crafted archives: when a user attempts to open a seemingly legitimate document inside a malicious archive, the attacker's code from that specially prepared archive is executed on the system instead. Public reporting describes the FROZENLAKE spear-phishing campaign, FROZENBARENTS, and ISLANDDREAMS leveraging this vulnerability. |
CVE-2023-36884 | Microsoft Windows Search Remote Code Execution Vulnerability | secondary_impact | T1486 | Data Encrypted for Impact | This remote code execution vulnerability in Microsoft Office and Windows has been exploited by the Russian group Storm-0978, also known as RomCom, to distribute ransomware. The group crafted Microsoft Office documents themed around the Ukrainian World Congress that bypass Microsoft's Mark-of-the-Web (MotW) protection, so code executes without a security prompt; the documents were delivered by phishing that enticed victims to open them. On opening, the Underground ransomware executes: it encrypts files, removes shadow copies, terminates MS SQL Server services, erases Windows Event logs, and leaves a ransom note threatening data loss if recovery is attempted without the actor's decryptor. Stolen victim data is published on a data leak website, and the intrusion may also leave backdoors for further exploitation. Microsoft addressed the exploit chain in its security updates by making the relevant file paths unpredictable; additional vulnerabilities in Microsoft Office and Windows were identified afterwards. |
CVE-2023-0669 | Fortra GoAnywhere MFT Remote Code Execution Vulnerability | secondary_impact | T1486 | Data Encrypted for Impact | This vulnerability is a pre-authentication command injection in the License Response Servlet of the GoAnywhere MFT administrative console: the servlet deserializes an attacker-controlled object, so a request to an exposed admin interface yields remote code execution without authentication. It has been actively exploited to compromise targeted systems, leading to ransomware attacks and unauthorized access by the Clop group. |
CVE-2021-44228 | Apache Log4j2 Remote Code Execution Vulnerability | secondary_impact | T1486 | Data Encrypted for Impact | CVE-2021-44228, known as Log4Shell, affects Apache's Log4j library, an open-source logging framework. An actor can exploit it by submitting a specially crafted request to a vulnerable system, causing that system to execute arbitrary code and giving the actor full control of it. The actor can then steal information, launch ransomware, or conduct other malicious activity. |
CVE-2021-34473 | Microsoft Exchange Server Remote Code Execution Vulnerability | secondary_impact | T1486 | Data Encrypted for Impact | CVE-2021-34473 is one of the ProxyShell vulnerabilities in Microsoft Exchange Server: a remote code execution flaw that requires no user action or privileges to exploit. |
CVE-2019-11634 | Citrix Workspace Application and Receiver for Windows Remote Code Execution Vulnerability | secondary_impact | T1486 | Data Encrypted for Impact | A vulnerability in Citrix Receiver for Windows may allow an attacker to gain read/write access to the client's local drives, potentially enabling code execution on the client device, such as deploying ransomware. |
CVE-2016-1019 | Adobe Flash Player Arbitrary Code Execution Vulnerability | secondary_impact | T1486 | Data Encrypted for Impact | This vulnerability is a flaw in Adobe Flash Player as embedded in browsers. In the wild, threat actors have delivered it through browser-based exploit kits via drive-by compromise; after exploitation, adversaries can install their own malware, including ransomware. |
CVE-2009-3960 | Adobe BlazeDS Information Disclosure Vulnerability | primary_impact | T1486 | Data Encrypted for Impact | This vulnerability is exploited through XML injection or XML external entity (XXE) injection. In-the-wild reporting indicates adversaries have used this exploit to establish a web shell on a victim machine; the adversary then took actions to cover their tracks, established persistence, exfiltrated Registry data, escalated privileges, moved laterally, disabled security software, and installed and ran ransomware. |
CVE-2022-22947 | VMware Spring Cloud Gateway Code Injection Vulnerability | secondary_impact | T1486 | Data Encrypted for Impact | This vulnerability is exploited by a remote attacker through a code injection attack to achieve arbitrary remote code execution. CISA has linked it to campaigns by Andariel, which has conducted ransomware operations in support of its cyber espionage activity. |
CVE-2021-45046 | Apache Log4j2 Deserialization of Untrusted Data Vulnerability | secondary_impact | T1486 | Data Encrypted for Impact | CVE-2021-45046 is a Log4j-related vulnerability that has been seen used in cryptomining and ransomware operations. |
CVE-2023-27532 | Veeam Backup & Replication Cloud Connect Missing Authentication for Critical Function Vulnerability | secondary_impact | T1486 | Data Encrypted for Impact | CVE-2023-27532 is a vulnerability in Veeam Backup & Replication servers exposed online that allows unauthenticated users to request encrypted credentials. Public reporting indicates that various ransomware groups have exploited it to gain access to and crash backup infrastructure hosts, extract stored encrypted credentials, and deploy additional tools. |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.malware.variety.Ransomware | Ransomware (encrypt or seize stored data) | related-to | T1486 | Data Encrypted for Impact | |
attribute.availability.variety.Interruption | Interruption | related-to | T1486 | Data Encrypted for Impact | |
attribute.availability.variety.Obscuration | Conversion or obscuration (ransomware) | related-to | T1486 | Data Encrypted for Impact | |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
microsoft_sentinel | Microsoft Sentinel | technique_scores | T1486 | Data Encrypted for Impact | The Microsoft Sentinel Analytics "Sensitive Azure Key Vault Operations" query can identify potential attacker activity intended to delete private key(s) required to decrypt content. |
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | technique_scores | T1486 | Data Encrypted for Impact | This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to mitigating this technique by preventing modification of the local filesystem. Because it is only a recommendation, its score is capped at Partial. |
azure_backup | Azure Backup | technique_scores | T1486 | Data Encrypted for Impact | Data backups provide a significant response to data encryption/ransomware by enabling the restoration of data from backup. |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
backup_and_dr_actifiogo | Backup and DR-Actifio GO | technique_scores | T1486 | Data Encrypted for Impact | Backup and DR-Actifio GO is a copy data management platform that virtualizes application data to improve an organization's resiliency and cloud mobility. It allows an organization to take regular backups and provides several methods of restoring application and/or VM data to a previous state. This gives a significant ability to respond to an adversary maliciously encrypting system data, since the organization can restore data from the latest backup. |
google_secops | Google Security Operations | technique_scores | T1486 | Data Encrypted for Impact | Google Security Operations is able to trigger an alert on suspicious events related to ransomware campaigns (e.g., a rule matching $selection.target.file.md5 = "0c3ef20ede53efbe5eebca50171a589731a17037147102838bdb4a41c33f94e5"; note that the quoted value is 64 hex characters, the length of a SHA-256 digest, despite the md5 field name). This technique was scored as Minimal based on a low or uncertain detection coverage factor. References: https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/ioc_sigma/sysmon/darkgate_cryptocurrency_mining_and_ransomware_campaign__sysmon.yaral and https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/ioc_sigma/windows/formbook_malware__sysmon.yaral |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
amazon_guardduty | Amazon GuardDuty | technique_scores | T1486 | Data Encrypted for Impact | The following GuardDuty finding types flag events where adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability of system and network resources: Impact:S3/MaliciousIPCaller, Stealth:S3/ServerAccessLoggingDisabled, UnauthorizedAccess:S3/MaliciousIPCaller.Custom, UnauthorizedAccess:S3/TorIPCaller, PenTest:S3/PentooLinux, PenTest:S3/ParrotLinux, PenTest:S3/KaliLinux. |
aws_cloudendure_disaster_recovery | AWS CloudEndure Disaster Recovery | technique_scores | T1486 | Data Encrypted for Impact | AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into the AWS Cloud. In the event that data on servers is encrypted (e.g., by ransomware), AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. As a result, this mapping is given a score of Significant. |
aws_config | AWS Config | technique_scores | T1486 | Data Encrypted for Impact | The following AWS Config managed rules can identify configuration problems that should be fixed in order to prevent malicious changes to data encryption within Amazon Simple Storage Service (S3) storage: "s3-bucket-blacklisted-actions-prohibited" checks whether bucket policies prohibit disallowed actions (including encryption configuration changes) for principals from other AWS accounts; "s3-bucket-default-lock-enabled" checks whether a bucket that should be locked in write-once-read-many (WORM) mode is configured to prevent modification; and "s3-bucket-public-write-prohibited" checks whether a bucket is configured to allow public access and modification. All of these rules run on configuration changes. The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure backups and redundancy are in place, which can mitigate the effects of malicious encryption: "aurora-mysql-backtracking-enabled" for data in Aurora MySQL; "db-instance-backup-enabled" and "rds-in-backup-plan" for Amazon Relational Database Service (RDS) data; "dynamodb-in-backup-plan" and "dynamodb-pitr-enabled" for Amazon DynamoDB table contents; "ebs-in-backup-plan" for Elastic Block Store (EBS) volumes; "efs-in-backup-plan" for Amazon Elastic File System (EFS) file systems; "elasticache-redis-cluster-automatic-backup-check" for Amazon ElastiCache Redis cluster data; "redshift-backup-enabled" and "redshift-cluster-maintenancesettings-check" for Redshift; "s3-bucket-replication-enabled" and "s3-bucket-versioning-enabled" for S3 storage; and "cloudfront-origin-failover-enabled" for CloudFront. The coverage factor is partial for these rules, since they are specific to a subset of the available AWS services and will only protect certain types of data against malicious encryption, resulting in an overall score of Partial. |
aws_rds | AWS RDS | technique_scores | T1486 | Data Encrypted for Impact | AWS RDS supports the replication and recovery of database instances. In the event that a database instance is encrypted by an adversary (e.g., ransomware), AWS RDS can be used to restore the database instance to a previous point in time. As a result, this mapping is given a score of Significant. |
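Three of the AWS Config rules named in the AWS Config row above encode properties that a practitioner can evaluate directly from a bucket's configuration: whether versioning keeps prior object versions, whether Object Lock makes those versions immutable, and whether a public principal can write. The block below is an added example, not AWS or MITRE code. It re-implements the intent of s3-bucket-versioning-enabled, s3-bucket-default-lock-enabled and s3-bucket-public-write-prohibited over constructed dictionaries shaped like the responses of boto3's get_bucket_versioning, get_object_lock_configuration and get_bucket_policy (the shapes are simplified, and the bucket name, role and account ID are placeholders), with a weak configuration beside a hardened one.

```python
import fnmatch

# S3 actions an intruder needs to overwrite data, strip protections or lock the owner
# out; compared case-insensitively against policy Action patterns such as "s3:Put*".
WRITE_ACTIONS = {
    "s3:putobject", "s3:deleteobject", "s3:deleteobjectversion",
    "s3:putbucketversioning", "s3:putencryptionconfiguration",
    "s3:putbucketpolicy", "s3:putobjectretention", "s3:bypassgovernanceretention",
}


def _principal_is_public(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"}: anyone, including unauthenticated callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def public_write_actions(policy: dict) -> list:
    """Write actions that any Allow statement with a public principal grants.
    Resource and Condition elements are not evaluated, so the result is conservative
    (it may over-report, never under-report)."""
    found = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        patterns = stmt.get("Action", [])
        for pat in ([patterns] if isinstance(patterns, str) else patterns):
            found.update(a for a in WRITE_ACTIONS if fnmatch.fnmatchcase(a, pat.lower()))
    return sorted(found)


def evaluate_bucket(versioning: dict, object_lock: dict, policy: dict) -> dict:
    """Return {rule name: (COMPLIANT | NON_COMPLIANT, reason)} for the three rules."""
    results = {}

    enabled = versioning.get("Status") == "Enabled"
    results["s3-bucket-versioning-enabled"] = (
        "COMPLIANT" if enabled else "NON_COMPLIANT",
        "prior versions survive an overwrite" if enabled else "an overwrite destroys the only copy",
    )

    cfg = object_lock.get("ObjectLockConfiguration", {})
    retention = cfg.get("Rule", {}).get("DefaultRetention", {})
    locked = cfg.get("ObjectLockEnabled") == "Enabled" and bool(retention)
    if not locked:
        reason = "no WORM retention: object versions can be deleted outright"
    elif retention.get("Mode") == "GOVERNANCE":
        reason = "GOVERNANCE mode: bypassable by principals holding s3:BypassGovernanceRetention"
    else:
        span = f"{retention['Days']} days" if "Days" in retention else f"{retention.get('Years')} years"
        reason = f"COMPLIANCE mode, {span} default retention: no principal can shorten it"
    results["s3-bucket-default-lock-enabled"] = ("COMPLIANT" if locked else "NON_COMPLIANT", reason)

    public = public_write_actions(policy)
    results["s3-bucket-public-write-prohibited"] = (
        "NON_COMPLIANT" if public else "COMPLIANT",
        "public principal may " + ", ".join(public) if public else "no public write grants",
    )
    return results


# Constructed inputs (placeholder names, not a real account): a weak bucket and a hardened one.
WEAK_VERSIONING = {"Status": "Suspended"}
WEAK_LOCK = {}                                   # no Object Lock configuration at all
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:Put*", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::example-backups/*"},
]}

HARDENED_VERSIONING = {"Status": "Enabled"}
HARDENED_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                 "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}}}}
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-writer"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-backups/*"},
]}

if __name__ == "__main__":
    for label, args in (("weak", (WEAK_VERSIONING, WEAK_LOCK, WEAK_POLICY)),
                        ("hardened", (HARDENED_VERSIONING, HARDENED_LOCK, HARDENED_POLICY))):
        print(f"== {label} bucket ==")
        for rule, (status, why) in evaluate_bucket(*args).items():
            print(f"{status:14} {rule}: {why}")
```

The weak bucket fails all three checks, and the "s3:Put*" wildcard is the instructive part: besides overwriting objects it also grants s3:PutBucketVersioning and s3:PutEncryptionConfiguration, which is exactly how an intruder switches off the protections before encrypting. Versioning without Object Lock is only half a mitigation, since an actor with delete rights can remove the old versions too; COMPLIANCE-mode retention is what makes the backup copies survive a compromised identity. To run this against real buckets, feed it the three boto3 responses and treat a missing Object Lock configuration (which the API reports as an error rather than an empty dict) as the weak case.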
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
DEF-CAPP-E5 | Defender for Cloud Apps | Technique Scores | T1486 | Data Encrypted for Impact | This control can detect a range of ransomware-related activities, including encryption. Relevant alerts include "Ransomware activities" and "Unusual file deletion activity (by user)". |