T1486 Data Encrypted for Impact Mappings

Adversaries may encrypt data on target systems, or on large numbers of systems in a network, to interrupt the availability of system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to the decryption key. This may be done to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware), or to render data permanently inaccessible in cases where the key is never saved or transmitted.(Citation: US-CERT Ransomware 2016)(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017)(Citation: US-CERT SamSam 2018) In the case of ransomware, common user files such as Office documents, PDFs, images, videos, audio, text, and source code files are typically encrypted. In some cases, adversaries may also encrypt critical system files, disk partitions, and the MBR.(Citation: US-CERT NotPetya 2017)

To maximize impact on the target organization, malware designed for encrypting data may have worm-like features to propagate across a network by leveraging other attack techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares.(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017)

In cloud environments, storage objects within compromised accounts may also be encrypted.(Citation: Rhino S3 Ransomware Part 1)

Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-3 | Access Enforcement | Protects | T1486 | Data Encrypted for Impact |
| AC-6 | Least Privilege | Protects | T1486 | Data Encrypted for Impact |
| CM-2 | Baseline Configuration | Protects | T1486 | Data Encrypted for Impact |
| CP-10 | System Recovery and Reconstitution | Protects | T1486 | Data Encrypted for Impact |
| CP-2 | Contingency Plan | Protects | T1486 | Data Encrypted for Impact |
| CP-6 | Alternate Storage Site | Protects | T1486 | Data Encrypted for Impact |
| CP-7 | Alternate Processing Site | Protects | T1486 | Data Encrypted for Impact |
| CP-9 | System Backup | Protects | T1486 | Data Encrypted for Impact |
| SI-3 | Malicious Code Protection | Protects | T1486 | Data Encrypted for Impact |
| SI-4 | System Monitoring | Protects | T1486 | Data Encrypted for Impact |
| SI-7 | Software, Firmware, and Information Integrity | Protects | T1486 | Data Encrypted for Impact |
| action.malware.variety.Ransomware | Ransomware (encrypt or seize stored data) | related-to | T1486 | Data Encrypted for Impact |
| aws_rds | AWS RDS | technique_scores | T1486 | Data Encrypted for Impact |
| aws_config | AWS Config | technique_scores | T1486 | Data Encrypted for Impact |
| amazon_guardduty | Amazon GuardDuty | technique_scores | T1486 | Data Encrypted for Impact |
| aws_cloudendure_disaster_recovery | AWS CloudEndure Disaster Recovery | technique_scores | T1486 | Data Encrypted for Impact |