T1486: Data Encrypted for Impact
Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted (and often renamed and/or tagged with specific file markers). Adversaries may need to first employ other behaviors, such as File and Directory Permissions Modification or System Shutdown/Reboot, in order to unlock and/or gain access to manipulate these files. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.
To maximize impact on the target organization, malware designed for encrypting data may have worm-like features to propagate across a network by leveraging other attack techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares. Encryption malware may also leverage Internal Defacement, such as changing victim wallpapers, or otherwise intimidate victims by sending ransom notes or other messages to connected printers (known as "print bombing").
In cloud environments, storage objects within compromised accounts may also be encrypted.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
mitre_attck_impact: PT-CR-1996: Creation_Of_Many_Identical_Files: A large number of files (over 200) with the same name was created in different directories in a short period of time. This may indirectly indicate cryptolocker activity. When encrypting files, cryptolockers create files with the same name that contain attackers' demands in each encrypted directory.
Detection
| ID | DS0017 | Data source and component | Command: Command Execution | Description | Monitor executed commands and arguments for actions involved in data destruction activity, such as vssadmin, wbadmin, and bcdedit |
|---|
| ID | DS0033 | Data source and component | Network Share: Network Share Access | Description | Monitor for unexpected network shares being accessed on target systems or on large numbers of systems. |
|---|
| ID | DS0010 | Data source and component | Cloud Storage: Cloud Storage Modification | Description | Monitor for changes made in cloud environments for events that indicate storage objects have been anomalously modified. |
|---|
| ID | DS0022 | Data source and component | File: File Creation | Description | Monitor for newly constructed files in user directories. |
|---|
| ID | DS0022 | Data source and component | File: File Modification | Description | Monitor for changes made to files in user directories. |
|---|
| ID | DS0009 | Data source and component | Process: Process Creation | Description | Monitor for newly constructed processes and/or command-lines involved in data destruction activity, such as vssadmin, wbadmin, and bcdedit. |
|---|
Mitigation
| ID | M1040 | Name | Behavior Prevention on Endpoint | Description | On Windows 10, enable cloud-delivered protection and Attack Surface Reduction (ASR) rules to block the execution of files that resemble ransomware. |
|---|
| ID | M1053 | Name | Data Backup | Description | Consider implementing IT disaster recovery plans that contain procedures for regularly taking and testing data backups that can be used to restore organizational data. Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery. Consider enabling versioning in cloud environments to maintain backup copies of storage objects. |
|---|