Description
Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.(Citation: US-CERT Ransomware 2016)(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017)(Citation: US-CERT SamSam 2018)
In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted (and often renamed and/or tagged with specific file markers). Adversaries may need to first employ other behaviors, such as File and Directory Permissions Modification or System Shutdown/Reboot, in order to unlock and/or gain access to manipulate these files.(Citation: CarbonBlack Conti July 2020) In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.(Citation: US-CERT NotPetya 2017) Adversaries may also encrypt virtual machines hosted on ESXi or other hypervisors.(Citation: Crowdstrike Hypervisor Jackpotting Pt 2 2021)
To maximize impact on the target organization, malware designed for encrypting data may have worm-like features to propagate across a network by leveraging other attack techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares.(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017) Encryption malware may also leverage Internal Defacement, such as changing victim wallpapers or ESXi server login messages, or otherwise intimidate victims by sending ransom notes or other messages to connected printers (known as "print bombing").(Citation: NHS Digital Egregor Nov 2020)(Citation: Varonis)
In cloud environments, storage objects within compromised accounts may also be encrypted.(Citation: Rhino S3 Ransomware Part 1) For example, in AWS environments, adversaries may leverage services such as AWS’s Server-Side Encryption with Customer Provided Keys (SSE-C) to encrypt data.(Citation: Halcyon AWS Ransomware 2025)
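A defender-side illustration of the renaming behavior described above (files kept under their original names with a marker extension appended, as in the ".cuba" and ".medusa" examples on this page). This is an added example, not part of the ATT&CK entry: it runs a sliding-window heuristic over constructed file-rename telemetry and flags a process that stamps one uniform marker onto many user files in a short time. The process names, paths and thresholds are all hypothetical.

```python
import os
from collections import defaultdict, deque
from dataclasses import dataclass

WINDOW_SECONDS = 60      # sliding window per process (tunable assumption)
RENAME_THRESHOLD = 20    # renames inside the window before we alert (assumption)
# File types the technique description lists as typical ransomware targets.
USER_FILE_EXTS = {".docx", ".xlsx", ".pdf", ".jpg", ".png", ".mp4", ".mp3", ".txt", ".py", ".c"}

@dataclass(frozen=True)
class RenameEvent:
    ts: float    # epoch seconds
    pid: int
    image: str   # process image name
    src: str
    dst: str

def appended_marker(ev):
    """Return the marker extension a rename appended to a user file, or None."""
    # 'report.docx' -> 'report.docx.locked': original name kept, marker tacked on.
    _, src_ext = os.path.splitext(ev.src)
    dst_root, dst_ext = os.path.splitext(ev.dst)
    if src_ext.lower() in USER_FILE_EXTS and dst_root == ev.src and dst_ext:
        return dst_ext.lower()
    return None

def detect_mass_rename(events):
    """Flag processes that append one uniform marker to many user files within the window."""
    recent = defaultdict(deque)   # pid -> (ts, marker) pairs still inside the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e.ts):
        marker = appended_marker(ev)
        if marker is None:
            continue
        q = recent[ev.pid]
        q.append((ev.ts, marker))
        while ev.ts - q[0][0] > WINDOW_SECONDS:   # drop events that aged out
            q.popleft()
        if len(q) >= RENAME_THRESHOLD and len({m for _, m in q}) == 1 and ev.pid not in alerts:
            alerts[ev.pid] = {"image": ev.image, "marker": marker, "count": len(q)}
    return alerts

def sample_events():
    """Constructed telemetry: a slow backup job (benign) and a fast encryptor (hypothetical)."""
    slow = [RenameEvent(1000.0 + 10 * i, 501, "backup.sh", f"/srv/share/a{i}.pdf", f"/srv/share/a{i}.pdf.bak") for i in range(25)]
    fast = [RenameEvent(1200.0 + 0.2 * i, 1337, "encryptor.exe", f"/srv/share/b{i}.docx", f"/srv/share/b{i}.docx.locked") for i in range(30)]
    return slow + fast
```

The slow job never accumulates twenty renames inside one window, so only the fast process is reported; in production the same logic would consume EDR or auditd rename events instead of the constructed list.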
Mitigations (2)
Behavior Prevention on Endpoint (M1040)
On Windows 10, enable cloud-delivered protection and Attack Surface Reduction (ASR) rules to block the execution of files that resemble ransomware.(Citation: win10_asr) In AWS environments, create an IAM policy to restrict or block the use of SSE-C on S3 buckets.(Citation: Halcyon AWS Ransomware 2025)
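What the AWS part of this mitigation looks like in practice, as an added example that is not from the ATT&CK page or from AWS: a bucket policy denying any `s3:PutObject` that carries the SSE-C algorithm header, plus a small hypothetical `is_denied` helper that mimics how IAM's `Null` condition matches such a request. The condition key `s3:x-amz-server-side-encryption-customer-algorithm` is a documented S3 condition key; the bucket name is a constructed placeholder.

```python
import json

BUCKET = "example-bucket"   # constructed name; substitute the bucket being protected

# Bucket policy that refuses any PutObject carrying the SSE-C algorithm header.
# In IAM, Null with "false" means "the condition key IS present in the request",
# so the statement matches exactly the SSE-C uploads and nothing else.
DENY_SSEC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyServerSideEncryptionWithCustomerKeys",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {
                "Null": {"s3:x-amz-server-side-encryption-customer-algorithm": "false"}
            },
        }
    ],
}

def policy_json():
    """Policy document as JSON, ready for `aws s3api put-bucket-policy --policy file://...`."""
    return json.dumps(DENY_SSEC_POLICY, indent=2)

# Request headers that surface as S3 condition keys (only the encryption-related ones).
HEADER_TO_KEY = {
    "x-amz-server-side-encryption-customer-algorithm": "s3:x-amz-server-side-encryption-customer-algorithm",
    "x-amz-server-side-encryption": "s3:x-amz-server-side-encryption",
}

def is_denied(action, headers):
    """Simplified, hypothetical check: does the Deny statement above match this request?"""
    present = {HEADER_TO_KEY[h.lower()] for h in headers if h.lower() in HEADER_TO_KEY}
    for stmt in DENY_SSEC_POLICY["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != action:
            continue
        # Null: "false" -> key must be present; Null: "true" -> key must be absent.
        if all((key in present) == (want == "false") for key, want in stmt["Condition"]["Null"].items()):
            return True
    return False
```

Uploads that use SSE-S3 or SSE-KMS carry a different header and are unaffected, so the policy blocks only the customer-provided-key path that the cited S3 ransomware relies on.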
Data Backup (M1053)
Consider implementing IT disaster recovery plans that contain procedures for regularly taking and testing data backups that can be used to restore organizational data.(Citation: Ready.gov IT DRP) Ensure backups are stored off system and are protected from the common methods adversaries use to gain access to and destroy backups in order to prevent recovery. Consider enabling versioning in cloud environments.
Threat Groups (18)
| ID | Group | Context |
|---|---|---|
| G0082 | APT38 | [APT38](https://attack.mitre.org/groups/G0082) has used Hermes ransomware to encrypt files with AES256.(Citation: FireEye APT38 Oct 2018) |
| G1032 | INC Ransom | [INC Ransom](https://attack.mitre.org/groups/G1032) has used [INC Ransomware](https://attack.mitre.org/software/S1139) to encrypt victim's data.(Citat... |
| G1055 | VOID MANTICORE | [VOID MANTICORE](https://attack.mitre.org/groups/G1055) has utilized legitimate disk encryption utilities to increase likelihood of encrypting system ... |
| G0059 | Magic Hound | [Magic Hound](https://attack.mitre.org/groups/G0059) has used BitLocker and DiskCryptor to encrypt targeted workstations. (Citation: DFIR Phosphorus N... |
| G1015 | Scattered Spider | [Scattered Spider](https://attack.mitre.org/groups/G1015) has used [BlackCat](https://attack.mitre.org/software/S1068) and DragonForce ransomware to e... |
| G0046 | FIN7 | [FIN7](https://attack.mitre.org/groups/G0046) has encrypted virtual disk volumes on ESXi servers using a version of Darkside ransomware.(Citation: Cro... |
| G1053 | Storm-0501 | [Storm-0501](https://attack.mitre.org/groups/G1053) has encrypted files in victim environments using ransomware as a service (RaaS) including Sabbath,... |
| G1051 | Medusa Group | [Medusa Group](https://attack.mitre.org/groups/G1051) has encrypted files using AES-256 encryption which then appends the file extension “.medusa” to ... |
| G0034 | Sandworm Team | [Sandworm Team](https://attack.mitre.org/groups/G0034) has used [Prestige](https://attack.mitre.org/software/S1058) ransomware to encrypt data at targ... |
| G1024 | Akira | [Akira](https://attack.mitre.org/groups/G1024) encrypts files in victim environments as part of ransomware operations.(Citation: BushidoToken Akira 20... |
| G1046 | Storm-1811 | [Storm-1811](https://attack.mitre.org/groups/G1046) is a financially-motivated entity linked to the deployment of [Black Basta](https://attack.mitre.o... |
| G0119 | Indrik Spider | [Indrik Spider](https://attack.mitre.org/groups/G0119) has encrypted domain-controlled systems using [BitPaymer](https://attack.mitre.org/software/S05... |
| G0096 | APT41 | [APT41](https://attack.mitre.org/groups/G0096) used a ransomware called Encryptor RaaS to encrypt files on the targeted systems and provide a ransom n... |
| G1050 | Water Galura | [Water Galura](https://attack.mitre.org/groups/G1050) has encrypted files on victim networks through the generation of [Qilin](https://attack.mitre.or... |
| G0092 | TA505 | [TA505](https://attack.mitre.org/groups/G0092) has used a wide variety of ransomware, such as [Clop](https://attack.mitre.org/software/S0611), Locky, ... |
| G1043 | BlackByte | [BlackByte](https://attack.mitre.org/groups/G1043) has encrypted victim files for ransom. Early versions of BlackByte ransomware used a common key for... |
| G0061 | FIN8 | [FIN8](https://attack.mitre.org/groups/G0061) has deployed ransomware such as [Ragnar Locker](https://attack.mitre.org/software/S0481), White Rabbit, ... |
| G1036 | Moonstone Sleet | [Moonstone Sleet](https://attack.mitre.org/groups/G1036) has deployed ransomware in victim environments.(Citation: Microsoft Moonstone Sleet 2024) |
Associated Software (62)
| ID | Name | Type | Context |
|---|---|---|---|
| S0449 | Maze | Malware | [Maze](https://attack.mitre.org/software/S0449) has disrupted systems by encrypting files on targeted machines, claiming to decrypt files if a ransom ... |
| S0606 | Bad Rabbit | Malware | [Bad Rabbit](https://attack.mitre.org/software/S0606) has encrypted files and disks using AES-128-CBC and RSA-2048.(Citation: Secure List Bad Rabbit) |
| S0595 | ThiefQuest | Malware | [ThiefQuest](https://attack.mitre.org/software/S0595) encrypts a set of file extensions on a host, deletes the original files, and provides a ransom n... |
| S0481 | Ragnar Locker | Malware | [Ragnar Locker](https://attack.mitre.org/software/S0481) encrypts files on the local machine and mapped drives prior to displaying a note demanding a ... |
| S1180 | BlackByte Ransomware | Malware | [BlackByte Ransomware](https://attack.mitre.org/software/S1180) is ransomware using a shared key across victims for encryption.(Citation: Trustwave Bl... |
| S1073 | Royal | Malware | [Royal](https://attack.mitre.org/software/S1073) uses a multi-threaded encryption process that can partially encrypt targeted files with the OpenSSL l... |
| S0389 | JCry | Malware | [JCry](https://attack.mitre.org/software/S0389) has encrypted files and demanded Bitcoin to decrypt those files. (Citation: Carbon Black JCry May 2019... |
| S0638 | Babuk | Malware | [Babuk](https://attack.mitre.org/software/S0638) can use ChaCha8 and ECDH to encrypt data.(Citation: Sogeti CERT ESEC Babuk March 2021)(Citation: McAf... |
| S1137 | Moneybird | Malware | [Moneybird](https://attack.mitre.org/software/S1137) targets a common set of file types such as documents, certificates, and database files for encryp... |
| S9020 | LODEINFO | Malware | [LODEINFO](https://attack.mitre.org/software/S9020) can incorporate a ransom command to encrypt specified files and folders.(Citation: Kaspersky LODE... |
| S0496 | REvil | Malware | [REvil](https://attack.mitre.org/software/S0496) can encrypt files on victim systems and demands a ransom to decrypt the files.(Citation: Kaspersky So... |
| S0659 | Diavol | Malware | [Diavol](https://attack.mitre.org/software/S0659) has encrypted files using an RSA key though the `CryptEncrypt` API and has appended filenames with "... |
| S0625 | Cuba | Malware | [Cuba](https://attack.mitre.org/software/S0625) has the ability to encrypt system data and add the ".cuba" extension to encrypted files.(Citation: McA... |
| S1162 | Playcrypt | Malware | [Playcrypt](https://attack.mitre.org/software/S1162) encrypts files on targeted hosts with an AES-RSA hybrid encryption, encrypting every other file p... |
| S1111 | DarkGate | Malware | [DarkGate](https://attack.mitre.org/software/S1111) can deploy follow-on ransomware payloads.(Citation: Ensilo Darkgate 2018) |
| S1068 | BlackCat | Malware | [BlackCat](https://attack.mitre.org/software/S1068) has the ability to encrypt Windows devices, Linux devices, and VMWare instances.(Citation: Microso... |
| S1058 | Prestige | Malware | [Prestige](https://attack.mitre.org/software/S1058) has leveraged the CryptoPP C++ library to encrypt files on target systems using AES and appended f... |
| S0372 | LockerGoga | Malware | [LockerGoga](https://attack.mitre.org/software/S0372) has encrypted files, including core Windows OS files, using RSA-OAEP MGF1 and then demanded Bitc... |
| S0616 | DEATHRANSOM | Malware | [DEATHRANSOM](https://attack.mitre.org/software/S0616) can use public and private key pair encryption to encrypt files for ransom payment.(Citation: F... |
| S0605 | EKANS | Malware | [EKANS](https://attack.mitre.org/software/S0605) uses standard encryption library functions to encrypt files.(Citation: Dragos EKANS)(Citation: Palo A... |
References
- Baskin, B. (2020, July 8). TAU Threat Discovery: Conti Ransomware. Retrieved February 17, 2021.
- Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019.
- Gietzen, S. (n.d.). S3 Ransomware Part 1: Attack Vector. Retrieved April 14, 2021.
- Halcyon RISE Team. (2025, January 13). Abusing AWS Native Services: Ransomware Encrypting S3 Buckets with SSE-C. Retrieved March 18, 2025.
- Jason Hill. (2023, February 8). VMware ESXi in the Line of Ransomware Fire. Retrieved March 26, 2025.
- Michael Dawson. (2021, August 30). Hypervisor Jackpotting, Part 2: eCrime Actors Increase Targeting of ESXi Servers with Ransomware. Retrieved March 26, 2025.
- NHS Digital. (2020, November 26). Egregor Ransomware The RaaS successor to Maze. Retrieved December 29, 2020.
- US-CERT. (2016, March 31). Alert (TA16-091A): Ransomware and Recent Variants. Retrieved March 15, 2019.
- US-CERT. (2017, July 1). Alert (TA17-181A): Petya Ransomware. Retrieved March 15, 2019.
- US-CERT. (2018, December 3). Alert (AA18-337A): SamSam Ransomware. Retrieved March 15, 2019.
Frequently Asked Questions
What is T1486 (Data Encrypted for Impact)?
T1486 is a MITRE ATT&CK technique named 'Data Encrypted for Impact'. It belongs to the Impact tactic(s). Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessibl...
How can T1486 be detected?
Detection of T1486 (Data Encrypted for Impact) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1486?
There are 2 documented mitigations for T1486. Key mitigations include: Behavior Prevention on Endpoint, Data Backup.
Which threat groups use T1486?
Known threat groups using T1486 include: APT38, INC Ransom, VOID MANTICORE, Magic Hound, Scattered Spider, FIN7, Storm-0501, Medusa Group.