Description
An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users, thus discrediting the integrity of the systems. This may take the form of modifications to internal websites or server login messages, or directly to user systems with the replacement of the desktop wallpaper.(Citation: Novetta Blockbuster)(Citation: Varonis) Disturbing or offensive images may be used as a part of Internal Defacement in order to cause user discomfort, or to pressure compliance with accompanying messages. Since internally defacing systems exposes an adversary's presence, it often takes place after other intrusion goals have been accomplished.(Citation: Novetta Blockbuster Destructive Malware)
Platforms
Mitigations (1)
M1053 Data Backup
Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data.(Citation: Ready.gov IT DRP) Ensure backups are stored off-system and are protected from the common methods adversaries use to gain access to and destroy backups in order to prevent recovery. For defacement specifically, keeping known-good copies of the replaced content (internal web pages, login banner and MOTD configuration, wallpaper and lock-screen policy) lets the original state be restored quickly once the intrusion is contained.
Threat Groups (3)
| ID | Group | Context |
|---|---|---|
| G0047 | Gamaredon Group | [Gamaredon Group](https://attack.mitre.org/groups/G0047) has left taunting images and messages on the victims' desktops as proof of system access.(Cit... |
| G1043 | BlackByte | [BlackByte](https://attack.mitre.org/groups/G1043) left ransom notes in all directories where encryption takes place.(Citation: FBI BlackByte 2022) |
| G0032 | Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) replaced the background wallpaper of systems with a threatening image after rendering the syste... |
Associated Software (11)
| ID | Name | Type | Context |
|---|---|---|---|
| S0332 | Remcos | Tool | [Remcos](https://attack.mitre.org/software/S0332) has the ability to modify the desktop wallpaper.(Citation: Fortinet Remcos Campaign NOV 2024) |
| S1178 | ShrinkLocker | Malware | [ShrinkLocker](https://attack.mitre.org/software/S1178) renames disk labels on victim hosts to the threat actor's email address to enable the victim t... |
| S1070 | Black Basta | Malware | [Black Basta](https://attack.mitre.org/software/S1070) has set the desktop wallpaper on victims' machines to display a ransom note.(Citation: Minerva ... |
| S0659 | Diavol | Malware | After encryption, [Diavol](https://attack.mitre.org/software/S0659) will capture the desktop background window, set the background color to black, an... |
| S9030 | SameCoin | Malware | [SameCoin](https://attack.mitre.org/software/S9030) can alter the victim’s background to display an image showing the name of Hamas’s military wing.(C... |
| S1150 | ROADSWEEP | Malware | [ROADSWEEP](https://attack.mitre.org/software/S1150) has dropped ransom notes in targeted folders prior to encrypting the files.(Citation: Microsoft A... |
| S0688 | Meteor | Malware | [Meteor](https://attack.mitre.org/software/S0688) can change both the desktop wallpaper and the lock screen image to a custom image.(Citation: Check P... |
| S1212 | RansomHub | Malware | [RansomHub](https://attack.mitre.org/software/S1212) has placed a ransom note on compromised systems to warn victims and provide directions for how to... |
| S1068 | BlackCat | Malware | [BlackCat](https://attack.mitre.org/software/S1068) can change the desktop wallpaper on compromised hosts.(Citation: Microsoft BlackCat Jun 2022)(Cita... |
| S1242 | Qilin | Malware | [Qilin](https://attack.mitre.org/software/S1242) can set the wallpaper on compromised hosts to display a ransom message in each encrypted folder.(Cita... |
| S1139 | INC Ransomware | Malware | [INC Ransomware](https://attack.mitre.org/software/S1139) has the ability to change the background wallpaper image to display the ransom note.(Citatio... |
References
- Jason Hill. (2023, February 8). VMware ESXi in the Line of Ransomware Fire. Retrieved March 26, 2025.
- Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved November 17, 2024.
- Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
Frequently Asked Questions
What is T1491.001 (Internal Defacement)?
T1491.001 is a MITRE ATT&CK technique named 'Internal Defacement'. It belongs to the Impact tactic. An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users, thus discrediting the integrity of the systems. This may take the form of modifications to int...
How can T1491.001 be detected?
Detection of T1491.001 (Internal Defacement) relies on file, registry, and application-log telemetry rather than on a single signature. ATT&CK lists Application Log Content, File Creation, File Modification, and Network Traffic Content as the data sources for this technique. In practice that means monitoring for changes to the registry values that control the desktop wallpaper, lock-screen image, and logon banner (Control Panel\Desktop\Wallpaper, the Personalization LockScreenImage policy, and the LegalNoticeCaption/LegalNoticeText policy values), for edits to internal web content and server login messages such as /etc/motd and /etc/issue, and for one process writing note-like files into many directories. Because users and group policy change wallpaper and banners legitimately, correlate the change with the originating process (an unsigned binary in a user-writable path is far more suspicious than explorer.exe or a policy refresh) and with other Impact behaviour such as mass file encryption, which commonly accompanies this technique.
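As an added example, not content from MITRE ATT&CK and not any vendor's detection rule, the following Python script applies those checks to Sysmon-style records: registry value sets (Event ID 13) against the wallpaper, lock-screen and logon-banner values, with a process allowlist so that a user picking a wallpaper through the shell does not fire, and file-create events (Event ID 11) aggregated per process so that note-like files dropped into many folders do. The 'key=value|key=value' record format, every sample event, the process allowlist, the note-name pattern and the folder-count threshold are assumptions made for the example; only the Sysmon field names (Image, TargetObject, TargetFilename, Details) are real.

```python
"""Triage Sysmon-style events for Internal Defacement (T1491.001) indicators.

Added example, not code from MITRE ATT&CK or any vendor. It looks for the
signals the technique page describes:
  * desktop wallpaper / lock-screen image changes   (registry, Sysmon Event ID 13)
  * logon banner (LegalNotice*) changes              (registry, Sysmon Event ID 13)
  * ransom-note style files dropped into many folders (file create, Sysmon Event ID 11)
Field names follow Sysmon; the record format ('key=value|key=value') and all
sample events below are constructed for the example.
"""
import re
from collections import defaultdict

# Registry value paths whose modification changes what a user sees at logon or
# on the desktop. Matched as a case-insensitive suffix of TargetObject.
DEFACEMENT_REG_VALUES = {
    r"\Control Panel\Desktop\Wallpaper": "desktop wallpaper changed",
    r"\Policies\Microsoft\Windows\Personalization\LockScreenImage": "lock screen image changed",
    r"\Policies\System\LegalNoticeCaption": "logon banner caption changed",
    r"\Policies\System\LegalNoticeText": "logon banner text changed",
}
# Processes that legitimately change wallpaper when a user picks one.
# Assumption for this example; tune per environment (e.g. GPO logon scripts).
BENIGN_WALLPAPER_CHANGERS = {"explorer.exe", "systemsettings.exe"}
# Ransom-note style file names; assumption for this example.
NOTE_NAME_RE = re.compile(r"^(readme|restore|recover|how_to|decrypt)[^\\/]*\.(txt|hta|html)$", re.IGNORECASE)
# One process dropping notes into at least this many distinct folders alerts.
NOTE_DIR_THRESHOLD = 5


def parse_event(line):
    """Parse one 'key=value|key=value' record (constructed format) into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path):
    return path.rsplit("\\", 1)[-1]


def dirname(path):
    return path.rsplit("\\", 1)[0]


def detect_internal_defacement(lines):
    """Return a list of (rule, image, detail) alerts for the given event lines."""
    alerts = []
    note_dirs = defaultdict(set)  # process image -> folders it dropped notes into
    for line in lines:
        ev = parse_event(line)
        event_id = ev.get("EventID")
        image = ev.get("Image", "")
        if event_id == "13":  # registry value set
            target = ev.get("TargetObject", "").lower()
            for suffix, desc in DEFACEMENT_REG_VALUES.items():
                if not target.endswith(suffix.lower()):
                    continue
                is_banner = "legalnotice" in suffix.lower()
                if not is_banner and basename(image).lower() in BENIGN_WALLPAPER_CHANGERS:
                    continue  # a user picking a wallpaper is not defacement
                alerts.append(("T1491.001 registry", image, f"{desc}: {ev.get('Details', '')}"))
        elif event_id == "11":  # file created
            fname = ev.get("TargetFilename", "")
            if NOTE_NAME_RE.match(basename(fname)):
                note_dirs[image].add(dirname(fname).lower())
    for image, dirs in note_dirs.items():
        if len(dirs) >= NOTE_DIR_THRESHOLD:
            alerts.append(("T1491.001 ransom notes", image, f"note-like files dropped in {len(dirs)} folders"))
    return alerts


# Constructed sample events (not real telemetry).
LOCKER = r"C:\Users\bob\AppData\Local\Temp\locker.exe"
SAMPLE_EVENTS = [
    # benign: the user picked a wallpaper through the shell
    r"EventID=13|Image=C:\Windows\explorer.exe|TargetObject=HKU\S-1-5-21-1\Control Panel\Desktop\Wallpaper|Details=C:\Users\bob\Pictures\beach.jpg",
    # suspicious: a binary in Temp sets the wallpaper and the logon banner
    rf"EventID=13|Image={LOCKER}|TargetObject=HKU\S-1-5-21-1\Control Panel\Desktop\Wallpaper|Details=C:\ProgramData\note.bmp",
    rf"EventID=13|Image={LOCKER}|TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText|Details=Your files are encrypted",
    # suspicious: the same binary drops a note into many folders
    rf"EventID=11|Image={LOCKER}|TargetFilename=C:\Users\bob\Documents\RESTORE-FILES.txt",
    rf"EventID=11|Image={LOCKER}|TargetFilename=C:\Users\bob\Documents\tax\RESTORE-FILES.txt",
    rf"EventID=11|Image={LOCKER}|TargetFilename=C:\Users\bob\Desktop\RESTORE-FILES.txt",
    rf"EventID=11|Image={LOCKER}|TargetFilename=C:\Users\bob\Pictures\RESTORE-FILES.txt",
    rf"EventID=11|Image={LOCKER}|TargetFilename=C:\Shares\finance\RESTORE-FILES.txt",
    rf"EventID=11|Image={LOCKER}|TargetFilename=C:\Shares\hr\RESTORE-FILES.txt",
    # benign: a single readme written by an editor
    r"EventID=11|Image=C:\Windows\System32\notepad.exe|TargetFilename=C:\Users\bob\Documents\project\readme.txt",
    # unrelated process-create event, ignored by the rules
    rf"EventID=1|Image={LOCKER}|CommandLine={LOCKER} --quiet",
]

if __name__ == "__main__":
    for rule, image, detail in detect_internal_defacement(SAMPLE_EVENTS):
        print(f"[{rule}] {image}: {detail}")
```

Run as a script it prints three alerts for the constructed events (wallpaper and logon banner set by locker.exe, and the same binary writing notes into six folders) and nothing for explorer.exe or notepad.exe. The allowlist and the note-name pattern are the tuning points; a wallpaper change on its own is best treated as a low-severity signal that is escalated when the originating process also drops notes or encrypts files.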
What mitigations exist for T1491.001?
There is 1 documented mitigation for T1491.001: Data Backup (M1053).
Which threat groups use T1491.001?
Known threat groups using T1491.001 include: Gamaredon Group, BlackByte, Lazarus Group.