Applied Cybernetics Group
T1486 — Data Encrypted for Impact
- Technique
T1486- Tactics
- Impact
- MISP citations
- 0
- KEV CVEs mapped
- 15
- Community rules
- 16
- thrunt rules
- 0
- Upstream
- https://attack.mitre.org/techniques/T1486
MITRE description
Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.(Citation: US-CERT Ransomware 2016)(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017)(Citation: US-CERT SamSam 2018) In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted (and often renamed and/or tagged with specific file markers). Adversaries may need to first employ other behaviors, such as [File and Directory Permissions Modification](https://attack.mitre.org/techniques/T1222) or [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529), in order to unlock and/or gain access to manipulate these files.(Citation: CarbonBlack Conti July 2020) In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.(Citation: US-CERT NotPetya 2017) Adversaries may also encrypt virtual machines hosted on ESXi or other hypervisors.(Citation: Crowdstrike Hypervisor Jackpotting Pt 2 2021) To maximize impact on the target organization, malware designed for encrypting data may have worm-like features to propagate across a network by leveraging other attack techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017) Encryption malware may also leverage [Internal Defacement](https://attack.mitre.org/techniques/T1491/001), such as changing victim wallpapers or ESXi server login messages, or otherwise intimidate victims by sending ransom notes or other messages to connected printers (known as "print bombing").(Citation: NHS Digital Egregor Nov 2020)(Citation: Varonis) In cloud environments, storage objects within compromised accounts may also be encrypted.(Citation: Rhino S3 Ransomware Part 1) For example, in AWS environments, adversaries may leverage services such as AWS’s Server-Side Encryption with Customer Provided Keys (SSE-C) to encrypt data.(Citation: Halcyon AWS Ransomware 2025)
KEV CVEs mapped to this technique
Per MITRE CTID's hand-curated KEV→ATT&CK mappings — these are the actively-exploited vulnerabilities behind this technique's KEV signal.
CVE-2023-38831CVE-2023-36884CVE-2023-28252CVE-2023-27532CVE-2023-0669CVE-2022-22947CVE-2021-45046CVE-2021-44228CVE-2021-42258CVE-2021-34473CVE-2020-1472CVE-2019-11634CVE-2016-1019CVE-2015-8651CVE-2009-3960
Detection coverage
SigmaHQ community rules
- WannaCry Ransomware Activity (emerging-threats)
- LockerGoga Ransomware Activity (emerging-threats)
- Potential Conti Ransomware Activity (emerging-threats)
- BlueSky Ransomware Artefacts (emerging-threats)
- FunkLocker Ransomware File Creation (emerging-threats)
- Suspicious Creation TXT File in User Desktop (threat-hunting)
- Antivirus Ransomware Detection (core)
- AWS EC2 Disable EBS Encryption (core)
- AWS KMS Imported Key Material Usage (core)
- Microsoft 365 - Potential Ransomware Activity (core)
- Suspicious Appended Extension (core)
- Load Of RstrtMgr.DLL By A Suspicious Process (core)
- Load Of RstrtMgr.DLL By An Uncommon Process (core)
- Portable Gpg.EXE Execution (core)
- Suspicious Reg Add BitLocker (core)
- Renamed Gpg.EXE Execution (core)