Data Encrypted for Impact

An adversary may encrypt files stored on a mobile device to prevent the user from accessing them. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.

ID: T1471
Sub-techniques: No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactic: Impact
Platforms: Android
MTC ID: APP-28
Version: 3.2
Created: 25 October 2017
Last Modified: 20 March 2023

Procedure Examples

ID     Name      Description
S0422  Anubis    Anubis can use its ransomware module to encrypt device data and hold it for ransom.[1]
S1062  S.O.V.A.  S.O.V.A. has code to encrypt device data with AES.[2]
S0298  Xbot      Xbot can encrypt the victim's files in external storage (e.g., SD card) and then request a PayPal cash card as ransom.[3]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls, because it relies on legitimate system features (ordinary file access and the platform's cryptographic APIs) that benign applications also use.

Detection

ID      Data Source          Data Component  Detects
DS0041  Application Vetting  API Calls       Application vetting services may be able to detect if an application attempts to encrypt files, although this may be benign behavior.
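The following is an added example of the kind of static check a vetting service could apply for this technique; it is not code from the ATT&CK page or from any of the samples listed above. It takes (caller, callee) method references in the form a Dalvik decompiler would list them for an APK and scores each caller by whether it combines Android crypto API use with enumeration of external storage and deletion or renaming of the originals, which is the pattern that distinguishes a locker from the many benign apps that merely call Cipher. All class and method names in the sample data are constructed for the example; the `Locker`, `Auth`, `Backup` and `Wiper` classes are hypothetical.

```python
"""
Added example (not from the ATT&CK page or the listed samples): a toy
static-vetting heuristic for T1471. Input is a list of (caller, callee)
Dalvik method references; output is a per-caller score and the references
that triggered it. Sample data below is constructed for this example.
"""
from collections import defaultdict

# Indicator substrings matched against fully qualified callee references.
CRYPTO_APIS = (
    "Ljavax/crypto/Cipher;->getInstance",
    "Ljavax/crypto/Cipher;->init",
    "Ljavax/crypto/Cipher;->doFinal",
    "Ljavax/crypto/CipherOutputStream;-><init>",
)
STORAGE_ENUM_APIS = (
    "Landroid/os/Environment;->getExternalStorageDirectory",
    "Ljava/io/File;->listFiles",
    "Ljava/nio/file/Files;->walk",
)
DESTRUCTIVE_APIS = (
    "Ljava/io/File;->delete",
    "Ljava/io/File;->renameTo",
)

SCORE_CRYPTO_ONLY = 1         # Cipher use alone: common in benign apps
SCORE_CRYPTO_ENUM = 2         # Cipher plus directory enumeration: review
SCORE_RANSOMWARE_PATTERN = 3  # Cipher, enumeration and delete/rename: flag


def _hits(callees, patterns):
    """Callee references that contain any of the indicator substrings."""
    return sorted({c for c in callees if any(p in c for p in patterns)})


def _class_of(method_ref):
    """'Lcom/x/Foo;->bar()V' -> 'Lcom/x/Foo;'"""
    return method_ref.split("->", 1)[0]


def score_callers(call_refs, scope="method"):
    """Group callees by caller method (scope="method") or by the caller's
    class (scope="class") and score each group that touches a crypto API.
    Class scope catches lockers that split enumeration and encryption
    across methods, at the cost of more false positives."""
    groups = defaultdict(list)
    for caller, callee in call_refs:
        key = caller if scope == "method" else _class_of(caller)
        groups[key].append(callee)

    results = {}
    for key, callees in groups.items():
        crypto = _hits(callees, CRYPTO_APIS)
        if not crypto:
            continue  # no encryption at all: out of scope for T1471
        enum = _hits(callees, STORAGE_ENUM_APIS)
        destructive = _hits(callees, DESTRUCTIVE_APIS)
        if enum and destructive:
            score = SCORE_RANSOMWARE_PATTERN
        elif enum:
            score = SCORE_CRYPTO_ENUM
        else:
            score = SCORE_CRYPTO_ONLY
        results[key] = {
            "score": score,
            "reasons": {"crypto": crypto, "enumeration": enum, "destructive": destructive},
        }
    return results


def verdict(score):
    return {3: "flag", 2: "review", 1: "benign-likely"}[score]


# Constructed sample: one locker-style method, two benign crypto users, and a
# class that spreads enumeration and encryption over two methods.
SAMPLE_CALLS = [
    ("Lcom/example/app/Locker;->encryptAll()V", "Landroid/os/Environment;->getExternalStorageDirectory()Ljava/io/File;"),
    ("Lcom/example/app/Locker;->encryptAll()V", "Ljava/io/File;->listFiles()[Ljava/io/File;"),
    ("Lcom/example/app/Locker;->encryptAll()V", "Ljavax/crypto/Cipher;->getInstance(Ljava/lang/String;)Ljavax/crypto/Cipher;"),
    ("Lcom/example/app/Locker;->encryptAll()V", "Ljavax/crypto/Cipher;->init(ILjava/security/Key;)V"),
    ("Lcom/example/app/Locker;->encryptAll()V", "Ljavax/crypto/Cipher;->doFinal([B)[B"),
    ("Lcom/example/app/Locker;->encryptAll()V", "Ljava/io/File;->delete()Z"),
    ("Lcom/example/app/Auth;->protectToken([B)[B", "Ljavax/crypto/Cipher;->getInstance(Ljava/lang/String;)Ljavax/crypto/Cipher;"),
    ("Lcom/example/app/Auth;->protectToken([B)[B", "Ljavax/crypto/Cipher;->doFinal([B)[B"),
    ("Lcom/example/app/Backup;->exportVault()V", "Ljava/io/File;->listFiles()[Ljava/io/File;"),
    ("Lcom/example/app/Backup;->exportVault()V", "Ljavax/crypto/CipherOutputStream;-><init>(Ljava/io/OutputStream;Ljavax/crypto/Cipher;)V"),
    ("Lcom/example/app/Wiper;->walk()V", "Ljava/nio/file/Files;->walk(Ljava/nio/file/Path;[Ljava/nio/file/FileVisitOption;)Ljava/util/stream/Stream;"),
    ("Lcom/example/app/Wiper;->crypt(Ljava/io/File;)V", "Ljavax/crypto/Cipher;->getInstance(Ljava/lang/String;)Ljavax/crypto/Cipher;"),
    ("Lcom/example/app/Wiper;->crypt(Ljava/io/File;)V", "Ljavax/crypto/Cipher;->doFinal([B)[B"),
    ("Lcom/example/app/Wiper;->crypt(Ljava/io/File;)V", "Ljava/io/File;->delete()Z"),
]

if __name__ == "__main__":
    for scope in ("method", "class"):
        print(f"== scope: {scope}")
        for caller, info in score_callers(SAMPLE_CALLS, scope=scope).items():
            print(f"{verdict(info['score']):14} {caller}")
            for kind, refs in info["reasons"].items():
                for ref in refs:
                    print(f"    {kind}: {ref}")
```

At method scope the `Wiper` class scores only 1 because its enumeration and encryption live in different methods, while at class scope it scores 3; a real vetting pipeline would follow call edges rather than rely on either grouping alone. The `Auth` and `Backup` results illustrate the caveat in the table: Cipher use by itself, or even with directory listing, is routine in legitimate apps, so only the combination with destruction of the originals is worth an automatic flag.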

References