Encrypt Files

An adversary may encrypt files stored on the mobile device to prevent the user from accessing them, for example with the intent of unlocking access to the files only after a ransom is paid. Without escalated privileges, the adversary is generally limited to encrypting files in external/shared storage locations, since an app's sandbox prevents it from reaching other apps' private storage. This technique has been demonstrated on Android. We are unaware of any demonstrated use on iOS.

ID: T1471

Tactic Type: Post-Adversary Device Access

Tactic: Effects

Platform: Android

MTC ID: APP-28

Version: 2.0

Mitigations

Mitigation: Application Vetting
Description: Maggi and Zanero describe a static analysis approach that may be able to identify ransomware apps that encrypt user files on the device.[2]

Examples

Name: Xbot
Description: Xbot can encrypt the victim's files in external storage (e.g., SD card) and then request a PayPal cash card as ransom.[1]

References