An adversary may encrypt files stored on a mobile device to prevent the user from accessing them. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
Anubis can use its ransomware module to encrypt device data and hold it for ransom.
Xbot can encrypt the victim's files in external storage (e.g., SD card) and then request a PayPal cash card as ransom.
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
| ID | Data Source | Data Component |
|---|---|---|
| DS0041 | Application Vetting | API Calls |
Application vetting services may be able to detect if an application attempts to encrypt files, although this may be benign behavior.
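The following is an added example, not part of the original page or of any vetting product, of one way a vetting pipeline could separate bulk encrypt-and-replace behavior on shared storage from benign encryption. The trace format, package names, storage prefixes and the `min_files` threshold are assumptions; the sample trace is constructed.

```python
from collections import defaultdict

# Constructed trace, assumed "package api argument" format (real sandboxes differ).
SAMPLE_TRACE = """\
com.example.notes javax.crypto.Cipher.init ENCRYPT_MODE
com.example.notes java.io.FileOutputStream.<init> /data/data/com.example.notes/files/vault.bin
com.example.backup java.io.File.listFiles /sdcard/DCIM
com.example.backup javax.crypto.Cipher.init ENCRYPT_MODE
com.example.backup java.io.FileOutputStream.<init> /sdcard/Backup/photos.zip.enc
com.example.locker java.io.File.listFiles /sdcard/DCIM
com.example.locker javax.crypto.Cipher.init ENCRYPT_MODE
com.example.locker java.io.FileOutputStream.<init> /sdcard/DCIM/a.jpg.enc
com.example.locker java.io.File.delete /sdcard/DCIM/a.jpg
com.example.locker java.io.FileOutputStream.<init> /sdcard/DCIM/b.jpg.enc
com.example.locker java.io.File.delete /sdcard/DCIM/b.jpg
com.example.locker java.io.FileOutputStream.<init> /sdcard/Download/c.pdf.enc
com.example.locker java.io.File.delete /sdcard/Download/c.pdf
"""

SHARED = ("/sdcard/", "/storage/")  # shared/external storage prefixes (assumed)

def review(trace, min_files=3):
    """Return {package: [originals replaced by encrypted copies]} for apps that
    enumerate shared storage and replace at least min_files files there."""
    apps = defaultdict(lambda: dict(enc=False, listed=False, written=set(), deleted=set()))
    for line in trace.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue  # skip malformed lines
        pkg, api, arg = parts
        s = apps[pkg]
        if api == "javax.crypto.Cipher.init" and arg == "ENCRYPT_MODE":
            s["enc"] = True
        elif api == "java.io.File.listFiles" and (arg + "/").startswith(SHARED):
            s["listed"] = True
        elif s["enc"] and arg.startswith(SHARED):
            if api == "java.io.FileOutputStream.<init>":
                s["written"].add(arg)
            elif api == "java.io.File.delete":
                s["deleted"].add(arg)
    findings = {}
    for pkg, s in apps.items():
        # Replaced = original deleted and a sibling "<original>.<suffix>" written.
        replaced = sorted(d for d in s["deleted"]
                          if any(w.startswith(d + ".") for w in s["written"]))
        if s["listed"] and len(replaced) >= min_files:
            findings[pkg] = replaced
    return findings
```

The notes app (one encrypted file in private storage) and the backup app (encrypted archive, no originals deleted) are not reported, which reflects the caveat that encryption alone may be benign.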