An adversary may encrypt files stored on a mobile device to prevent the user from accessing them. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
| ID | Name | Description |
|---|---|---|
| S0422 | Anubis | Anubis can use its ransomware module to encrypt device data and hold it for ransom.[1] |
| S1062 | S.O.V.A. | |
| S0298 | Xbot | Xbot can encrypt the victim's files in external storage (e.g., SD card) and then request a PayPal cash card as ransom.[3] |
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0678 | Detection of Data Encrypted for Impact | AN1781 | An application with access to broad file scopes or sensitive storage areas becomes active, performs abnormal burst file reads and writes across many user or shared-storage locations, transforms file content or extensions at scale in a short window, and causes rapid file inaccessibility, rewrite, or replacement inconsistent with normal sync, backup, media processing, or document-editing behavior. The defender correlates capability state, app lifecycle, framework use, bulk file-write effects, and optional network communications to distinguish encrypt-for-impact behavior from benign bulk file operations. |