Data Encrypted for Impact

An adversary may encrypt files stored on a mobile device to prevent the user from accessing them. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.

ID: T1471
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactic: Impact
Platforms: Android
Version: 3.2
Created: 25 October 2017
Last Modified: 20 March 2023

Procedure Examples

ID Name Description
S0422 Anubis

Anubis can use its ransomware module to encrypt device data and hold it for ransom.[1]

S1062 S.O.V.A.

S.O.V.A. has code to encrypt device data with AES.[2]

S0298 Xbot

Xbot can encrypt the victim's files in external storage (e.g., SD card) and then request a PayPal cash card as ransom.[3]


This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.


ID Data Source Data Component Detects
DS0041 Application Vetting API Calls

Application vetting services may be able to detect if an application attempts to encrypt files, although this may be benign behavior.