Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.[1][2][3][4]
In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted (and often renamed and/or tagged with specific file markers). Adversaries may need to first employ other behaviors, such as File and Directory Permissions Modification or System Shutdown/Reboot, in order to unlock and/or gain access to manipulate these files.[5] In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.[3]
To maximize impact on the target organization, malware designed for encrypting data may have worm-like features to propagate across a network by leveraging other attack techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares.[2][3] Encryption malware may also leverage Internal Defacement, such as changing victim wallpapers, or otherwise intimidate victims by sending ransom notes or other messages to connected printers (known as "print bombing").[6]
In cloud environments, storage objects within compromised accounts may also be encrypted.[7]
ID | Name | Description |
---|---|---|
S1129 | Akira |
Akira encrypts victim filesystems for financial extortion purposes.[8] |
G1024 | Akira |
Akira encrypts files in victim environments as part of ransomware operations.[9] |
S1133 | Apostle |
Apostle creates new, encrypted versions of files then deletes the originals, with the new filenames consisting of a random GUID and ".lock" for an extension.[10] |
G0082 | APT38 |
APT38 has used Hermes ransomware to encrypt files with AES256.[11] |
G0096 | APT41 |
APT41 used a ransomware called Encryptor RaaS to encrypt files on the targeted systems and provide a ransom note to the user.[12] APT41 also used Microsoft Bitlocker to encrypt workstations and Jetico’s BestCrypt to encrypt servers.[13] |
S0640 | Avaddon |
Avaddon encrypts the victim system using a combination of AES256 and RSA encryption schemes.[14] |
S1053 | AvosLocker |
AvosLocker has encrypted files and network resources using AES-256 and added an |
S0638 | Babuk |
Babuk can use ChaCha8 and ECDH to encrypt data.[19][20][21][22] |
S0606 | Bad Rabbit |
Bad Rabbit has encrypted files and disks using AES-128-CBC and RSA-2048.[23] |
S0570 | BitPaymer |
BitPaymer can import a hard-coded RSA 1024-bit public key, generate a 128-bit RC4 key for each file, and encrypt the file in place, appending |
S1070 | Black Basta |
Black Basta can encrypt files with the ChaCha20 cypher and using a multithreaded process to increase speed.[25][26][27][28][29][30][31][32][33] |
S1068 | BlackCat |
BlackCat has the ability to encrypt Windows devices, Linux devices, and VMWare instances.[34] |
C0015 | C0015 |
During C0015, the threat actors used Conti ransomware to encrypt a compromised network.[35] |
C0018 | C0018 |
During C0018, the threat actors used AvosLocker ransomware to encrypt files on the compromised network.[17][36] |
S1096 | Cheerscrypt |
Cheerscrypt can encrypt data on victim machines using a Sosemanuk stream cipher with an Elliptic-curve Diffie–Hellman (ECDH) generated key.[37][38] |
S0611 | Clop |
Clop can encrypt files using AES, RSA, and RC4 and will add the ".clop" extension to encrypted files.[39][40][41] |
S0575 | Conti |
Conti can use |
S0625 | Cuba |
Cuba has the ability to encrypt system data and add the ".cuba" extension to encrypted files.[45] |
S1111 | DarkGate | |
S1033 | DCSrv |
DCSrv has encrypted drives using the core encryption mechanism from DiskCryptor.[47] |
S0616 | DEATHRANSOM |
DEATHRANSOM can use public and private key pair encryption to encrypt files for ransom payment.[48] |
S0659 | Diavol |
Diavol has encrypted files using an RSA key though the |
S0554 | Egregor |
Egregor can encrypt all non-system files using a hybrid AES-RSA algorithm prior to displaying a ransom note.[6][50] |
S0605 | EKANS |
EKANS uses standard encryption library functions to encrypt files.[51][52] |
G0046 | FIN7 |
FIN7 has encrypted virtual disk volumes on ESXi servers using a version of Darkside ransomware.[53][54] |
G0061 | FIN8 |
FIN8 has deployed ransomware such as Ragnar Locker, White Rabbit, and attempted to execute Noberus on compromised networks.[55] |
S0618 | FIVEHANDS |
FIVEHANDS can use an embedded NTRU public key to encrypt data for ransom.[48][56][57] |
S0617 | HELLOKITTY |
HELLOKITTY can use an embedded RSA-2048 public key to encrypt victim data for ransom.[48] |
C0038 | HomeLand Justice |
During HomeLand Justice, threat actors used ROADSWEEP ransomware to encrypt files on targeted systems.[58][59][60] |
G1032 | INC Ransom |
INC Ransom has used INC Ransomware to encrypt victim's data.[61][62][63][64][65][66] |
S1139 | INC Ransomware |
INC Ransomware can encrypt data on victim systems, including through the use of partial encryption and multi-threading to speed encryption.[61][62][65][66][61] |
G0119 | Indrik Spider |
Indrik Spider has encrypted domain-controlled systems using BitPaymer.[24] Additionally, Indrik Spider used PsExec to execute a ransomware script.[67] |
S0389 | JCry |
JCry has encrypted files and demanded Bitcoin to decrypt those files. [68] |
S0607 | KillDisk |
KillDisk has a ransomware component that encrypts files with an AES key that is also RSA-1028 encrypted.[69] |
S0372 | LockerGoga |
LockerGoga has encrypted files, including core Windows OS files, using RSA-OAEP MGF1 and then demanded Bitcoin be paid for the decryption key.[70][71][72] |
G0059 | Magic Hound |
Magic Hound has used BitLocker and DiskCryptor to encrypt targeted workstations. [73][74] |
S0449 | Maze |
Maze has disrupted systems by encrypting files on targeted machines, claiming to decrypt files if a ransom payment is made. Maze has used the ChaCha algorithm, based on Salsa20, and an RSA algorithm to encrypt files.[75] |
S0576 | MegaCortex |
MegaCortex has used the open-source library, Mbed Crypto, and generated AES keys to carry out the file encryption process.[76][77] |
S1137 | Moneybird |
Moneybird targets a common set of file types such as documents, certificates, and database files for encryption while avoiding executable, dynamic linked libraries, and similar items.[78] |
G1036 | Moonstone Sleet |
Moonstone Sleet has deployed ransomware in victim environments.[79] |
S0457 | Netwalker |
Netwalker can encrypt files on infected machines to extort victims.[80] |
S0368 | NotPetya |
NotPetya encrypts user files and disk structures like the MBR with 2048-bit RSA.[81][3][82] |
S0556 | Pay2Key |
Pay2Key can encrypt data on victim's machines using RSA and AES algorithms in order to extort a ransom payment for decryption.[83][84] |
S1162 | Playcrypt |
Playcrypt encrypts files on targeted hosts with an AES-RSA hybrid encryption, encrypting every other file portion of 0x100000 bytes.[85][86] |
S1058 | Prestige |
Prestige has leveraged the CryptoPP C++ library to encrypt files on target systems using AES and appended filenames with |
S0654 | ProLock |
ProLock can encrypt files on a compromised host with RC6, and encrypts the key with RSA-1024.[88] |
S0583 | Pysa |
Pysa has used RSA and AES-CBC encryption algorithm to encrypt a list of targeted file extensions.[89] |
S0481 | Ragnar Locker |
Ragnar Locker encrypts files on the local machine and mapped drives prior to displaying a note demanding a ransom.[90][91] |
S0496 | REvil |
REvil can encrypt files on victim systems and demands a ransom to decrypt the files.[92][93][94][95][96][97][98][99] |
S1150 | ROADSWEEP |
ROADSWEEP can RC4 encrypt content in blocks on targeted systems.[58][59][60] |
S0400 | RobbinHood |
RobbinHood will search for an RSA encryption key and then perform its encryption process on the system files.[100] |
S1073 | Royal |
Royal uses a multi-threaded encryption process that can partially encrypt targeted files with the OpenSSL library and the AES256 algorithm.[101][102][103] |
S0446 | Ryuk |
Ryuk has used a combination of symmetric (AES) and asymmetric (RSA) encryption to encrypt files. Files have been encrypted with their own AES key and given a file extension of .RYK. Encrypted directories have had a ransom note of RyukReadMe.txt written to the directory.[104][44] |
S0370 | SamSam |
SamSam encrypts victim files using RSA-2048 encryption and demands a ransom be paid in Bitcoin to decrypt those files.[105] |
G0034 | Sandworm Team |
Sandworm Team has used Prestige ransomware to encrypt data at targeted organizations in transportation and related logistics industries in Ukraine and Poland.[87] |
G1015 | Scattered Spider |
Scattered Spider has used BlackCat ransomware to encrypt files on VMWare ESXi servers.[106][107] |
S0639 | Seth-Locker |
Seth-Locker can encrypt files on a targeted system, appending them with the suffix .seth.[22] |
S0140 | Shamoon |
Shamoon has an operational mode for encrypting data instead of overwriting it.[108][109] |
S0242 | SynAck |
SynAck encrypts the victims machine followed by asking the victim to pay a ransom. [110] |
G0092 | TA505 |
TA505 has used a wide variety of ransomware, such as Clop, Locky, Jaff, Bart, Philadelphia, and GlobeImposter, to encrypt victim files and demand a ransom payment.[111] |
S0595 | ThiefQuest |
ThiefQuest encrypts a set of file extensions on a host, deletes the original files, and provides a ransom note with no contact information.[112] |
S0366 | WannaCry |
WannaCry encrypts user files and demands that a ransom be paid in Bitcoin to decrypt those files.[113][2][114] |
S0612 | WastedLocker |
WastedLocker can encrypt data and leave a ransom note.[115][116][117] |
S0341 | Xbash |
Xbash has maliciously encrypted victim's database systems and demanded a cryptocurrency ransom be paid.[118] |
S0658 | XCSSET |
XCSSET performs AES-CBC encryption on files under |
ID | Mitigation | Description |
---|---|---|
M1040 | Behavior Prevention on Endpoint |
On Windows 10, enable cloud-delivered protection and Attack Surface Reduction (ASR) rules to block the execution of files that resemble ransomware. [120] |
M1053 | Data Backup |
Consider implementing IT disaster recovery plans that contain procedures for regularly taking and testing data backups that can be used to restore organizational data.[121] Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery. Consider enabling versioning in cloud environments to maintain backup copies of storage objects.[122] |
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0010 | Cloud Storage | Cloud Storage Modification |
Monitor for changes made in cloud environments for events that indicate storage objects have been anomalously modified. |
DS0017 | Command | Command Execution |
Monitor executed commands and arguments for actions involved in data destruction activity, such as vssadmin, wbadmin, and bcdedit |
DS0022 | File | File Creation |
Monitor for newly constructed files in user directories. |
File Modification |
Monitor for changes made to files in user directories. |
||
DS0033 | Network Share | Network Share Access |
Monitor for unexpected network shares being accessed on target systems or on large numbers of systems. |
DS0009 | Process | Process Creation |
Monitor for newly constructed processes and/or command-lines involved in data destruction activity, such as vssadmin, wbadmin, and bcdedit. |