ID | E1486 |
Objective(s) | Impact |
Related ATT&CK Techniques | Data Encrypted for Impact (T1486), Data Encrypted for Impact (Mobile) (T1471) |
Impact Type | Availability |
Version | 2.1 |
Created | 1 August 2019 |
Last Modified | 31 August 2023 |

Malware may encrypt files stored on the system to prevent user access until a ransom is paid and/or to interrupt system availability. The encryption process usually iterates over all drive letters on the system (except CD drives) and then recursively encrypts all files with specific suffixes.

See ATT&CK: Data Encrypted for Impact (T1486) and Data Encrypted for Impact (Mobile) (T1471).

Name | ID | Description |
---|---|---|
Ransom Note | E1486.001 | Ransomware displays a ransom note. Ransom notes are sometimes used to link instances of ransomware, even when the code or anti-analysis techniques change. |

Name | Date | Method | Description |
---|---|---|---|
CryptoWall | 2014 | E1486.001 | The malware launches Internet Explorer to show ransom notes. [1] |
CryptoLocker | 2013 | E1486.001 | The malware launches Internet Explorer to show ransom notes. [2] |
Locky Bart | 2017 | -- | Locky Bart encrypts files for ransom without any connection to the Internet. [3] |
SamSam | 2015 | -- | SamSam encrypts data to hold for ransom. [4] |
Netwalker | 2020 | -- | Netwalker encrypts files for ransom. [5] |
WannaCry | 2017 | -- | WannaCry encrypts files for ransom. [6] |

[1] https://news.sophos.com/en-us/2015/12/17/the-current-state-of-ransomware-cryptowall/
[2] https://www.secureworks.com/research/cryptolocker-ransomware
[3] https://blog.malwarebytes.com/threat-analysis/2017/01/locky-bart-ransomware-and-backend-server-analysis/
[4] https://www.cisa.gov/uscert/ncas/alerts/AA18-337A
[5] https://www.trendmicro.com/en_us/research/20/e/netwalker-fileless-ransomware-injected-via-reflective-loading.html
[6] https://www.mandiant.com/resources/blog/wannacry-malware-profile