# T1486 - Data Encrypted for Impact ## Description from ATT&CK > Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.(Citation: US-CERT Ransomware 2016)(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017)(Citation: US-CERT SamSam 2018) > > In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted (and often renamed and/or tagged with specific file markers). Adversaries may need to first employ other behaviors, such as [File and Directory Permissions Modification](https://attack.mitre.org/techniques/T1222) or [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529), in order to unlock and/or gain access to manipulate these files.(Citation: CarbonBlack Conti July 2020) In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.(Citation: US-CERT NotPetya 2017) Adversaries may also encrypt virtual machines hosted on ESXi or other hypervisors.(Citation: Crowdstrike Hypervisor Jackpotting Pt 2 2021) > > To maximize impact on the target organization, malware designed for encrypting data may have worm-like features to propagate across a network by leveraging other attack techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017) Encryption malware may also leverage [Internal Defacement](https://attack.mitre.org/techniques/T1491/001), such as changing victim wallpapers or ESXi server login messages, or otherwise intimidate victims by sending ransom notes or other messages to connected printers (known as "print bombing").(Citation: NHS Digital Egregor Nov 2020)(Citation: Varonis) > > In cloud environments, storage objects within compromised accounts may also be encrypted.(Citation: Rhino S3 Ransomware Part 1) For example, in AWS environments, adversaries may leverage services such as AWS’s Server-Side Encryption with Customer Provided Keys (SSE-C) to encrypt data.(Citation: Halcyon AWS Ransomware 2025) [Source](https://attack.mitre.org/techniques/T1486) ## Atomic Tests - [Atomic Test #1: Encrypt files using gpg (FreeBSD/Linux)](#atomic-test-1-encrypt-files-using-gpg-freebsdlinux) - [Atomic Test #2: Encrypt files using 7z (FreeBSD/Linux)](#atomic-test-2-encrypt-files-using-7z-freebsdlinux) - [Atomic Test #3: Encrypt files using ccrypt (FreeBSD/Linux)](#atomic-test-3-encrypt-files-using-ccrypt-freebsdlinux) - [Atomic Test #4: Encrypt files using openssl (FreeBSD/Linux)](#atomic-test-4-encrypt-files-using-openssl-freebsdlinux) - [Atomic Test #5: PureLocker Ransom Note](#atomic-test-5-purelocker-ransom-note) - [Atomic Test #6: Encrypt files using 7z utility - macOS](#atomic-test-6-encrypt-files-using-7z-utility---macos) - [Atomic Test #7: Encrypt files using openssl utility - macOS](#atomic-test-7-encrypt-files-using-openssl-utility---macos) - [Atomic Test #8: Data Encrypted with GPG4Win](#atomic-test-8-data-encrypted-with-gpg4win) - [Atomic Test #9: Data Encrypt Using DiskCryptor](#atomic-test-9-data-encrypt-using-diskcryptor) - [Atomic Test #10: Akira Ransomware drop Files with .akira Extension and Ransomnote](#atomic-test-10-akira-ransomware-drop-files-with-akira-extension-and-ransomnote) ### Atomic Test #1: Encrypt files using gpg (FreeBSD/Linux) Uses gpg to encrypt a file **Supported Platforms:** Linux **auto_generated_guid:** `7b8ce084-3922-4618-8d22-95f996173765` #### Inputs | Name | Description | Type | Default Value | |------|-------------|------|---------------| | pwd_for_encrypted_file | the password that you want for the encrypted file | string | passwd| | encrypted_file_path | path to the encrypted file | path | /tmp/passwd.gpg| | input_file_path | path to the file that you want to encrypt | path | /etc/passwd| | encryption_alg | encryption algorithm of the file | string | AES-256| #### Attack Commands: Run with `sh`! ```sh echo "#{pwd_for_encrypted_file}" | $which_gpg --batch --yes --passphrase-fd 0 --cipher-algo #{encryption_alg} -o #{encrypted_file_path} -c #{input_file_path} ``` #### Cleanup Commands ```sh rm #{encrypted_file_path} ``` #### Dependencies: Run with `bash`! ##### Description: Finds where gpg is located ###### Check Prereq Commands ```bash which_gpg=`which gpg` ``` ###### Get Prereq Commands ```bash (which pkg && pkg install -y gnupg)||(which yum && yum -y install epel-release gpg)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y gpg) ``` ### Atomic Test #2: Encrypt files using 7z (FreeBSD/Linux) Uses 7z to encrypt a file **Supported Platforms:** Linux **auto_generated_guid:** `53e6735a-4727-44cc-b35b-237682a151ad` #### Inputs | Name | Description | Type | Default Value | |------|-------------|------|---------------| | pwd_for_encrypted_file | the password that you want for the encrypted file | string | passwd| | encrypted_file_path | path to the encrypted file | path | /tmp/passwd.zip| | input_file_path | path to the file that you want to encrypt | path | /etc/passwd| #### Attack Commands: Run with `sh`! ```sh $which_7z a -p#{pwd_for_encrypted_file} #{encrypted_file_path} #{input_file_path} ``` #### Cleanup Commands ```sh $which_7z e #{encrypted_file_path} rm #{encrypted_file_path} ``` #### Dependencies: Run with `bash`! ##### Description: Finds where 7z is located ###### Check Prereq Commands ```bash which_7z=`which 7z` ``` ###### Get Prereq Commands ```bash (which pkg && pkg install -y 7-zip) ``` ### Atomic Test #3: Encrypt files using ccrypt (FreeBSD/Linux) Attempts to encrypt data on target systems as root to simulate an interruption authentication to target system. If root permissions are not available then attempts to encrypt data within user's home directory. **Supported Platforms:** Linux **auto_generated_guid:** `08cbf59f-85da-4369-a5f4-049cffd7709f` #### Inputs | Name | Description | Type | Default Value | |------|-------------|------|---------------| | cped_file_path | Path where you want your copied file to be | path | /tmp/passwd| | root_input_file_path | Path the target file to be encrypted. File will be copied to /tmp/ before encrypting | path | /etc/passwd| | pwd_for_encrypted_file | Password to use for encryption | string | passwd| #### Attack Commands: Run with `sh`! ```sh which_ccencrypt=`which ccencrypt` cp #{root_input_file_path} #{cped_file_path}; $which_ccencrypt -T -K #{pwd_for_encrypted_file} #{cped_file_path} ``` #### Cleanup Commands ```sh rm #{cped_file_path}.cpt ``` #### Dependencies: Run with `sh`! ##### Description: Finds where ccencrypt and ccdecrypt are located ###### Check Prereq Commands ```sh which_ccencrypt=`which ccencrypt` which_ccdecrypt=`which ccdecrypt` ``` ###### Get Prereq Commands ```sh (which pkg && pkg install -y ccript)||(which yum && yum -y install epel-release ccrypt)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y ccrypt) ``` ### Atomic Test #4: Encrypt files using openssl (FreeBSD/Linux) Uses openssl to encrypt a file **Supported Platforms:** Linux **auto_generated_guid:** `142752dc-ca71-443b-9359-cf6f497315f1` #### Inputs | Name | Description | Type | Default Value | |------|-------------|------|---------------| | private_key_path | path to the private key | path | /tmp/key.pem| | public_key_path | path to the public key | path | /tmp/pub.pem| | encryption_bit_size | size of the bit of encryption | integer | 2048| | encrypted_file_path | path to the encrypted file | path | /tmp/passwd.zip| | input_file_path | path to the file that you want to encrypt | path | /etc/passwd| #### Attack Commands: Run with `sh`! ```sh which_openssl=`which openssl` $which_openssl genrsa -out #{private_key_path} #{encryption_bit_size} $which_openssl rsa -in #{private_key_path} -pubout -out #{public_key_path} $which_openssl rsautl -encrypt -inkey #{public_key_path} -pubin -in #{input_file_path} -out #{encrypted_file_path} ``` #### Cleanup Commands ```sh $which_openssl rsautl -decrypt -inkey #{private_key_path} -in #{encrypted_file_path} rm #{encrypted_file_path} ``` #### Dependencies: Run with `bash`! ##### Description: Finds where openssl is located ###### Check Prereq Commands ```bash which_openssl=`which openssl` ``` ###### Get Prereq Commands ```bash ``` ### Atomic Test #5: PureLocker Ransom Note building the IOC (YOUR_FILES.txt) for the PureLocker ransomware https://www.bleepingcomputer.com/news/security/purelocker-ransomware-can-lock-files-on-windows-linux-and-macos/ **Supported Platforms:** Windows **auto_generated_guid:** `649349c7-9abf-493b-a7a2-b1aa4d141528` #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) ```cmd echo T1486 - Purelocker Ransom Note > %USERPROFILE%\Desktop\YOUR_FILES.txt ``` #### Cleanup Commands ```cmd del %USERPROFILE%\Desktop\YOUR_FILES.txt >nul 2>&1 ``` ### Atomic Test #6: Encrypt files using 7z utility - macOS This test encrypts the file(s) using the 7z utility **Supported Platforms:** macOS **auto_generated_guid:** `645f0f5a-ef09-48d8-b9bc-f0e24c642d72` #### Inputs | Name | Description | Type | Default Value | |------|-------------|------|---------------| | file_password | Password to be provided for archiving the file | string | ARTPass| | encrypted_file_name | Name of the archive to be created | string | ARTArchive.7z| | input_file_path | Path to the file that you want to encrypt | path | ~/test.txt| #### Attack Commands: Run with `sh`! ```sh 7z a -p #{file_password} -mhe=on #{encrypted_file_name} #{input_file_path} ``` #### Cleanup Commands ```sh rm #{encrypted_file_name} ``` #### Dependencies: Run with `sh`! ##### Description: Check if 7z command exists on the machine ###### Check Prereq Commands ```sh which 7z ``` ###### Get Prereq Commands ```sh echo Installing 7z, using brew /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)" brew install p7zip ``` ### Atomic Test #7: Encrypt files using openssl utility - macOS This test encrypts the file(s) using the openssl utility **Supported Platforms:** macOS **auto_generated_guid:** `1a01f6b8-b1e8-418e-bbe3-78a6f822759e` #### Inputs | Name | Description | Type | Default Value | |------|-------------|------|---------------| | encryption_option | Specifiy the required encryption option | string | -pbkdf2| | input_file_path | Path to the file that you want to encrypt | path | ~/test.txt| | output_file_name | Path to the file that you want to encrypt | string | ARTFile| #### Attack Commands: Run with `sh`! ```sh openssl enc #{encryption_option} -in #{input_file_path} -out #{output_file_name} ``` #### Cleanup Commands ```sh rm #{output_file_name} ``` ### Atomic Test #8: Data Encrypted with GPG4Win Gpg4win is a Windows tool (also called Kleopatra which is the preferred certificate manager) that uses email and file encryption packages for symmetric encryption. It is used by attackers to encrypt disks. User will need to add pass phrase to encrypt file as automation is not allowed under newer versions. **Supported Platforms:** Windows **auto_generated_guid:** `4541e2c2-33c8-44b1-be79-9161440f1718` #### Inputs | Name | Description | Type | Default Value | |------|-------------|------|---------------| | GPG_Exe_Location | Path of the GPG program | path | C:\Program Files (x86)\GnuPG\bin\gpg.exe| | File_to_Encrypt_Location | Path of File | path | $env:temp\test.txt| #### Attack Commands: Run with `powershell`! ```powershell Set-Content -Path "#{File_to_Encrypt_Location}" -Value "populating this file with some text" # Create the test.txt file again in case prereqs failed cmd /c "`"C:\Program Files (x86)\GnuPG\bin\gpg.exe`" --passphrase 'SomeParaphraseBlah' --batch --yes -c `"#{File_to_Encrypt_Location}`"" ``` #### Cleanup Commands ```powershell Remove-Item -Path "#{File_to_Encrypt_Location}" -Force -ErrorAction SilentlyContinue Remove-Item -Path "#{File_to_Encrypt_Location}.gpg" -Force -ErrorAction SilentlyContinue ``` #### Dependencies: Run with `powershell`! ##### Description: GPG must exist at (#{GPG_Exe_Location}). If -GetPrereqs fails, try to install GPG4WIN manually at 'https://www.gpg4win.org/download.html'. Once done, run -CheckPrereqs to confirm that it works. ###### Check Prereq Commands ```powershell if (test-path '#{GPG_Exe_Location}'){exit 0} else {exit 1} ``` ###### Get Prereq Commands ```powershell Set-Content -Path "#{File_to_Encrypt_Location}" -Value "populating this file with some text" # Create the test.txt file New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null invoke-webrequest "https://files.gpg4win.org/gpg4win-4.1.0.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\gpginstall.exe" cmd /c "PathToAtomicsFolder\..\ExternalPayloads\gpginstall.exe" /S ``` ### Atomic Test #9: Data Encrypt Using DiskCryptor DiskCryptor, an open source encryption utility, can be exploited by adversaries for encrypting all disk partitions, including system partitions. This tool was identified in a ransomware campaign, as reported on https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/. The documentation for DiskCryptor can be found at https://github.com/DavidXanatos/DiskCryptor. During the installation process, running dcrypt.exe starts the encryption console. It's important to note that a system reboot is necessary as part of the installation. **Supported Platforms:** Windows **auto_generated_guid:** `44b68e11-9da2-4d45-a0d9-893dabd60f30` #### Inputs | Name | Description | Type | Default Value | |------|-------------|------|---------------| | dcrypt_exe | The dcrypt.exe executable from dcrypt_setup.exe | path | dcrypt.exe| #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) ```cmd ""%PROGRAMFILES%\dcrypt"\#{dcrypt_exe}" ``` #### Dependencies: Run with `powershell`! ##### Description: dcrypt_setup will be installed at specified location (#{dcrypt_exe}) ###### Check Prereq Commands ```powershell if (Test-Path "${env:ProgramFiles}/dcrypt/#{dcrypt_exe}") {exit 0} else {exit 1} ``` ###### Get Prereq Commands ```powershell Write-Host Downloading DiskCryptor installer New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null Invoke-WebRequest "https://github.com/DavidXanatos/DiskCryptor/releases/download/1.1.846.118/dcrypt_setup_1.1.846.118.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\dcrypt_setup_1.1.846.118.exe" Write-Host Install DiskCryptor Start-Process "PathToAtomicsFolder\..\ExternalPayloads\dcrypt_setup_1.1.846.118.exe" -Wait -ArgumentList "/s" ``` ### Atomic Test #10: Akira Ransomware drop Files with .akira Extension and Ransomnote Dropping 100 files with random content and .akira File Extension and the Akira Ransomnote to c:\ **Supported Platforms:** Windows **auto_generated_guid:** `ab3f793f-2dcc-4da5-9c71-34988307263f` #### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) ```powershell 1..100 | ForEach-Object { $out = new-object byte[] 1073741; (new-object Random).NextBytes($out); [IO.File]::WriteAllBytes("c:\test.$_.akira", $out) } echo "Hi friends" >> $env:Userprofile\Desktop\akira_readme.txt echo "" >> $env:Userprofile\Desktop\akira_readme.txt echo "Whatever who you are and what your title is if you' re reading this it means the internal infrastructure of your company is fully or partially dead, all your backups - virtual, physical - everything that we managed to reach - are completely removed. Moreover, we have taken a great amount of your corporate data prior to encryption Well, for now let's keep all the tears and resentment to ourselves and try to build a constructive dialogue. We're fully aware of what damage we caused by locking your internal sources. At the moment. you have to know: " >> $env:Userprofile\Desktop\akira_readme.txt echo "1. Dealing with us you will save A LOT due to we are not interested in ruining your financially. We will study in depth your finance, bank income statements, your savings, investments etc. and present our reasonable demand to you. If you have an active cyber insurance, let us know and we will guide you how to properly use it. Also, dragging out the negotiation process will lead to failing of a deal" >> $env:Userprofile\Desktop\akira_readme.txt echo "2. Paying us you save your TIME, MONEY, EFFORTS and be back on track within 24 hours approximately. Our decryptor works properly on any files or systems, so you will be able to check it by requesting a test decryption service from the beginning of our conversation. [f you decide to recover on your own, keep in mind that you can permanently lose access to some files or accidently corrupt them — in this case we won't be able to help. " >> $env:Userprofile\Desktop\akira_readme.txt echo "3. The security report or the exclusive first-hand information that you will receive upon reaching an agreement is of a great value, since NO full audit of your network will show you the vulnerabilities that we' ve managed to detect and used in order to get into. identify backup solutions and upload your data." >> $env:Userprofile\Desktop\akira_readme.txt echo "4. As for your data, if we fail to agree, we will try to sell personal information/trade secrets/databases/source codes — generally speaking, everything that has a value on the darkmarket - to multiple threat actors at ones." >> $env:Userprofile\Desktop\akira_readme.txt echo "Then all of this will be published in our blog -" >> $env:Userprofile\Desktop\akira_readme.txt echo "" >> $env:Userprofile\Desktop\akira_readme.txt echo "https://akira.onion" >> $env:Userprofile\Desktop\akira_readme.txt echo "" >> $env:Userprofile\Desktop\akira_readme.txt echo "5. We're more than negotiable and will definitely find the way to settle this quickly and reach an agreement which will satisfy both of us" >> $env:Userprofile\Desktop\akira_readme.txt echo "" >> $env:Userprofile\Desktop\akira_readme.txt echo "If you' re indeed interested in our assistance and the services we provide you can reach out to us following simple instructions:" >> $env:Userprofile\Desktop\akira_readme.txt echo "" >> $env:Userprofile\Desktop\akira_readme.txt echo "1. Install TOR Browser to get access to our chat room - https://www.torproject.org/download/." >> $env:Userprofile\Desktop\akira_readme.txt echo "2. Paste this link - https://akira.onion" >> $env:Userprofile\Desktop\akira_readme.txt echo "3. Use this code - - to log into our chat." >> $env:Userprofile\Desktop\akira_readme.txt echo "" >> $env:Userprofile\Desktop\akira_readme.txt echo "Keep in mind that the faster you will get in touch, the less damage we cause" >> $env:Userprofile\Desktop\akira_readme.txt ``` #### Cleanup Commands ```powershell del $env:Userprofile\Desktop\akira_readme.txt del c:\test.*.akira ```