MITRE ATT&CK Technique
Description
Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.(Citation: US-CERT Ransomware 2016)(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017)(Citation: US-CERT SamSam 2018) In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted (and often renamed and/or tagged with specific file markers). Adversaries may need to first employ other behaviors, such as [File and Directory Permissions Modification](https://attack.mitre.org/techniques/T1222) or [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529), in order to unlock and/or gain access to manipulate these files.(Citation: CarbonBlack Conti July 2020) In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.(Citation: US-CERT NotPetya 2017) Adversaries may also encrypt virtual machines hosted on ESXi or other hypervisors.(Citation: Crowdstrike Hypervisor Jackpotting Pt 2 2021) To maximize impact on the target organization, malware designed for encrypting data may have worm-like features to propagate across a network by leveraging other attack techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017) Encryption malware may also leverage [Internal Defacement](https://attack.mitre.org/techniques/T1491/001), such as changing victim wallpapers or ESXi server login messages, or otherwise intimidate victims by sending ransom notes or other messages to connected printers (known as "print bombing").(Citation: NHS Digital Egregor Nov 2020)(Citation: Varonis) In cloud environments, storage objects within compromised accounts may also be encrypted.(Citation: Rhino S3 Ransomware Part 1) For example, in AWS environments, adversaries may leverage services such as AWS’s Server-Side Encryption with Customer Provided Keys (SSE-C) to encrypt data.(Citation: Halcyon AWS Ransomware 2025)
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2019-03-15T13:59:30.390Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may encrypt data on target systems or on large '
'numbers of systems in a network to interrupt availability to '
'system and network resources. They can attempt to render '
'stored data inaccessible by encrypting files or data on local '
'and remote drives and withholding access to a decryption key. '
'This may be done in order to extract monetary compensation '
'from a victim in exchange for decryption or a decryption key '
'(ransomware) or to render data permanently inaccessible in '
'cases where the key is not saved or transmitted.(Citation: '
'US-CERT Ransomware 2016)(Citation: FireEye WannaCry '
'2017)(Citation: US-CERT NotPetya 2017)(Citation: US-CERT '
'SamSam 2018)\n'
'\n'
'In the case of ransomware, it is typical that common user '
'files like Office documents, PDFs, images, videos, audio, '
'text, and source code files will be encrypted (and often '
'renamed and/or tagged with specific file markers). '
'Adversaries may need to first employ other behaviors, such as '
'[File and Directory Permissions '
'Modification](https://attack.mitre.org/techniques/T1222) or '
'[System '
'Shutdown/Reboot](https://attack.mitre.org/techniques/T1529), '
'in order to unlock and/or gain access to manipulate these '
'files.(Citation: CarbonBlack Conti July 2020) In some cases, '
'adversaries may encrypt critical system files, disk '
'partitions, and the MBR.(Citation: US-CERT NotPetya 2017) '
'Adversaries may also encrypt virtual machines hosted on ESXi '
'or other hypervisors.(Citation: Crowdstrike Hypervisor '
'Jackpotting Pt 2 2021) \n'
'\n'
'To maximize impact on the target organization, malware '
'designed for encrypting data may have worm-like features to '
'propagate across a network by leveraging other attack '
'techniques like [Valid '
'Accounts](https://attack.mitre.org/techniques/T1078), [OS '
'Credential '
'Dumping](https://attack.mitre.org/techniques/T1003), and '
'[SMB/Windows Admin '
'Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: '
'FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017) '
'Encryption malware may also leverage [Internal '
'Defacement](https://attack.mitre.org/techniques/T1491/001), '
'such as changing victim wallpapers or ESXi server login '
'messages, or otherwise intimidate victims by sending ransom '
'notes or other messages to connected printers (known as '
'"print bombing").(Citation: NHS Digital Egregor Nov '
'2020)(Citation: Varonis)\n'
'\n'
'In cloud environments, storage objects within compromised '
'accounts may also be encrypted.(Citation: Rhino S3 Ransomware '
'Part 1) For example, in AWS environments, adversaries may '
'leverage services such as AWS’s Server-Side Encryption with '
'Customer Provided Keys (SSE-C) to encrypt data.(Citation: '
'Halcyon AWS Ransomware 2025)',
'external_references': [{'external_id': 'T1486',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1486'},
{'description': 'Baskin, B. (2020, July 8). TAU '
'Threat Discovery: Conti Ransomware. '
'Retrieved February 17, 2021.',
'source_name': 'CarbonBlack Conti July 2020',
'url': 'https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/'},
{'description': 'Berry, A., Homan, J., and Eitzman, '
'R. (2017, May 23). WannaCry Malware '
'Profile. Retrieved March 15, 2019.',
'source_name': 'FireEye WannaCry 2017',
'url': 'https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html'},
{'description': 'Gietzen, S. (n.d.). S3 Ransomware '
'Part 1: Attack Vector. Retrieved '
'April 14, 2021.',
'source_name': 'Rhino S3 Ransomware Part 1',
'url': 'https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/'},
{'description': 'Halcyon RISE Team. (2025, January '
'13). Abusing AWS Native Services: '
'Ransomware Encrypting S3 Buckets '
'with SSE-C. Retrieved March 18, '
'2025.',
'source_name': 'Halcyon AWS Ransomware 2025',
'url': 'https://www.halcyon.ai/blog/abusing-aws-native-services-ransomware-encrypting-s3-buckets-with-sse-c'},
{'description': 'Jason Hill. (2023, February 8). '
'VMware ESXi in the Line of '
'Ransomware Fire. Retrieved March 26, '
'2025.',
'source_name': 'Varonis',
'url': 'https://www.varonis.com/blog/vmware-esxi-in-the-line-of-ransomware-fire'},
{'description': 'Michael Dawson. (2021, August 30). '
'Hypervisor Jackpotting, Part 2: '
'eCrime Actors Increase Targeting of '
'ESXi Servers with Ransomware. '
'Retrieved March 26, 2025.',
'source_name': 'Crowdstrike Hypervisor Jackpotting '
'Pt 2 2021',
'url': 'https://www.crowdstrike.com/en-us/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/'},
{'description': 'NHS Digital. (2020, November 26). '
'Egregor Ransomware The RaaS '
'successor to Maze. Retrieved '
'December 29, 2020.',
'source_name': 'NHS Digital Egregor Nov 2020',
'url': 'https://digital.nhs.uk/cyber-alerts/2020/cc-3681#summary'},
{'description': 'US-CERT. (2016, March 31). Alert '
'(TA16-091A): Ransomware and Recent '
'Variants. Retrieved March 15, 2019.',
'source_name': 'US-CERT Ransomware 2016',
'url': 'https://www.us-cert.gov/ncas/alerts/TA16-091A'},
{'description': 'US-CERT. (2017, July 1). Alert '
'(TA17-181A): Petya Ransomware. '
'Retrieved March 15, 2019.',
'source_name': 'US-CERT NotPetya 2017',
'url': 'https://www.us-cert.gov/ncas/alerts/TA17-181A'},
{'description': 'US-CERT. (2018, December 3). Alert '
'(AA18-337A): SamSam Ransomware. '
'Retrieved March 15, 2019.',
'source_name': 'US-CERT SamSam 2018',
'url': 'https://www.us-cert.gov/ncas/alerts/AA18-337A'}],
'id': 'attack-pattern--b80d107d-fa0d-4b60-9684-b0433e8bdba0',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'impact'}],
'modified': '2025-10-24T17:49:16.589Z',
'name': 'Data Encrypted for Impact',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Oleg Kolesnikov, Securonix',
'Mayuresh Dani, Qualys',
'Harshal Tupsamudre, Qualys',
'Travis Smith, Qualys',
'ExtraHop'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_impact_type': ['Availability'],
'x_mitre_is_subtechnique': False,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['ESXi', 'IaaS', 'Linux', 'macOS', 'Windows'],
'x_mitre_version': '1.5'}