MITRE ATT&CK T1486 Data Encrypted for Impact

The Red Report 2024

The Top 10 MITRE ATT&CK Techniques Used by Adversaries


Adversaries attack the availability of the data and services in target systems with malicious use of encryption. Since ransomware remains a financially lucrative business and rising geopolitical tensions have led to an increase in data destruction attacks, data encryption continues to be weaponized in their malware campaigns. 

In Red Report 2024, T1486 Data Encrypted for Impact is listed as the fifth most prevalent adversary technique, confirming that ransomware and data wiper malware trends are still a major threat to organizations and individuals.


Adversary Use of Data Encrypted for Impact

Adversaries use strong encryption algorithms to render their victims' data useless. In ransomware attacks, the adversary withholds the decryption key and demands a ransom for it. The pattern seen in the infamous ransomware campaigns is that adversaries combine several encryption algorithms to balance speed, security, and efficiency.

Encryption algorithms fall into two broad families:

Symmetric encryption algorithms use the same key, also called the secret key, for both encryption and decryption. AES, Blowfish, ChaCha20, DES, 3DES, and Salsa20 are popular examples of symmetric algorithms.

Asymmetric encryption algorithms use a key pair: a public key for encryption and a private key for decryption. These algorithms are also known as public-key encryption. RSA, ECDH, and ECDSA are popular examples of asymmetric (public-key) algorithms.

Symmetric encryption is best suited for bulk encryption because it is substantially faster than asymmetric encryption, and the ciphertext it produces is smaller. To carry out ransomware attacks efficiently, threat actors therefore usually encrypt the victim's files with a symmetric algorithm, which speeds up both the encryption and the exfiltration of those files. Although symmetric encryption is faster and more efficient, it has two main limitations:

  • Key distribution problem: In symmetric encryption, the secrecy of the key is all that protects the data, so keeping that key secret is paramount for the confidentiality of the encrypted files. If the key is exposed to a third party, whether in transit or on disk, the files can be decrypted easily. Distributing the encryption key securely is therefore a challenge that ransomware operators need to overcome.
  • Key management problem: Using a different key for each encryption operation is a common best practice for symmetric encryption. However, this creates a key management problem, because the number of keys grows with every encryption operation. For ransomware, threat actors must create a different key for each infected host and keep all of those keys secret; otherwise, victims could decrypt all of the data with a single revealed key.

Ransomware operators use asymmetric encryption to solve the key distribution and key management problems of symmetric encryption. Although it is slower, asymmetric encryption lets ransomware operators leave their public key on the infected hosts without concern, since victims cannot decrypt their files without the corresponding private key.

In a typical ransomware attack, the payload first encrypts files with a symmetric algorithm under a secret key. It then encrypts that secret key with a public key generated specifically for the infected host. This combined use of both kinds of algorithm is called the hybrid encryption approach: it gives ransomware operators the fast bulk encryption of symmetric ciphers together with the strong key protection of asymmetric algorithms.

Ransomware           Symmetric Encryption   Asymmetric Encryption
-------------------  ---------------------  ------------------------
AvosLocker [1]       AES-256-CBC            RSA (2048-bit)
BlackMatter [2]      Salsa20                RSA (1024-bit)
LockBit 3.0 [3]      AES-256                RSA (2048-bit)
Money Message [4]    ChaCha20               ECDH with Curve P-384
Rancoz [5]           ChaCha20               NTRUEncrypt
RTM Locker [6]       ChaCha20               ECDH with Curve 25519

In another use case, adversaries abuse data encryption to destroy victims' data. In data destruction attacks, adversaries encrypt files irreversibly by never retaining a recoverable key for the algorithm they use (for example, running AES with a throwaway key that is never stored or transmitted), leaving victims with no way to decrypt their files. Geopolitical tensions around the world have led to a rise in data wiper malware.

Here are some of the recent wiper malware examples:

  • Azov Wiper [7]
  • AwfulShred [8]
  • BiBi Wiper [9]
  • CaddyWiper [10]
  • No-Justice [11]
  • WhisperGate [12]

Built-in Windows APIs allow users to utilize both symmetric and asymmetric encryption algorithms such as DES, 3DES, RC2, RC4, and RSA. Adversaries abuse this feature in their data encryption operations.

For example, BlueSky and Nefilim abuse Microsoft's Enhanced Cryptographic Provider to import cryptographic keys and encrypt data with the following API functions [13], [14]:

  • Initializing and connecting to the cryptographic service provider: CryptAcquireContext
  • Calculating the hash of the plaintext key: CryptCreateHash, CryptHashData
  • Creating the session key: CryptDeriveKey
  • Encrypting data: CryptEncrypt
  • Clearing tracks: CryptDestroyHash, CryptDestroyKey, CryptReleaseContext

Ransomware operators often query host-specific information to generate a unique identifier for each infected host. Unique identifiers let them track infected hosts and their encryption/decryption state. For example, Zeppelin ransomware reads the MachineGUID value under the following registry key, as it is unique to each Windows host [15].

Registry key: "HKLM\SOFTWARE\Microsoft\Cryptography"
Value: "MachineGUID"

Security teams can monitor calls to these API functions as part of their ransomware detection.
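As an added example (not code from the Red Report or from Picus), the following detector looks for the CryptoAPI call sequence listed above in a per-process API trace: the key-setup chain CryptAcquireContext → CryptCreateHash → CryptHashData → CryptDeriveKey, followed by CryptEncrypt over many distinct files, with a read of the MachineGUID registry value as a supporting signal. The `pid|image|api|detail` trace format and the sample lines are constructed for illustration; a real deployment would feed it from an EDR or API-monitoring source.

```python
import re
from collections import defaultdict

# Key-setup calls named in the text, in the order a hybrid-encryption payload issues them.
KEY_SETUP = ("CryptAcquireContext", "CryptCreateHash", "CryptHashData", "CryptDeriveKey")
CLEANUP = {"CryptDestroyHash", "CryptDestroyKey", "CryptReleaseContext"}
MACHINE_GUID = r"HKLM\SOFTWARE\Microsoft\Cryptography\MachineGUID"  # value read by Zeppelin

# Constructed sample trace (hypothetical "pid|image|api|detail" format, not real telemetry).
SAMPLE_TRACE = "\n".join([
    "4120|svchost32.exe|CryptAcquireContext|prov=Microsoft Enhanced Cryptographic Provider v1.0",
    "4120|svchost32.exe|CryptCreateHash|alg=CALG_SHA_256",
    "4120|svchost32.exe|CryptHashData|len=32",
    "4120|svchost32.exe|CryptDeriveKey|alg=CALG_AES_256",
    "4120|svchost32.exe|RegQueryValueEx|" + MACHINE_GUID,
    *[f"4120|svchost32.exe|CryptEncrypt|file=C:\\Users\\j\\Documents\\report{i}.docx" for i in range(8)],
    "4120|svchost32.exe|CryptDestroyHash|", "4120|svchost32.exe|CryptDestroyKey|",
    "4120|svchost32.exe|CryptReleaseContext|",
    # Benign process: uses the same provider but encrypts a single file and never derives a key.
    "7788|outlook.exe|CryptAcquireContext|prov=Microsoft Enhanced Cryptographic Provider v1.0",
    "7788|outlook.exe|CryptEncrypt|file=C:\\Users\\j\\mail.pst",
])

def parse_trace(text):
    """Parse 'pid|image|api|detail' lines into event dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, image, api, detail = line.split("|", 3)
        events.append({"pid": int(pid), "image": image, "api": api, "detail": detail})
    return events

def in_order(seen, wanted):
    """True if every call in `wanted` occurs in `seen` in the same relative order (subsequence)."""
    it = iter(seen)
    return all(any(call == w for call in it) for w in wanted)

def score_processes(events, min_files=5):
    """Return {pid: findings} for processes that match the hybrid-encryption call pattern."""
    per_pid = defaultdict(list)
    for e in events:
        per_pid[e["pid"]].append(e)
    findings = {}
    for pid, evs in per_pid.items():
        calls = [e["api"] for e in evs]
        files = {e["detail"] for e in evs if e["api"] == "CryptEncrypt" and e["detail"].startswith("file=")}
        if not in_order(calls, KEY_SETUP) or len(files) < min_files:
            continue  # no derived key, or too few files touched, to call it bulk encryption
        findings[pid] = {
            "image": evs[0]["image"],
            "files_encrypted": len(files),
            # Registry paths are case-insensitive, so compare the MachineGUID read that way.
            "machine_guid_read": any(e["detail"].lower() == MACHINE_GUID.lower() for e in evs),
            "cleanup": CLEANUP.issubset(calls),
        }
    return findings
```

The `min_files` threshold is the main tuning knob: legitimate software routinely calls CryptEncrypt on one or two files, while bulk encryption over many user documents after a fresh CryptDeriveKey is the behaviour worth alerting on.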

References

[1] N. Shivtarkar and R. Dodia, “A Retrospective on AvosLocker,” Oct. 27, 2023.  https://www.zscaler.com/blogs/security-research/retrospective-avoslocker

[2] D. Sason, “BlackMatter Ransomware: In-Depth Analysis & Recommendations,” Nov. 02, 2021.  https://www.varonis.com/blog/blackmatter-ransomware

[3] “A Look at LockBit 3 Ransomware.”  https://redpiranha.net/news/look-lockbit-3-ransomware

[4] “A detailed analysis of the Money Message Ransomware,” SecurityScorecard, Sep. 14, 2023.  https://securityscorecard.com/resources/a-detailed-analysis-of-the-money-message-ransomware/

[5] “Dissecting Rancoz Ransomware,” Cyble, May 11, 2023.  https://cyble.com/blog/dissecting-rancoz-ransomware/

[6] Uptycs Threat Research, “RTM Locker Ransomware as a Service (RaaS) Now on Linux - Uptycs,” Apr. 26, 2023.  https://www.uptycs.com/blog/rtm-locker-ransomware-as-a-service-raas-linux

[7] G. Revay, “The Year of the Wiper,” Fortinet Blog, Jan. 24, 2023.  https://www.fortinet.com/blog/threat-research/the-year-of-the-wiper

[8] “Threat Update: AwfulShred Script Wiper,” Splunk-Blogs, Apr. 21, 2023.  https://www.splunk.com/en_us/blog/security/threat-update-awfulshred-script-wiper.html

[9] D. Bestuzhev, “BiBi Wiper Used in the Israel-Hamas War Now Runs on Windows,” BlackBerry, Nov. 10, 2023.  https://blogs.blackberry.com/en/2023/11/bibi-wiper-used-in-the-israel-hamas-war-now-runs-on-windows

[10] I. Kulmin, “CaddyWiper makes Windows machines unusable,” Acronis.  https://www.acronis.com/en-us/cyber-protection-center/posts/caddywiper-makes-windows-machines-unusable/

[11] “No-Justice Wiper.”  https://www.clearskysec.com/wp-content/uploads/2024/01/No-Justice-Wiper.pdf

[12] “2023 Data Breach Investigations Report (DBIR),” Verizon Enterprise Solutions, May 25, 2023.  https://www.verizon.com/business/resources/reports/2023-data-breach-investigations-report-dbir.pdf

[13] S. Ozarslan, “How to Beat Nefilim Ransomware Attacks,” Dec. 03, 2020.  https://www.picussecurity.com/resource/blog/how-to-beat-nefilim-ransomware-attacks

[14] A. Unnikrishnan, “Technical Analysis of BlueSky Ransomware,” CloudSEK, Oct. 14, 2022.  https://cloudsek.com/technical-analysis-of-bluesky-ransomware/

[15] H. C. Yuceel, “Zeppelin Ransomware Analysis, Simulation, and Mitigation,” Aug. 13, 2022.  https://www.picussecurity.com/resource/zeppelin-ransomware-analysis-simulation-and-mitigation