T1486 Data Encrypted for Impact in MITRE ATT&CK Explained
LAST UPDATED ON FEBRUARY 23, 2026
What Is T1486 Data Encrypted for Impact in MITRE ATT&CK?
T1486 Data Encrypted for Impact is a technique in the MITRE ATT&CK framework under the Impact tactic. This technique involves adversaries using ransomware or other malicious tools to encrypt data on compromised systems, rendering it inaccessible to the victim. The attackers typically demand a ransom for the decryption key, often threatening data destruction or public release if the payment is not made.
Adversaries commonly target sensitive files, databases, or entire systems and may use encryption algorithms like AES or RSA to lock the data. This technique is a hallmark of ransomware attacks, where the goal is to extort payment while holding data hostage.
Adversary Use of T1486 Data Encrypted for Impact
Adversaries employ encryption algorithms to disrupt operations and extort victims for financial gain. In ransomware attacks, attackers use various encryption methods to lock victim data, making it unusable without the decryption key. These attacks often leverage advanced cryptographic techniques for increased speed, security, and efficiency.
Ransomware groups typically combine multiple encryption algorithms, pairing a fast cipher for bulk data with a slower one that protects the keys. This combination lets them encrypt large volumes of data quickly while keeping the keys beyond the victim's reach, so that critical information stays hostage until the ransom is paid.
Encryption algorithms fall into two broad categories:
- Symmetric encryption algorithms use the same key for encryption and decryption. This key is also known as the secret key. AES, Blowfish, ChaCha20, DES, 3DES, and Salsa20 are popular examples of symmetric algorithms.
- Asymmetric encryption algorithms use a key pair, a public key and a private key, for encryption and decryption, respectively. These algorithms are also known as public key encryption. RSA, ECDH, and ECDSA are popular asymmetric (public-key) algorithms.
Symmetric encryption is best suited for bulk encryption because it is substantially faster than asymmetric encryption, and the encrypted output stays close to the original file size. To carry out ransomware attacks efficiently, threat actors therefore rely on symmetric encryption, which allows faster encryption and exfiltration of the victim's files. Although symmetric encryption is faster and more efficient, it has two main limitations:
- Key distribution problem: The encryption key is the only thing that ensures privacy in symmetric encryption, and the secrecy of the encryption key is paramount for the confidentiality of the encrypted data. If the encryption key is revealed to a third party while in transit or on disk, encrypted files can be decrypted easily. Therefore, distributing the encryption key is a challenge that ransomware operators need to overcome.
- Key management problem: Using different encryption keys for different encryption operations is a common best practice for symmetric encryption. However, this practice creates a key management problem as the number of encryption keys grows for each encryption operation. For ransomware, threat actors must create different encryption keys for each infected host and keep all the keys secret; otherwise, victims can decrypt all the data using the revealed key.
Hybrid-Encryption Ransomware Families
Ransomware operators rely on asymmetric encryption to address the key distribution and management challenges inherent to symmetric encryption. Although asymmetric encryption is computationally slower, it allows operators to safely embed a public key on infected systems, as victims cannot decrypt their files without access to the corresponding private key.
In a typical ransomware attack, the payload first encrypts files using a symmetric algorithm and a randomly generated secret key. That secret key is then encrypted with an attacker-controlled public key specific to the compromised host.
For instance, the use of AES-256 for bulk file encryption and RSA (commonly 2048-bit) for key protection aligns with established practices observed across modern hybrid-encryption ransomware families and is well documented in technical analyses and emulation studies.
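The hybrid scheme described above (a random per-file symmetric key, wrapped with a public key) is the same envelope-encryption construction used by backup tools and key-management services. The following Go program is an added example, not code from the page or from any ransomware family; it uses AES-256-GCM for the bulk step and RSA-OAEP for key wrapping, and its `Envelope` layout and function names are this example's own. It demonstrates the two points a responder should internalize from the key distribution and key management discussion: the public key found in a sample is sufficient to encrypt but useless for recovery, and a key pair generated for one host (or by the victim) cannot unwrap another host's file keys.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is one file's output under the hybrid scheme: the per-file AES key
// wrapped with RSA, plus the AES-GCM nonce and ciphertext. The layout is this
// example's own (an assumption), not any ransomware family's on-disk format.
type Envelope struct {
	WrappedKey []byte // 32-byte AES-256 key, encrypted with RSA-OAEP (SHA-256)
	Nonce      []byte // 12-byte GCM nonce, unique per sealing
	Ciphertext []byte // AES-256-GCM output with the authentication tag appended
}

// SealHybrid does the bulk work with a fresh random AES-256 key and then
// protects that key with the public key. Only the public key is needed here,
// which is why an operator can embed it in a payload without risk.
func SealHybrid(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// OpenHybrid is the recovery path. It fails unless priv matches the public
// key used by SealHybrid: the embedded public key alone cannot unwrap the key.
func OpenHybrid(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// Demo runs the two checks that matter to a responder: the matching private
// key recovers the constructed sample, and a second key pair (standing in for
// another host's keys, or a key pair the victim generated) does not.
func Demo() (recovered bool, otherKeyFails bool, err error) {
	sample := []byte("constructed sample: quarterly-report.xlsx contents")
	hostKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	otherKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	env, err := SealHybrid(&hostKey.PublicKey, sample)
	if err != nil {
		return false, false, err
	}
	got, err := OpenHybrid(hostKey, env)
	if err != nil {
		return false, false, err
	}
	recovered = bytes.Equal(got, sample)
	_, err = OpenHybrid(otherKey, env)
	otherKeyFails = err != nil
	return recovered, otherKeyFails, nil
}

func main() {
	ok, fails, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("recovered with matching private key: %v\n", ok)
	fmt.Printf("recovery with another key pair fails: %v\n", fails)
}
```

Because the wrapped key travels with the ciphertext, preserving the encrypted files intact (including any appended key blob) matters during incident response: if a private key is later published or seized, that blob is what makes recovery possible.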
Below are the most active ransomware groups of 2025 that implemented hybrid encryption methods.
| Ransomware | Symmetric Encryption | Asymmetric Encryption |
| --- | --- | --- |
| Qilin [1] | AES-256 CTR mode, AES-NI for x86 architecture, ChaCha20 (stream cipher) | RSA-2048/4096 |
| Medusa [2] | AES-256 | RSA-2048/4096 |
| RansomHub [3] | AES-CBC or AES-GCM | ECC with Curve25519 (256-bit ECC is roughly equivalent to 3072-bit RSA) |
| DragonForce [4] | ChaCha8 (stream cipher) | RSA-4096 |
| LockBit 3.0 [5] | Salsa20 (stream cipher) | RSA-1024 |
| Lynx [6] | AES-128 CTR mode | ECC with Curve25519 |
Wiper Malware Families
In another use case, adversaries abuse data encryption to destroy victims' data. In data destruction attacks, adversaries irreversibly encrypt files with keyless encryption techniques, never retaining a key that could reverse the operation, and leave their victims with no way to decrypt their files. Geopolitical tensions around the world have driven the rise of data wiper malware.
Here are some recent wiper malware examples:
- Anubis Ransomware (includes a wiper mode) [7]
- Sandworm APT (deploying ZEROLOT and Sting wiper malware) [8]
- PathWiper Malware [9]
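Whether files are encrypted for ransom or wiped, the observable outcome on disk is the same: document content that used to be structured and low-entropy is replaced by data that is either near-random or blank. The following Go program is an added detection example (not code from the page or from any vendor) that scores file content the way a file-integrity or EDR heuristic would. It combines Shannon entropy with a check of the expected file signature, because compressed formats such as ZIP and PNG are high-entropy by design and would otherwise produce false positives. The `knownMagic` table is a constructed subset, the 7.5 bits/byte threshold is an assumption, and all sample inputs are constructed inline.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"fmt"
	"math"
	"path/filepath"
	"strings"
)

// ShannonEntropy returns bits of entropy per byte (0 to 8). Encrypted or random
// data sits near 8; text, spreadsheets and most documents sit well below.
func ShannonEntropy(b []byte) float64 {
	if len(b) == 0 {
		return 0
	}
	var counts [256]int
	for _, c := range b {
		counts[c]++
	}
	n := float64(len(b))
	h := 0.0
	for _, c := range counts {
		if c == 0 {
			continue
		}
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// knownMagic is a constructed subset of file signatures (assumption); a real
// detector carries a far longer list. ZIP and PNG are high-entropy by design.
var knownMagic = map[string][]byte{
	".pdf": []byte("%PDF"),
	".png": {0x89, 'P', 'N', 'G'},
	".zip": {'P', 'K', 0x03, 0x04},
}

// EntropyThreshold (bits/byte) above which content looks encrypted or random.
const EntropyThreshold = 7.5

type Verdict struct {
	Entropy       float64
	MagicMismatch bool // extension has a known signature that is no longer present
	Suspicious    bool
}

// Assess flags a file when its expected signature has been destroyed (which
// also catches a wiper that zeroes files) or when the content looks encrypted
// and the extension gives no reason to expect high entropy.
func Assess(name string, data []byte) Verdict {
	v := Verdict{Entropy: ShannonEntropy(data)}
	ext := strings.ToLower(filepath.Ext(name))
	magic, known := knownMagic[ext]
	if known {
		v.MagicMismatch = !bytes.HasPrefix(data, magic)
	}
	highEntropy := v.Entropy > EntropyThreshold
	v.Suspicious = v.MagicMismatch || (highEntropy && !known)
	return v
}

// RandomBlob stands in for an encrypted file body (constructed sample).
func RandomBlob(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// TextBlob stands in for an ordinary office document (constructed sample).
func TextBlob() []byte {
	return []byte(strings.Repeat("Quarterly figures are attached for review. ", 200))
}

func main() {
	samples := []struct {
		name string
		data []byte
	}{
		{"report.pdf", append([]byte("%PDF-1.7\n"), TextBlob()...)},            // intact document
		{"report.pdf", RandomBlob(8192)},                                       // encrypted in place
		{"report.pdf", make([]byte, 8192)},                                     // zeroed by a wiper
		{"backup.zip", append([]byte{'P', 'K', 0x03, 0x04}, RandomBlob(8192)...)}, // legitimate archive
		{"notes.txt", RandomBlob(8192)},                                        // encrypted text file
	}
	for _, s := range samples {
		v := Assess(s.name, s.data)
		fmt.Printf("%-10s entropy=%.2f magicMismatch=%v suspicious=%v\n",
			s.name, v.Entropy, v.MagicMismatch, v.Suspicious)
	}
}
```

In production the same score is tracked per process over time: a single high-entropy write is normal, but one process rewriting hundreds of documents into near-random content within seconds is the T1486 signal worth alerting on.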
Built-in Windows APIs for Encryption
Windows ships built-in cryptographic APIs that expose both symmetric and asymmetric algorithms such as DES, 3DES, RC2, RC4, and RSA. Adversaries abuse this feature in their data encryption operations. For example, BlueSky and Nefilim abuse Microsoft's Enhanced Cryptographic Provider to import cryptographic keys and encrypt data with the following API functions [10], [11]:
- Initializing and connecting to the cryptographic service provider: CryptAcquireContext
- Calculating the hash of the plaintext key: CryptCreateHash, CryptHashData
- Creating the session key: CryptDeriveKey
- Encrypting data: CryptEncrypt
- Clearing tracks: CryptDestroyHash, CryptDestroyKey, CryptReleaseContext
Ransomware operators frequently query unique system information to generate distinct identifiers for infected hosts. These identifiers allow them to track compromised systems and manage the encryption and decryption processes.
For example, an analysis from March 2025 revealed that the Earth Alux APT group queries the MachineGUID value from the Windows Registry [12], utilizing it as a persistent, unique identifier for each target host.
Registry key: HKLM\SOFTWARE\Microsoft\Cryptography (value: MachineGUID)
References
[1] K. Dunham, “Lessons from Qilin: What the Industry’s Most Efficient Ransomware Teaches Us,” Qualys, Jun. 18, 2025. Available: https://blog.qualys.com/vulnerabilities-threat-research/2025/06/18/qilin-ransomware-explained-threats-risks-defenses. [Accessed: Dec. 22, 2025]
[2] “Medusa.” Available: https://www.halcyon.ai/threat-group/medusa. [Accessed: Dec. 22, 2025]
[3] S. Ö. Hacıoğlu, “RansomHub: Analyzing the TTPs of One of the Most Notorious Ransomware Variants of 2024,” Feb. 18, 2025. Available: https://www.picussecurity.com/resource/blog/ransomhub. [Accessed: Nov. 04, 2025]
[4] S. Ö. Hacıoğlu, “Retail Under Fire: Inside the DragonForce Ransomware Attacks on Industry Giants,” May 02, 2025. Available: https://www.picussecurity.com/resource/blog/dragonforce-ransomware-attacks-retail-giants. [Accessed: Nov. 03, 2025]
[5] P. Labs, “The LockBit Comeback: How the Group Evolved After a Global Takedown,” Dec. 05, 2025. Available: https://www.picussecurity.com/resource/blog/the-lockbit-comeback-how-the-group-evolved-after-a-global-takedown. [Accessed: Dec. 22, 2025]
[6] F. Chassignol, “Lynx ransomware: INC’s successor revolutionizes double extortion,” SOS Ransomware, Sep. 05, 2025. Available: https://sosransomware.com/en/ransomware-groups/lynx-ransomware-incs-successor-revolutionizes-double-extortion/. [Accessed: Dec. 22, 2025]
[7] S. Ö. Hacıoğlu, “Anubis Ransomware Targets Global Victims with Wiper Functionality,” Jun. 27, 2025. Available: https://www.picussecurity.com/resource/blog/anubis-ransomware-targets-global-victims-with-wiper-functionality. [Accessed: Nov. 05, 2025]
[8] J.-I. Boutin, “ESET APT Activity Report Q2 2025–Q3 2025.” Available: https://www.welivesecurity.com/en/eset-research/eset-apt-activity-report-q2-2025-q3-2025/. [Accessed: Dec. 22, 2025]
[9] Available: https://www.trellix.com/blogs/research/dcom-abuse-and-network-erasure-with-trellix-ndr/. [Accessed: Dec. 22, 2025]
[10] S. Ozarslan, “How to Beat Nefilim Ransomware Attacks,” Dec. 03, 2020. Available: https://www.picussecurity.com/resource/blog/how-to-beat-nefilim-ransomware-attacks. [Accessed: Jan. 09, 2023]
[11] A. Unnikrishnan, “Technical Analysis of BlueSky Ransomware,” CloudSEK, Oct. 14, 2022. Available: https://cloudsek.com/technical-analysis-of-bluesky-ransomware/. [Accessed: Jan. 09, 2023]
[12] “The Espionage Toolkit of Earth Alux A Closer Look at its Advanced Techniques,” Trend Micro, Mar. 31, 2025. Available: https://www.trendmicro.com/ru_ru/research/25/c/the-espionage-toolkit-of-earth-alux.html. [Accessed: Dec. 22, 2025]
