Free Trial
|
Login
Free Trial
Login
Platform
Platform
I want to
report
WHITEPAPER Picus Red Report 2025
white paper
DATASHEET Security Validation Platform
Use Cases
Use Cases
Frameworks
Group
WHITEPAPER Building a Robust Defense-in-Depth Strategy with Breach and Attack Simulation (BAS)
Paper Icons
E-BOOK An Introduction to Exposure Validation
Research
RESEARCH
LEARNING
whitepaper
Whitepaper Modernize Your SOC with Breach and Attack Simulation
report (1)
REPORT Blue Report: Effective Threat Exposure Management
Resources
RESOURCES
LEARNING
Group
WHITEPAPER Double Your Threat Blocking in 90 Days
Paper Icons
E-BOOK An Introduction to Exposure Validation
Company
COMPANY
PARTNERS
webinar
REGISTER NOW: Assessing Your Zero Trust Program with "Assume Breach" Mindset
Data sheet
DATASHEET The Pioneer of Breach & Attack Simulation
GET A DEMO
Suleyman Ozarslan, PhD | 4 MIN READ

LAST UPDATED ON OCTOBER 23, 2024

The Most Common Ransomware TTP - MITRE ATT&CK T1486 Data Encrypted for Impact

Ransomware is a major cyber threat to organizations and individuals around the world. Every day, its techniques and potency are improving. In our previous blog post, we talked about recent ransomware trends that are on the rise. In this blog post, we explained the most used MITRE ATT&CK technique used by ransomware in detail.

RedReport2024-mockup-small

 

  

The Red Report 2024
The 10 Most Prevalent MITRE ATT&CK Techniques Used by Adversaries

DOWNLOAD NOW

T1486 Data Encrypted for Impact

While a small portion of ransomware are categorized as locker-ransomware, the majority of ransomware are categorized as crypto-ransomware. Crypto-ransomware utilizes encryption algorithms that are practically impossible to break when implemented correctly. According to the MITRE ATT&CK framework, this technique is called T1486 Data Encrypted for Impact, which covers encrypting data on target systems by threat actors to prevent access to the system and network resources. These attacks may be profit-oriented, as in ransomware attacks, or purely destructive in nature. This technique is the most distinctive ATTACK technique used by ransomware.

Numerous ransomware attacks have demonstrated that an organization's ability to operate is significantly impacted when its data is encrypted. Due to the increasing volume and impact of ransomware attacks in 2023, this technique makes a rapid entry to third place in The Red Report 2023 Top Ten MITRE ATTACK Techniques list.

In recent ransomware samples, adversaries use multiple encryption algorithms to maximize both encryption performance and security effectiveness. Moreover, this approach does not require an internet connection from the victim system for encryption. Use of multiple encryption algorithms is called the hybrid encryption approach. In the hybrid encryption approach, a ransomware executable encrypts files with a symmetric (secret key) encryption algorithm, then encrypts the secret key used in the symmetric encryption with an asymmetric (public key) encryption algorithm. Let’s define symmetric encryption and asymmetric encryption before explaining the hybrid encryption approach.

Symmetric (secret key) encryption

In symmetric encryption algorithms, the same secret key is used to encrypt and decrypt the data. This is why it is also known as secret key encryption. Usually, symmetric encryption is significantly faster than asymmetric encryption and it is best suited for bulk encryption of large amounts of data. Therefore, symmetric encryption is ideal for encrypting thousands of files in a short period, as required by ransomware. Moreover, symmetric algorithms generally provide a smaller file size that allows for faster transmissions and requires less storage space.

Despite its strong performance and high efficiency, symmetric encryption has two main limitations:

  • Key Distribution Problem: Confidentiality of the secret key in symmetric encryption is paramount. The encrypted files stay confidential to ransomware operators as long as the secret key is kept secret. However, securely distributing the secret key is challenging. For ransomware attacks, this limitation appears as keeping the secret key in the victim machine. A security researcher can find the secret key, and because it is not encrypted, create a tool for decrypting the files using the secret key.

  • Key Management Problem: Ransomware operators must generate a different secret key for each victim machine and keep track of each secret key. As ransomware spreads, key management gets more difficult with the increased number of victims. Using the same secret key is a huge risk for the ransomware operators. If they use the same key for all machines and the secret key is revealed on one of the machines, all files encrypted by the ransomware can be decrypted by using the revealed key.

Asymmetric (public key) encryption

In asymmetric encryption algorithms, the encryption and decryption processes involve two keys called public and private key pairs. The public key is used to encrypt the data and the corresponding private key is used to decrypt the encrypted data. Asymmetric encryption is also called public key encryption

The public key may be left in the victim machine because it is useless for the decryption process. The private key is not required to be stored and can be generated later. Therefore, asymmetric encryption does not share key distribution and management problems of symmetric encryption.

Despite these advantages, asymmetric encryption is usually significantly slower than symmetric encryption and requires more computing sources.

Hybrid encryption approach

Ransomware developers combine symmetric and asymmetric encryptions, a hybrid encryption approach, to eliminate the disadvantages of symmetric and asymmetric encryption techniques. 

  • They use a symmetric key algorithm for bulk encryption of files in the victim system, and use an asymmetric key algorithm to encrypt the secret key used by the symmetric algorithm. 
  • Therefore, ransomware developers leverage encryption performance of symmetric encryption while also utilizing strong security of asymmetric encryption.

The below table shows the symmetric and asymmetric encryption algorithms used by ransomware threat actors. 

  • AES (Advanced Encryption Standard), Salsa20, ChaCha20, RC4, and ChaCha8 are symmetric key algorithms, and 
  • RSA and ECDH (Elliptic Curve Diffie-Hellman) are asymmetric key algorithms used by adversaries.

Figure 1: Encryption algorithms used by Ransomware

How does ransomware encrypt victim assets? 

Ransomware mainly uses Windows APIs for both symmetric and asymmetric encryption algorithms. For example, Nefilim abuses Microsoft's Enhanced Cryptographic Provider to import cryptographic keys and encrypt data. The API functions used to encrypt data and clear tracks are listed below.

  • Initializing and connecting to the cryptographic service provider: CryptAcquireContext
  • Calculating hash of the plain text key: CryptCreateHash, CryptHashData
  • Creating the session key: CryptDeriveKey
  • Encrypt data: CryptEncrypt
  • Clear tracks: CryptDestroyHash, CryptDestroyKey, CryptReleaseContext

Learn more about Ransomware

Purple Academy by Picus has a new learning path about Ransomware. Check out our course on Ransomware Attacks: Basics, TTPs, and Countermeasures Course.

Ransomware Attacks: Basics, TTPs, and Countermeasures Course

Table of Contents

Retail Under Fire: Inside the DragonForce Ransomware Attacks on Industry Giants
Emerging Threat Retail Under Fire: Inside the DragonForce Ransomware Attacks on Industry Giants
Learn More
CVE-2025-31324: SAP NetWeaver Remote Code Execution Vulnerability Explained
Emerging Threat CVE-2025-31324: SAP NetWeaver Remote Code Execution Vulnerability Explained
Learn More
cve-2025-32433-erlang
Emerging Threat CVE-2025-32433: Erlang/OTP SSH Remote Code Execution Vulnerability Explained
Learn More
CVE-2025-22457: Ivanti Remote Code Execution Vulnerability Explained
Emerging Threat CVE-2025-22457: Ivanti Remote Code Execution Vulnerability Explained
Learn More
IngressNightmare: Ingress NGINX Remote Code Execution Vulnerability Explained
Emerging Threat IngressNightmare: Ingress NGINX Remote Code Execution Vulnerability Explained
Learn More
CVE-2025-29927: Next.js Middleware Bypass Vulnerability Explained
Emerging Threat CVE-2025-29927: Next.js Middleware Bypass Vulnerability Explained
Learn More
Medusa Ransomware Analysis, Simulation, and Mitigation - CISA Alert AA25-071A
Emerging Threat Medusa Ransomware Analysis, Simulation, and Mitigation - CISA Alert AA25-071A
Learn More
Ghost (Cring) Ransomware Analysis, Simulation, and Mitigation - CISA Alert AA25-050A
Emerging Threat Ghost (Cring) Ransomware Analysis, Simulation, and Mitigation - CISA Alert AA25-050A
Learn More
Microsoft Active Directory Domain Services CVE-2025-21293 Vulnerability Explained
Emerging Threat Microsoft Active Directory Domain Services CVE-2025-21293 Vulnerability Explained
Learn More