The Most Common Ransomware TTP - MITRE ATT&CK T1486 Data Encrypted for Impact

Ransomware is a major cyber threat to organizations and individuals around the world. Every day, its techniques and potency are improving. In our previous blog post, we talked about recent ransomware trends that are on the rise. In this blog post, we explained the most used MITRE ATT&CK technique used by ransomware in detail.

The Red Report 2023 The 10 Most Prevalent MITRE ATT&CK Techniques Used by Adversaries

T1486 Data Encrypted for Impact

While a small portion of ransomware are categorized as locker-ransomware, the majority of ransomware are categorized as crypto-ransomware. Crypto-ransomware utilizes encryption algorithms that are practically impossible to break when implemented correctly. According to the MITRE ATT&CK framework, this technique is called T1486 Data Encrypted for Impact, which covers encrypting data on target systems by threat actors to prevent access to the system and network resources. These attacks may be profit-oriented, as in ransomware attacks, or purely destructive in nature. This technique is the most distinctive ATTACK technique used by ransomware.

Numerous ransomware attacks have demonstrated that an organization's ability to operate is significantly impacted when its data is encrypted. Due to the increasing volume and impact of ransomware attacks in 2023, this technique makes a rapid entry to third place in The Red Report 2023 Top Ten MITRE ATTACK Techniques list.

In recent ransomware samples, adversaries use multiple encryption algorithms to maximize both encryption performance and security effectiveness. Moreover, this approach does not require an internet connection from the victim system for encryption. Use of multiple encryption algorithms is called the hybrid encryption approach. In the hybrid encryption approach, a ransomware executable encrypts files with a symmetric (secret key) encryption algorithm, then encrypts the secret key used in the symmetric encryption with an asymmetric (public key) encryption algorithm. Let’s define symmetric encryption and asymmetric encryption before explaining the hybrid encryption approach.

Symmetric (secret key) encryption

In symmetric encryption algorithms, the same secret key is used to encrypt and decrypt the data. This is why it is also known as secret key encryption. Usually, symmetric encryption is significantly faster than asymmetric encryption and it is best suited for bulk encryption of large amounts of data. Therefore, symmetric encryption is ideal for encrypting thousands of files in a short period, as required by ransomware. Moreover, symmetric algorithms generally provide a smaller file size that allows for faster transmissions and requires less storage space.

Despite its strong performance and high efficiency, symmetric encryption has two main limitations:

• Key Distribution Problem: Confidentiality of the secret key in symmetric encryption is paramount. The encrypted files stay confidential to ransomware operators as long as the secret key is kept secret. However, securely distributing the secret key is challenging. For ransomware attacks, this limitation appears as keeping the secret key in the victim machine. A security researcher can find the secret key, and because it is not encrypted, create a tool for decrypting the files using the secret key.

• Key Management Problem: Ransomware operators must generate a different secret key for each victim machine and keep track of each secret key. As ransomware spreads, key management gets more difficult with the increased number of victims. Using the same secret key is a huge risk for the ransomware operators. If they use the same key for all machines and the secret key is revealed on one of the machines, all files encrypted by the ransomware can be decrypted by using the revealed key.

Asymmetric (public key) encryption

In asymmetric encryption algorithms, the encryption and decryption processes involve two keys called public and private key pairs. The public key is used to encrypt the data and the corresponding private key is used to decrypt the encrypted data. Asymmetric encryption is also called public key encryption. 

The public key may be left in the victim machine because it is useless for the decryption process. The private key is not required to be stored and can be generated later. Therefore, asymmetric encryption does not share key distribution and management problems of symmetric encryption.

Despite these advantages, asymmetric encryption is usually significantly slower than symmetric encryption and requires more computing sources.

Hybrid encryption approach

Ransomware developers combine symmetric and asymmetric encryptions, a hybrid encryption approach, to eliminate the disadvantages of symmetric and asymmetric encryption techniques. 

• They use a symmetric key algorithm for bulk encryption of files in the victim system, and use an asymmetric key algorithm to encrypt the secret key used by the symmetric algorithm. 
• Therefore, ransomware developers leverage encryption performance of symmetric encryption while also utilizing strong security of asymmetric encryption.

The below table shows the symmetric and asymmetric encryption algorithms used by ransomware threat actors. 

• AES (Advanced Encryption Standard), Salsa20, ChaCha20, RC4, and ChaCha8 are symmetric key algorithms, and 
• RSA and ECDH (Elliptic Curve Diffie-Hellman) are asymmetric key algorithms used by adversaries.

Figure 1: Encryption algorithms used by Ransomware

How does ransomware encrypt victim assets? 

Ransomware mainly uses Windows APIs for both symmetric and asymmetric encryption algorithms. For example, Nefilim abuses Microsoft's Enhanced Cryptographic Provider to import cryptographic keys and encrypt data. The API functions used to encrypt data and clear tracks are listed below.

• Initializing and connecting to the cryptographic service provider: CryptAcquireContext
• Calculating hash of the plain text key: CryptCreateHash, CryptHashData
• Creating the session key: CryptDeriveKey
• Encrypt data: CryptEncrypt
• Clear tracks: CryptDestroyHash, CryptDestroyKey, CryptReleaseContext

Learn more about Ransomware

Purple Academy by Picus has a new learning path about Ransomware. Check out our course on Ransomware Attacks: Basics, TTPs, and Countermeasures Course.

Ransomware Attacks: Basics, TTPs, and Countermeasures Course