Encrypt Files for Ransom (mobile)

EMA ID: ema-1122
Description: The 'encrypt files' Behavior encrypts one or more files on the system on which the malware instance is executing, to make them unavailable for use by the users of the system.

This is currently an ATT&CK Mobile technique. For malware, it should be extended to ATT&CK Enterprise.

A better name might be "Encrypt Files."

Associated Attributes: Common: applicable platform, Common: encryption algorithm, Common: technique
Associated Capabilities/Subcapabilities: Effects

Notes: The encryption process usually follows the general pattern:
  • Iterate over all drive letters on the system (except for CD drives)
  • Recursively encrypt all files with specific suffixes
Associated With: Encrypt Files for Ransom (mobile)
CryptoAPI