1. Home
  2. Techniques
  3. Mobile
  4. Data Encrypted for Impact

Data Encrypted for Impact

An adversary may encrypt files stored on the mobile device to prevent the user from accessing them, for example with the intent of only unlocking access to the files after a ransom is paid. Without escalated privileges, the adversary is generally limited to only encrypting files in external/shared storage locations. This technique has been demonstrated on Android. We are unaware of any demonstrated use on iOS.

ID: T1471
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactic: Impact
Platforms: Android
MTC ID: APP-28
Version: 3.0
Created: 25 October 2017
Last Modified: 01 October 2019

Procedure Examples

ID Name Description
S0422 Anubis

Anubis can use its ransomware module to encrypt device data and hold it for ransom.[1]
S0298 Xbot

Xbot can encrypt the victim's files in external storage (e.g., SD card) and then request a PayPal cash card as ransom.[2]

Mitigations

ID Mitigation Description
M1005 Application Vetting

A static analysis approach may be able to identify ransomware apps that encrypt user files on the device.[3]

References

  1. M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020.
  2. Cong Zheng, Claud Xiao and Zhi Xu. (2016, February 18). New Android Trojan “Xbot” Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom. Retrieved December 21, 2016.
  1. Federico Maggi and Stefano Zanero. (2016). Pocket-Sized Badness - Why Ransomware Comes as a Plot Twist in the Cat-Mouse Game. Retrieved December 21, 2016.