MITRE ATT&CK · TA0040 Impact

T1486 Data Encrypted for Impact

Detection coverage in DCV across AWS, Azure and GCP for Data Encrypted for Impact, plus the corresponding Sigma rules in the CloudSigma library. Source data refreshed 2026-04-24.

01 What is T1486?

Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.

In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted (and often renamed and/or tagged with specific file markers). Adversaries may need to first employ other behaviors, such as File and Directory Permissions Modification or System Shutdown/Reboot, in order to unlock and/or gain access to manipulate these files. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR. Adversaries may also encrypt virtual machines hosted on ESXi or other hypervisors.

To maximize impact on the target organization, malware designed for encrypting data may have worm-like features to propagate across a network by leveraging other attack techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares. Encryption malware may also leverage Internal Defacement, such as changing victim wallpapers or ESXi server login messages, or otherwise intimidate victims by sending ransom notes or other messages to connected printers (known as "print bombing").

In cloud environments, storage objects within compromised accounts may also be encrypted. For example, in AWS environments, adversaries may leverage services such as AWS’s Server-Side Encryption with Customer Provided Keys (SSE-C) to encrypt data.

Platforms: ESXi, IaaS, Linux, macOS, Windows.

02 Coverage in DCV

DCV maps 48 detections across 2 cloud providers to T1486. Coverage by source:

Source                        Cloud   Findings mapped   Avg confidence
AWS Config Rules              AWS     21                0.65
AWS Security Hub              AWS     16                0.80
AWS GuardDuty                 AWS     8                 0.88
GCP Security Command Center   GCP     2                 0.77
GCP Chronicle                 GCP     1                 0.95

03 Detect with CloudSigma

CloudSigma ships 3 production-ready Sigma rules that detect T1486 across 3 platforms. Every rule below is validated against its source SIEM dialect before publication.

Example: AWS Suspicious Encryption Key Operations for Ransomware Impact

This rule is currently experimental. CloudSigma generated it from upstream threat intelligence; before enabling in production, tune the falsepositives section in your SIEM against your environment's known automation, service accounts and IP allowlist.

Sigma rule · CloudSigma 2026-02-06
title: AWS Suspicious Encryption Key Operations for Ransomware Impact
id: bf7f980e-c07b-47e8-97df-e7a7ae0c4a05
status: experimental
description: Detects suspicious encryption operations including applying custom encryption to S3 buckets and KMS key operations
  that may indicate data encryption for impact. Adversaries may encrypt data to render it inaccessible.
author: CloudSigma
date: 2026-02-06
references:
- https://attack.mitre.org/techniques/T1486/
- https://docs.aws.amazon.com/kms/latest/developerguide/overview.html
tags:
- attack.impact
- attack.t1486
logsource:
  product: aws
  service: cloudtrail
detection:
  selection_s3:
    eventSource: s3.amazonaws.com
    eventName:
    - PutBucketEncryption
  selection_kms:
    eventSource: kms.amazonaws.com
    eventName:
    - CreateKey
    - DisableKeyRotation
  condition: selection_s3 or selection_kms
falsepositives:
- Legitimate encryption configuration by security teams
- Automated key management operations
level: medium
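
To make the rule's logic concrete, the following Python evaluates its detection block against a handful of CloudTrail-style records: each selection ANDs its field/value pairs (a list value means "any of"), and the condition ORs the two selections. This is an added example, not code from CloudSigma or DCV; the sample events, the account id and the allowlisted automation role are constructed to illustrate the kind of falsepositives tuning the note above asks for.

```python
"""Evaluate the detection block of the rule above against sample CloudTrail
records. Added example, not CloudSigma's or DCV's own code; sample events
and the automation allowlist are constructed for illustration."""

from typing import Any

# The rule's detection block, transcribed as Python data. Sigma maps each
# key to a field of the log record; a list of values means "any of these".
DETECTION = {
    "selection_s3": {
        "eventSource": "s3.amazonaws.com",
        "eventName": ["PutBucketEncryption"],
    },
    "selection_kms": {
        "eventSource": "kms.amazonaws.com",
        "eventName": ["CreateKey", "DisableKeyRotation"],
    },
}
CONDITION = ("selection_s3", "selection_kms")  # "selection_s3 or selection_kms"


def field_matches(record: dict[str, Any], field: str, expected: Any) -> bool:
    """Sigma semantics: a scalar must be equal; a list matches if any value is equal."""
    actual = record.get(field)
    if isinstance(expected, list):
        return actual in expected
    return actual == expected


def selection_matches(record: dict[str, Any], selection: dict[str, Any]) -> bool:
    """All field/value pairs inside one selection are ANDed."""
    return all(field_matches(record, f, v) for f, v in selection.items())


def rule_matches(record: dict[str, Any]) -> list[str]:
    """Names of the selections that fire for this record (empty = rule does not match)."""
    return [name for name in CONDITION if selection_matches(record, DETECTION[name])]


# Hypothetical allowlist of automation principals (constructed value). This is
# the tuning the rule's falsepositives section points at: known key-management
# automation should not page anyone.
KNOWN_AUTOMATION = {"arn:aws:iam::111122223333:role/kms-rotation-automation"}


def is_alert(record: dict[str, Any]) -> bool:
    """Alert only when the rule matches and the caller is not a known automation identity."""
    if not rule_matches(record):
        return False
    actor = record.get("userIdentity", {}).get("arn", "")
    return actor not in KNOWN_AUTOMATION


# Constructed CloudTrail-style records, trimmed to the fields the rule reads.
SAMPLE_EVENTS = [
    # 0: bucket-level encryption change by a human user -> alert
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketEncryption",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    # 1: rule matches, but the caller is allowlisted automation -> suppressed
    {"eventSource": "kms.amazonaws.com", "eventName": "DisableKeyRotation",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/kms-rotation-automation"}},
    # 2: ordinary KMS use, not in the rule's eventName list -> no match
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    # 3: eventName from selection_kms but eventSource from selection_s3 ->
    #    no match, because fields within a selection are ANDed
    {"eventSource": "s3.amazonaws.com", "eventName": "CreateKey",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
]


def alerts(records: list[dict[str, Any]]) -> list[int]:
    """Indexes of the records that should raise an alert."""
    return [i for i, r in enumerate(records) if is_alert(r)]


if __name__ == "__main__":
    for i, rec in enumerate(SAMPLE_EVENTS):
        print(i, rec["eventSource"], rec["eventName"],
              "selections:", rule_matches(rec), "alert:", is_alert(rec))
    print("alerting records:", alerts(SAMPLE_EVENTS))
```

Record 3 is the one worth noticing when tuning: a rule written as two separate selections does not fire on a cross-combination of their values, so widening either list (for example adding further KMS operations) only changes the selection it belongs to. The allowlist check sits outside the Sigma logic on purpose; it is the per-environment tuning the note above asks for, not part of the published rule.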

04 Related techniques

Sources
  • MITRE ATT&CK, https://attack.mitre.org/techniques/T1486/
  • MITRE Tactic TA0040 Impact, https://attack.mitre.org/tactics/TA0040/
  • MITRE Center for Threat-Informed Defense, Security Stack Mappings (https://center-for-threat-informed-defense.github.io/security-stack-mappings/)
Last verified: 2026-04-24