T1486 is data encryption for impact: the canonical ransomware technique. Cloud variants include attackers using customer-managed KMS keys to re-encrypt S3 objects, Azure blob containers re-encrypted with attacker-controlled keys, and Google Cloud Storage object replacement. DCV separates T1486 from T1485 via the KMS lifecycle: GCP KMS_KEY_DESTROYED and FSBP KMS controls flag the encryption-key abuse path. Cloud ransomware is a different problem from endpoint ransomware; the detection axis is the key lifecycle, not file activity.
Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted (and often renamed and/or tagged with specific file markers). Adversaries may need to first employ other behaviors, such as File and Directory Permissions Modification or System Shutdown/Reboot, in order to unlock and/or gain access to manipulate these files. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR. Adversaries may also encrypt virtual machines hosted on ESXi or other hypervisors.
To maximize impact on the target organization, malware designed for encrypting data may have worm-like features to propagate across a network by leveraging other attack techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares. Encryption malware may also leverage Internal Defacement, such as changing victim wallpapers or ESXi server login messages, or otherwise intimidate victims by sending ransom notes or other messages to connected printers (known as "print bombing").
In cloud environments, storage objects within compromised accounts may also be encrypted. For example, in AWS environments, adversaries may leverage services such as AWS’s Server-Side Encryption with Customer Provided Keys (SSE-C) to encrypt data.
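To make the "key lifecycle, not file activity" axis concrete, the following is an added example (not DCV, CloudSigma or ATT&CK code) that runs two checks over constructed CloudTrail-style records: a KMS key-lifecycle call that can make data unrecoverable, and a burst of S3 writes with customer-provided keys (SSE-C) by one principal. The record shapes, the `SSEApplied == "SSE_C"` value and all ARNs are assumptions, not values from this page.

```python
from collections import Counter

# Constructed CloudTrail-style records for illustration only. Field names follow the
# CloudTrail schema; "SSE_C" as the additionalEventData.SSEApplied value for
# customer-provided keys is an assumption here.
def s3_event(actor, name, key, sse):
    return {"eventSource": "s3.amazonaws.com", "eventName": name,
            "userIdentity": {"arn": actor},
            "requestParameters": {"bucketName": "finance-data", "key": key},
            "additionalEventData": {"SSEApplied": sse}}

def kms_event(actor, name, key_id):
    return {"eventSource": "kms.amazonaws.com", "eventName": name,
            "userIdentity": {"arn": actor},
            "requestParameters": {"keyId": key_id}}

SUSPECT = "arn:aws:iam::111122223333:user/compromised-user"  # constructed
ADMIN = "arn:aws:iam::111122223333:role/platform-admin"      # constructed
KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"  # placeholder

SAMPLE_EVENTS = [
    s3_event(SUSPECT, "CopyObject", "q1.xlsx", "SSE_C"),   # in-place re-encryption
    s3_event(SUSPECT, "CopyObject", "q2.xlsx", "SSE_C"),
    s3_event(SUSPECT, "CopyObject", "q3.xlsx", "SSE_C"),
    kms_event(SUSPECT, "ScheduleKeyDeletion", KEY),        # key lifecycle abuse
    s3_event(ADMIN, "PutObject", "report.pdf", "SSE_KMS"),  # benign, account key
    kms_event(ADMIN, "CreateKey", KEY),                     # benign lifecycle call
]

# KMS calls that remove the ability to decrypt; CreateKey is deliberately absent.
KMS_LIFECYCLE = {"ScheduleKeyDeletion", "DisableKey", "DeleteImportedKeyMaterial"}

def detect(events, sse_c_threshold=3):
    """Return (rule, actor, detail) findings keyed on encryption-key behaviour."""
    findings, sse_c_writes = [], Counter()
    for e in events:
        actor = e.get("userIdentity", {}).get("arn", "unknown")
        src, name = e.get("eventSource"), e.get("eventName")
        if src == "kms.amazonaws.com" and name in KMS_LIFECYCLE:
            key_id = e.get("requestParameters", {}).get("keyId", "?")
            findings.append(("kms_key_lifecycle", actor, f"{name} on {key_id}"))
        elif (src == "s3.amazonaws.com" and name in {"PutObject", "CopyObject"}
              and e.get("additionalEventData", {}).get("SSEApplied") == "SSE_C"):
            sse_c_writes[actor] += 1  # count per principal, alert on a burst
    for actor, n in sse_c_writes.items():
        if n >= sse_c_threshold:
            findings.append(("s3_sse_c_burst", actor, f"{n} SSE-C writes"))
    return findings
```

Tune `sse_c_threshold` against your own baseline: legitimate SSE-C use is rare in most accounts, so even a low threshold tends to be quiet.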
Platforms: ESXi, IaaS, Linux, macOS, Windows.
DCV maps 48 detections across 2 cloud providers to T1486. Coverage by source:
| Source | Cloud | Findings mapped | Avg confidence |
|---|---|---|---|
| AWS Config Rules | AWS | 21 | 0.65 |
| AWS Security Hub | AWS | 16 | 0.80 |
| AWS GuardDuty | AWS | 8 | 0.88 |
| GCP Security Command Center | GCP | 2 | 0.77 |
| GCP Chronicle | GCP | 1 | 0.95 |
CloudSigma has coverage metadata for 48 T1486 rules across 3 platforms. The linked platform page remains the canonical rule surface; this page will embed an example after a rule clears the public embed bar.
CloudSigma has coverage metadata for T1486, but no public example rule clears the embed bar for this page yet. Generate a fresh starting-point rule in CloudSigma from the relevant advisory or threat-research input, then validate it against your local telemetry before enabling it in production.
DCV maps 48 cloud-native detections to T1486 across 2 cloud providers, drawn from AWS Config Rules, AWS GuardDuty, AWS Security Hub, GCP Chronicle and GCP Security Command Center.
T1486 belongs to the MITRE ATT&CK tactic TA0040 Impact, which covers how adversaries disrupt or destroy systems and data.
CloudSigma ships 3 validated Sigma rules for T1486 across AWS CloudTrail, Azure Activity and GCP Audit Logs. Each rule is validated against its source SIEM dialect before publication.