Global ransomware victims climbed to 8,159 in 2025 — a 50% increase over 2024. Despite significant law enforcement disruptions against LockBit and the collapse of RansomHub in April 2025, 45 new ransomware groups emerged during the year, and the monthly average rose from ~420 victims in mid-2024 to ~535 in the same period of 2025. The Picus Red Report 2026, however, found a 38% year-over-year decrease in T1486 usage across malware samples — reflecting a strategic shift toward data theft and extortion without encryption, not a decline in ransomware overall.
T1486 is categorized under the Impact tactic in MITRE ATT&CK. It describes adversaries encrypting data on target systems or across entire networks to interrupt availability and extort victims. While the technique is synonymous with ransomware, it also encompasses destructive encryption — "wiper" attacks disguised as ransomware where no functional decryption key exists and the intent is permanent data destruction rather than payment collection.
The ransomware threat landscape in 2025-2026 is defined by two parallel trends that appear contradictory but are strategically coherent. On one hand, encryption-based ransomware attacks remain as prevalent as ever, with Qilin (946 exposures), Akira (717 exposures), and a resurgent LockBit 5.0 driving record victim counts. On the other hand, a growing number of threat actors are abandoning encryption entirely in favor of pure data theft and extortion — stealing sensitive data and threatening public release without ever deploying an encryptor. Groups like Cl0p (Snakefly) and ShinyHunters have pioneered this model, exploiting zero-day vulnerabilities in enterprise file transfer platforms to exfiltrate data at scale. Both approaches share the same objective: financial extortion. The difference is operational: encryption disrupts operations immediately and creates urgency, while theft-only extortion avoids the detection risks associated with deploying ransomware payloads across hundreds of endpoints.
How Data Encryption for Impact Works
The encryption phase is the culmination of an attack chain that typically spans days to weeks. By the time the encryptor runs, the attacker has already achieved their pre-encryption objectives:
Phase 1 — Pre-Encryption Preparation. Before deploying the encryptor, ransomware operators systematically disable the organization's ability to recover. This includes deleting Volume Shadow Copies (vssadmin delete shadows /all /quiet), disabling Windows Recovery Environment (bcdedit /set {default} recoveryenabled No), stopping backup services, deleting backup catalogs, and terminating processes that hold file locks on targeted data. Conti and Royal ransomware use the RmShutDown API to kill applications like databases and email servers that lock critical files. This phase also includes disabling endpoint protection through BYOVD (Bring Your Own Vulnerable Driver) attacks — Medusa's ABYSSWORKER driver and RansomHub's EDRKillShifter are purpose-built tools for neutralizing EDR agents before encryption begins.
Phase 2 — File Enumeration and Targeting. The encryptor enumerates the file system to identify targets. Typical targets include Office documents, PDFs, images, videos, databases (.sql, .mdb, .mdf), source code, email archives, and backup files. Sophisticated encryptors maintain exclusion lists to preserve system operability — skipping critical Windows system files, boot records (unless intentional), and the ransomware binary itself. File extension targeting, directory exclusion, and file size thresholds are all configurable in modern RaaS platforms.
Phase 3 — Encryption Execution. The encryptor applies a hybrid cryptographic scheme: a fast symmetric algorithm (AES-256, ChaCha20, or Salsa20) encrypts each file's contents, then the symmetric key is encrypted with an asymmetric algorithm (RSA-2048 or RSA-4096, or Curve25519 for newer variants) using the attacker's public key. This hybrid approach provides the speed of symmetric encryption with the key management security of asymmetric encryption — only the attacker's private key can decrypt the per-file symmetric keys. Encrypted files are typically renamed with a group-specific extension (.qilin, .akira, .lockbit, .medusa) and a ransom note is dropped in each affected directory.
Phase 4 — Propagation. To maximize impact, ransomware spreads laterally across the network. WannaCry and NotPetya used worm-like propagation via the EternalBlue SMB exploit (MS17-010). Modern ransomware operators propagate through Valid Accounts (T1078) combined with SMB shares (T1021.002), PsExec, WMI, Group Policy Objects (GPOs), and remote management tools. BlackSuit campaigns have used Ansible to deploy ransomware across ESXi hosts, encrypting hundreds of virtual machines in a single operation. In cloud environments, attackers who compromise management consoles can encrypt S3 buckets using server-side encryption with customer-provided keys (SSE-C), as documented by Halcyon in January 2025.
Encryption Methods
Ransomware groups compete on encryption speed and security. Faster encryption means less time for defenders to detect and interrupt the attack. Stronger encryption means no possibility of recovery without the decryption key.
| Ransomware | Symmetric Algorithm | Asymmetric Algorithm | Notes |
|---|---|---|---|
| Qilin (Agenda) | AES-256-CTR or ChaCha20 | RSA-4096 | Rust-based variant harder to analyze. Configurable encryption modes: full, partial (first N bytes), or intermittent (every Nth block). |
| Akira | ChaCha20 | RSA-4096 | Cross-platform (Windows + Linux/ESXi). Uses intermittent encryption for speed. Demands $200K-$600K, often negotiates down. |
| LockBit 3.0/5.0 | AES-256 or ChaCha20 | RSA-2048 | Leaked builder spawned dozens of derivative strains (SuperBlack, BrainCipher). LockBit 5.0 released September 2025. |
| Medusa | AES-256 | RSA-2048 | Uses BYOVD (ABYSSWORKER) to disable EDR. 500+ victims as of January 2026. Lazarus/Stonefly now deploying Medusa. |
| RansomHub | Curve25519-based | Curve25519 | EDRKillShifter for defense evasion. Shut down April 2025; affiliates migrated to Qilin and DragonForce. |
| DragonForce | AES-256 | RSA-2048 | White-label RaaS "cartel" model. Affiliates can brand attacks as their own. 212% spike in June 2025. |
| Embargo | ChaCha20 | Curve25519 | Rust-based. Emerged May 2024. Custom tooling for EDR evasion and defense disabling. |
Intermittent encryption has become the dominant speed optimization strategy. Rather than encrypting entire files, the encryptor encrypts only portions — the first megabyte, every other 64KB block, or alternating sections. This produces encryption speeds that can process an entire enterprise file server in minutes rather than hours, drastically reducing the window for detection and response. The tradeoff is that partially encrypted files may be partially recoverable in certain cases, but for operational disruption purposes, a file that is 10% corrupted is just as unusable as one that is 100% encrypted.
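The partial and intermittent layouts described above leave a measurable fingerprint: ciphertext blocks sit near 8 bits of entropy per byte while ordinary document data sits far lower. The following is an added example, not code from the original article: it scores a file block by block and classifies the layout. The 64 KB block size comes from the text; the entropy thresholds and the constructed sample data are assumptions made for this example.

```python
"""Detect fully, partially or intermittently encrypted files by block entropy.

Added example, not from the original article: it scores each 64 KB block of a
file by Shannon entropy and classifies the layout. The 64 KB block size comes
from the text; the 7.5/6.0 bits-per-byte thresholds and the sample data are
assumptions made for this example.
"""
import math
import os
from collections import Counter

BLOCK_SIZE = 64 * 1024   # block granularity cited for intermittent encryption
HIGH_ENTROPY = 7.5       # bits/byte; ciphertext and random data sit near 8.0
LOW_ENTROPY = 6.0        # ordinary documents sit well below this


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def block_entropies(data: bytes, block_size: int = BLOCK_SIZE, min_block: int = 4096) -> list:
    """Entropy per block; a short trailing block is skipped because entropy
    estimates over a few hundred bytes are unreliable."""
    ents = []
    for i in range(0, len(data), block_size):
        chunk = data[i:i + block_size]
        if len(chunk) < min_block and ents:
            break
        ents.append(shannon_entropy(chunk))
    return ents


def classify(data: bytes) -> str:
    """Return 'plain', 'encrypted', 'partial', 'intermittent' or 'unknown'.

    Caveat: natively compressed formats (zip, jpeg, media) are high-entropy
    throughout and will score 'encrypted'; compare against the expected file
    type or a pre-incident baseline before alerting on them.
    """
    ents = block_entropies(data)
    if not ents:
        return "unknown"
    high = [e >= HIGH_ENTROPY for e in ents]
    low = [e <= LOW_ENTROPY for e in ents]
    if all(high):
        return "encrypted"
    if all(low):
        return "plain"
    if not (any(high) and any(low)):
        return "unknown"          # only mid-range blocks: no clear verdict
    transitions = sum(1 for a, b in zip(high, high[1:]) if a != b)
    if transitions == 1 and high[0]:
        return "partial"          # only the first N bytes are ciphertext-like
    if transitions >= 2:
        return "intermittent"     # high- and low-entropy blocks interleave
    return "unknown"


def make_sample(kind: str, blocks: int = 8) -> bytes:
    """Constructed test data: low-entropy text blocks, some replaced by random
    bytes (os.urandom, no real encryption) to mimic each encryption layout."""
    text = (b"Quarterly report: revenue, costs, headcount. " * 2000)[:BLOCK_SIZE]
    out = []
    for i in range(blocks):
        random_block = (kind == "encrypted"
                        or (kind == "intermittent" and i % 2 == 1)
                        or (kind == "partial" and i == 0))
        out.append(os.urandom(BLOCK_SIZE) if random_block else text)
    return b"".join(out)
```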
Target Environments
ESXi and Virtualization Infrastructure
VMware ESXi servers have become a primary target for ransomware operators because encrypting the hypervisor encrypts every virtual machine running on it — potentially taking down dozens of servers with a single encryptor execution. Akira, BlackSuit, LockBit, Play, and Scattered Spider (using BlackCat and DragonForce) all target ESXi specifically. Attack patterns include SSH tunneling to ESXi hosts, disabling the ESXi firewall, stopping virtual machine processes, and encrypting VMDK files. FIN7 deployed a customized Darkside variant specifically designed for ESXi disk encryption. Ansible-based mass deployment to ESXi hosts was observed in BlackSuit campaigns, automating encryption across entire virtualization clusters.
Cloud Infrastructure (IaaS)
Cloud ransomware represents the newest frontier. In January 2025, Halcyon documented attackers abusing AWS S3 server-side encryption with customer-provided keys (SSE-C) to encrypt cloud storage buckets. The attacker uploads their own encryption key through the AWS API, S3 encrypts the data using that key, and the original data becomes inaccessible without the attacker's key. Because SSE-C is a legitimate AWS feature, the encryption is performed by AWS infrastructure itself — there is no malicious binary, no file system anomaly, and no endpoint to detect. This pattern will extend to Azure Blob Storage and Google Cloud Storage as cloud adoption increases.
Operational Technology and Industrial Control Systems
While ransomware rarely encrypts OT/ICS devices directly, the convergence of IT and OT networks means that IT-side encryption regularly cascades into operational disruption. Manufacturing, transportation, and energy organizations have experienced production shutdowns, logistics paralysis, and service interruptions when enterprise IT systems that interface with OT environments are encrypted. The Dragos Q1 2025 report documented manufacturing and transportation as the two most targeted sectors, with IT disruptions consistently cascading into OT environments.
Real-World Case Studies
Qilin — The New Market Leader
Qilin (also known as Agenda) rose to become the most prolific ransomware operation in 2025, claiming 946 victims — more than any other group. Originally developed in Go, Qilin transitioned to a Rust-based variant that is harder to reverse-engineer and detect. The group employs a double-extortion model: data is exfiltrated before encryption, and victims who refuse to pay face both permanent data loss and public exposure on Qilin's leak site. Qilin gained access primarily through exploiting vulnerabilities in Fortinet VPNs and Veeam Backup & Replication, then used credential theft and lateral movement to position the encryptor across the network. The Synnovis healthcare breach in the UK demonstrated Qilin's willingness to target critical services. Following RansomHub's closure in April 2025, Qilin aggressively recruited displaced affiliates, with monthly victim counts rising from 36 in Q1 to approximately 75 by Q3 2025. Moonstone Sleet, a North Korean group, has been observed deploying Qilin ransomware — marking another convergence between nation-state operations and the criminal ransomware ecosystem.
LockBit 5.0 — The Comeback
LockBit, once responsible for 20-30% of all ransomware victim postings, was severely disrupted by Operation Cronos in early 2024. Law enforcement compromised the administration panel, seized data, and made arrests. The disruption appeared definitive. But LockBit's core administrator (LockBitSupp) evaded capture, and in September 2025, LockBit 5.0 (also called ChuongDong) was released with updated capabilities. Check Point Research confirmed the revived operation targeted at least a dozen organizations through September 2025. The LockBit 3.0 builder leak from 2022 continues to proliferate across the ecosystem — spawning derivative strains including SuperBlack, BrainCipher, SenSayQ, and EstateRansomware, all sharing identical payload structure and encryption methods with modified branding.
Medusa — From RaaS to Nation-State Crossover
Medusa ransomware evolved from a standard RaaS operation into a platform with nation-state involvement. Over 500 organizations have been victimized as of January 2026, across healthcare, education, legal, insurance, technology, and manufacturing sectors. Medusa's operational sophistication includes BYOVD attacks using the ABYSSWORKER driver (signed with revoked Chinese vendor certificates) to disable EDR agents, PowerShell with escalating evasion complexity, and certutil-based payload staging documented in the CISA advisory AA25-071A. The most significant development is the Lazarus Group subunit Stonefly's adoption of Medusa for extortion campaigns targeting U.S. healthcare and nonprofit organizations since late 2025, with an average ransom demand of $260,000. A Stonefly member, Rim Jong Hyok, was indicted in July 2025 with a $10 million reward offered. The convergence of North Korean espionage infrastructure with criminal ransomware operations makes Medusa a uniquely dangerous threat.
DragonForce — The White-Label Cartel
DragonForce represents a new organizational model in the ransomware ecosystem: a self-described "cartel" offering white-label RaaS where affiliates can brand attacks as their own operations. Activity spiked 212% in June 2025, and the group claimed 56 victims in Q3 2025 alone. DragonForce announced partnerships and infrastructure-sharing with displaced LockBit and Qilin affiliates, and introduced a "data audit" service where affiliates who steal large datasets (typically over 300 GB from companies with over $15 million annual revenue) can submit the data for analysis to maximize extortion leverage. Scattered Spider has been observed deploying DragonForce ransomware against VMware ESXi servers.
Cl0p (Snakefly) — Encryption-Less Mass Extortion
While technically moving away from T1486, Cl0p's evolution illustrates the strategic context. Cl0p's 2025 campaign exploited a critical zero-day vulnerability (CVE-2025-61882) in Oracle E-Business Suite for unauthenticated remote code execution, enabling mass data theft across hundreds of organizations. No encryption was deployed. The extortion model relied entirely on stolen data and threatened public release. The group previously used the same approach against MOVEit Transfer (2023) and Cleo MFT (2024-2025), establishing that encryption is a means to an end — financial extortion — not the objective itself. This is why T1486 usage is declining in malware samples even as total extortion attacks increase.
Detection Strategies
Detecting ransomware encryption in progress means the attack is already in its final phase. The most effective detection strategies focus on the pre-encryption behaviors — shadow copy deletion, service termination, EDR tampering — that create a narrow but critical window for response before encryption begins.
Key Event IDs and Indicators
| Indicator | Source | Detection Value |
|---|---|---|
| Volume Shadow Copy deletion | Sysmon 1, Win 4688 | vssadmin delete shadows or wmic shadowcopy delete execution is a near-universal pre-encryption indicator. Extremely high fidelity — legitimate shadow copy deletion is rare. |
| bcdedit recovery disable | Sysmon 1, Win 4688 | bcdedit /set recoveryenabled No disables Windows Recovery Environment. Combined with shadow deletion, this is strong evidence of imminent encryption. |
| Mass file rename operations | Sysmon 11, MFT analysis | Hundreds or thousands of files renamed with a new extension (.qilin, .akira, .lockbit) within seconds. File rename velocity is a direct encryption-in-progress indicator. |
| Service and process termination | Win 7036, Sysmon 1 | Rapid termination of database services (SQL, Oracle), email (Exchange), backup agents (Veeam, Commvault), and security tools immediately before file modification. |
| Vulnerable driver loading | Sysmon 6 (Driver Load) | BYOVD attacks load known-vulnerable kernel drivers to disable EDR. Monitor for driver loads from non-standard paths or with revoked/unexpected certificates. |
| Ransom note file creation | Sysmon 11 | Creation of files named README.txt, RECOVER-FILES.txt, or similar across multiple directories simultaneously. Detection at this point means encryption is already underway. |
SIEM Detection Queries
Pre-Encryption Shadow Copy and Recovery Deletion (Splunk) — detects the near-universal ransomware preparation step of deleting backup and recovery capabilities:
```spl
index=sysmon EventCode=1
    ((process_name="vssadmin.exe" CommandLine="*delete*shadows*")
     OR (process_name="wmic.exe" CommandLine="*shadowcopy*delete*")
     OR (process_name="bcdedit.exe" CommandLine="*recoveryenabled*No*")
     OR (process_name="wbadmin.exe" CommandLine="*delete*catalog*")
     OR (process_name="powershell.exe" CommandLine="*Get-WmiObject*Win32_ShadowCopy*Delete*"))
| stats count earliest(_time) as first_seen latest(_time) as last_seen
        values(process_name) as tools values(CommandLine) as commands
    by host user
| where count >= 2
| sort first_seen
```
Mass File Encryption Detection (Splunk) — identifies rapid file modification patterns characteristic of active encryption:
```spl
index=sysmon EventCode=11
| bucket _time span=60s
| stats count dc(TargetFilename) as unique_files by _time host process_name
| where unique_files > 100
| sort -unique_files
```
BYOVD Driver Load Detection (Splunk) — detects loading of kernel drivers from non-standard locations, a prerequisite for BYOVD-based EDR disabling:
```spl
index=sysmon EventCode=6
| where NOT match(ImageLoaded, "(?i)(C:\\\\Windows\\\\System32\\\\drivers)")
| where match(ImageLoaded, "(?i)(\\\\Temp\\\\|\\\\AppData\\\\|\\\\ProgramData\\\\|\\\\Users\\\\)")
| stats count values(ImageLoaded) as drivers
        values(Signature) as signers values(SignatureStatus) as signature_status
    by host
| sort -count
```
The window between shadow copy deletion and encryption execution is typically measured in minutes, not hours. Automated response — host isolation triggered by shadow deletion detection — is the only reliable way to prevent encryption once the pre-encryption phase begins. Manual triage and approval workflows are too slow.
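The same pre-encryption and file-burst logic as the queries above, as an added Python example that is not part of the original article: it runs offline over constructed Sysmon-style events and returns the hosts an automated isolation rule would act on. Field names follow the Sysmon fields the queries use; the thresholds and the sample events are assumptions made for the example.

```python
"""Pre-encryption and encryption-in-progress detection over Sysmon-style events.

Added example, not from the original article or any vendor tool: it carries the
logic of the Splunk queries above into plain Python so it runs offline over
constructed events. Field names follow the Sysmon fields the queries use
(EventCode, process_name, CommandLine, TargetFilename); the events are made up.
"""
import re
from collections import defaultdict

# Recovery-inhibition commands that precede encryption (T1490 steps before T1486)
PRE_ENCRYPTION_PATTERNS = {
    "vssadmin.exe": re.compile(r"delete.*shadows", re.I),
    "wmic.exe": re.compile(r"shadowcopy.*delete", re.I),
    "bcdedit.exe": re.compile(r"recoveryenabled\s+No", re.I),
    "wbadmin.exe": re.compile(r"delete.*catalog", re.I),
    "powershell.exe": re.compile(r"Get-WmiObject.*Win32_ShadowCopy.*Delete", re.I),
}


def pre_encryption_hosts(events, min_hits=2):
    """(host, user) pairs with >= min_hits recovery-inhibition commands (EventCode 1),
    mirroring: stats count ... by host user | where count >= 2."""
    hits = defaultdict(list)
    for e in events:
        if e.get("EventCode") != 1:
            continue
        pat = PRE_ENCRYPTION_PATTERNS.get(e.get("process_name", "").lower())
        if pat and pat.search(e.get("CommandLine", "")):
            hits[(e["host"], e["user"])].append((e["_time"], e["process_name"]))
    return {k: sorted(v) for k, v in hits.items() if len(v) >= min_hits}


def file_burst_hosts(events, span=60, threshold=100):
    """(bucket, host, process) keys creating > threshold distinct files within one
    span-second bucket (EventCode 11), mirroring: bucket _time span=60s | stats dc(...)."""
    buckets = defaultdict(set)
    for e in events:
        if e.get("EventCode") == 11:
            bucket = e["_time"] - (e["_time"] % span)
            buckets[(bucket, e["host"], e["process_name"])].add(e["TargetFilename"])
    return {k: len(v) for k, v in buckets.items() if len(v) > threshold}


def hosts_to_isolate(events):
    """Hosts flagged by either detector: the trigger for automated isolation."""
    flagged = {host for host, _user in pre_encryption_hosts(events)}
    flagged |= {host for _bucket, host, _proc in file_burst_hosts(events)}
    return sorted(flagged)


def constructed_events():
    """Constructed sample telemetry (not real logs): WS-01 runs the recovery-deletion
    sequence, FS-02 writes 150 files with a new extension in 10 s, WS-03 is benign."""
    ev = [
        {"EventCode": 1, "_time": 1000, "host": "WS-01", "user": "CORP\\admin",
         "process_name": "vssadmin.exe", "CommandLine": "vssadmin delete shadows /all /quiet"},
        {"EventCode": 1, "_time": 1005, "host": "WS-01", "user": "CORP\\admin",
         "process_name": "bcdedit.exe", "CommandLine": "bcdedit /set {default} recoveryenabled No"},
        {"EventCode": 1, "_time": 1010, "host": "WS-03", "user": "CORP\\alice",
         "process_name": "powershell.exe", "CommandLine": "Get-Process | Out-File procs.txt"},
    ]
    for i in range(150):
        ev.append({"EventCode": 11, "_time": 2000 + i % 10, "host": "FS-02",
                   "process_name": "locker.exe",   # placeholder name for the encryptor
                   "TargetFilename": f"D:\\share\\doc{i}.docx.qilin"})
    return ev
```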
Known Threat Actors
| Threat Actor / Group | Attribution | T1486 Usage |
|---|---|---|
| Qilin (Agenda) | Financially motivated | 946 victims in 2025. Rust-based encryptor. Double extortion. Moonstone Sleet (DPRK) deploying Qilin. |
| Akira | Financially motivated | 717 victims in 2025. ChaCha20/RSA-4096. Cross-platform Windows + ESXi. Intermittent encryption for speed. |
| LockBit (Syrphid) | Financially motivated | LockBit 5.0 released September 2025. Leaked builder spawned 10+ derivative strains. Historically 20-30% market share. |
| Medusa | Financially motivated + DPRK (Stonefly) | 500+ victims. BYOVD via ABYSSWORKER. CISA advisory AA25-071A. Lazarus/Stonefly crossover since late 2025. |
| DragonForce | Financially motivated | White-label RaaS cartel. 212% activity spike June 2025. Data audit extortion service for affiliates. |
| Scattered Spider | Financially motivated | Deployed BlackCat, DragonForce on VMware ESXi servers. Social engineering for initial access. |
| FIN7 | Financially motivated | Custom Darkside variant for ESXi encryption. Sardonic backdoor delivering Noberus (ALPHV/BlackCat). |
| APT41 (Brass Typhoon) | China | Dual espionage/crime. Deployed ransomware in parallel with espionage operations. Failed encryption attempts documented. |
| Lazarus / Stonefly | North Korea | Medusa ransomware deployment. Rim Jong Hyok indicted July 2025. Healthcare and nonprofit targeting. |
| Magic Hound (APT35) | Iran | BitLocker and DiskCryptor abuse for destructive encryption against Middle Eastern targets. |
Beyond these groups, T1486 is employed by every significant RaaS platform (INC Ransom, Play, SafePay, BlackSuit, Embargo, Lynx), commodity ransomware families (MAZE, Conti, REvil, WannaCry, NotPetya, Bad Rabbit), and an expanding set of nation-state actors using ransomware for either financial gain (North Korea) or destructive operations disguised as ransomware (Iran, Russia).
Defensive Recommendations
If the ransomware encryptor is running, the battle is already lost. Effective ransomware defense means detecting and stopping the attack chain in the hours and days before encryption — during initial access, credential theft, lateral movement, and defense evasion. The encryption itself happens too fast to stop once it starts.
- Implement immutable, offline, and air-gapped backups: The single most important ransomware control. Backups must be immutable (write-once, no modification after creation), stored offline or air-gapped from the production network, and tested regularly through full restoration exercises. Cloud backups must use separate credentials that are not accessible from the production domain. Backup integrity verification should be automated and alerting. Without recoverable backups, every ransomware incident becomes a payment negotiation.
- Automate host isolation on pre-encryption indicators: Configure your EDR/SOAR platform to automatically isolate hosts that execute vssadmin delete shadows, bcdedit /set recoveryenabled No, or wbadmin delete catalog. This is the highest-confidence automated response available for ransomware — legitimate shadow copy deletion in production is extremely rare. The seconds between shadow deletion and encryption execution are your only intervention window.
- Deploy EDR with anti-ransomware canary files: Configure EDR solutions with ransomware-specific detection modules that place canary files (honeypot documents) in directories that ransomware encryptors will target. Modification or encryption of canary files triggers immediate detection and response. This catches encryption in its first seconds, before it reaches critical data.
- Protect against BYOVD attacks: Maintain a blocklist of known-vulnerable kernel drivers. Microsoft's Vulnerable Driver Blocklist (HVCI) should be enabled on all endpoints. Monitor Sysmon Event ID 6 for driver loads from non-standard paths. BYOVD is now a standard pre-encryption step for Medusa, RansomHub, and other groups — if the attacker cannot disable EDR, they often abort the encryption attempt.
- Segment and harden ESXi and virtualization infrastructure: Place ESXi management interfaces on dedicated, isolated VLANs. Disable SSH access except when actively needed. Enable ESXi lockdown mode. Monitor for SSH connections to ESXi hosts from unexpected sources. Ensure ESXi is patched against known vulnerabilities. The encryption of a single ESXi host can take down the entire VM fleet running on it.
- Implement cloud storage protection: For AWS S3, enable Object Lock (WORM/compliance mode) on critical buckets to prevent encryption or deletion. Enable S3 versioning with MFA-delete protection. Restrict SSE-C usage through IAM policies if the organization does not use customer-provided encryption keys. Apply equivalent controls to Azure Blob immutability policies and Google Cloud retention locks.
- Reduce the blast radius through network segmentation: Segment the network to prevent ransomware propagation from a single compromised host to the entire environment. Restrict SMB, RDP, and WMI traffic between segments. Implement tier-zero isolation for Active Directory infrastructure. The difference between encrypting 50 endpoints and 5,000 endpoints is network segmentation.
- Validate defenses through simulation: Use ransomware simulation tools (SafeBreach, AttackIQ, Picus, or open-source alternatives) to test your detection and response capabilities against specific ransomware group TTPs. Simulate shadow copy deletion, EDR disabling, mass file encryption, and lateral propagation. Measure mean-time-to-detect and mean-time-to-respond. The gap between "we have backups" and "we can restore from backups in 48 hours" is where business impact lives.
MITRE ATT&CK Mapping
| Field | Value |
|---|---|
| Technique ID | T1486 |
| Technique Name | Data Encrypted for Impact |
| Tactics | Impact |
| Platforms | Windows, Linux, macOS, ESXi, IaaS |
| Sub-Techniques | None (T1486 has no sub-techniques) |
| Data Sources | Cloud Storage (Modification), Command (Execution), File (Creation, Modification), Process (Creation), Network Share (Access) |
| Related Techniques | T1485 Data Destruction, T1490 Inhibit System Recovery, T1078 Valid Accounts, T1021.002 SMB/Windows Admin Shares |
| MITRE Reference | attack.mitre.org/techniques/T1486 |
Sources and References
- MITRE ATT&CK — T1486 Data Encrypted for Impact: attack.mitre.org
- Picus Security — Red Report 2026 and T1486 Technique Explained: picussecurity.com
- Picus Security — Top 10 Ransomware Groups of 2025: picussecurity.com
- Symantec/Broadcom — Ransomware: Tactical Evolution Fuels Extortion Epidemic (2026): security.com
- Check Point Research — State of Ransomware Q3 2025: research.checkpoint.com
- CISA/FBI — #StopRansomware: Medusa Ransomware (AA25-071A): cisa.gov
- Dragos — OT Ransomware Trends Q1 2025: dragos.com
- Halcyon — S3 Ransomware: Encrypting S3 Buckets with SSE-C (January 2025): halcyon.ai