ATT&CK-CN V1.01 Last Update: 2019-11 [Back to index page]

Translators: 林妙倩 (cybersecurity intern, Institute for Network Sciences and Cyberspace, Tsinghua University), 戴亦仑 (赛宁网安). This is an original translation; please obtain the translators' consent before reposting.

Data source: ATT&CK Matrices

原文: https://attack.mitre.org/techniques/T1486

Glossary: /attack/glossary

Data Encrypted for Impact

Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware), or to render data permanently inaccessible in cases where the key is not saved or transmitted. In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.

To maximize impact on the target organization, malware designed for encrypting data may have worm-like features to propagate across a network by leveraging other attack techniques like Valid Accounts, Credential Dumping, and Windows Admin Shares.

Tags

Tactic: Impact

Platforms: Linux, macOS, Windows

Permissions Required: User, Administrator, root, SYSTEM

Data Sources: Kernel drivers, File monitoring, Process command-line parameters, Process monitoring

Impact Type: Availability

Mitigations

Mitigation: Data Backup
Description: Consider implementing IT disaster recovery plans that contain procedures for regularly taking and testing data backups that can be used to restore organizational data. Ensure backups are stored off system and are protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery.

Detection

Use process monitoring to monitor the execution and command-line parameters of binaries involved in data destruction activity, such as vssadmin, wbadmin, and bcdedit. These tools also have legitimate administrative uses, so alert on the destructive arguments (for example deleting shadow copies or the backup catalog, or disabling recovery) rather than on the binary alone. Monitor for the creation of suspicious files as well as unusual file modification activity. In particular, look for large quantities of file modifications in user directories.

In some cases, monitoring for unusual kernel driver installation activity can aid in detection.
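The two detection ideas above (destructive command lines and bursts of file modifications in user directories), as an added example written for this page rather than code from MITRE ATT&CK. The pipe-separated log format, the sample events, the specific argument patterns per rule, and the window and threshold values are all assumptions chosen for illustration; a real deployment would read Sysmon, EDR or auditd events and tune the thresholds against its own baseline.

```python
"""Toy T1486 detections over constructed process and file-activity events.

Added example for this page; not MITRE ATT&CK code. The log format, the
command-line patterns, and the thresholds are assumptions chosen for
illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real telemetry). One event per line:
#   <ISO timestamp>|process|<image path>|<command line>
#   <ISO timestamp>|file|<path of a created or modified file>
SAMPLE_LOG = r"""
2024-05-01T09:00:01|process|C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
2024-05-01T09:00:02|process|C:\Windows\System32\wbadmin.exe|wbadmin delete catalog -quiet
2024-05-01T09:00:03|process|C:\Windows\System32\bcdedit.exe|bcdedit /set {default} recoveryenabled no
2024-05-01T09:00:04|process|C:\Windows\System32\bcdedit.exe|bcdedit /set {default} bootstatuspolicy ignoreallfailures
2024-05-01T09:00:05|process|C:\Windows\System32\vssadmin.exe|vssadmin list shadows
2024-05-01T09:00:10|file|C:\Users\alice\Documents\report.docx.locked
2024-05-01T09:00:11|file|C:\Users\alice\Documents\budget.xlsx.locked
2024-05-01T09:00:12|file|C:\Users\alice\Pictures\holiday.jpg.locked
2024-05-01T09:00:13|file|C:\Users\alice\Desktop\notes.txt.locked
2024-05-01T09:00:14|file|C:\Users\alice\Desktop\README_DECRYPT.txt
2024-05-01T09:00:15|file|C:\Users\alice\Documents\thesis.pdf.locked
2024-05-01T09:05:00|file|C:\Users\bob\Documents\todo.txt
2024-05-01T09:30:00|file|C:\Users\bob\Documents\todo.txt
2024-05-01T09:31:00|file|/home/carol/notes.md
2024-05-01T09:32:00|file|C:\Windows\Temp\update.log
"""

# Destructive argument patterns (author's choice, matched case-insensitively).
# Plain "vssadmin list shadows" is deliberately NOT matched: the binary alone
# is not the signal, the recovery-inhibiting arguments are.
INHIBIT_RECOVERY_RULES = [
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b")),
    ("vssadmin_resize_shadowstorage", re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b")),
    ("wbadmin_delete_catalog", re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b")),
    ("bcdedit_disable_recovery", re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b")),
    ("bcdedit_ignore_boot_failures", re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b")),
]

# User home directories on Windows and Linux; the capture group is the user name.
USER_DIR = re.compile(r"^(?:[a-z]:\\users\\([^\\]+)|/home/([^/]+))", re.IGNORECASE)


def parse_log(text):
    """Parse the constructed pipe-separated format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, rest = line.split("|", 2)
        ev = {"ts": datetime.fromisoformat(ts), "kind": kind}
        if kind == "process":
            image, cmdline = rest.split("|", 1)
            ev.update(image=image, cmdline=cmdline)
        elif kind == "file":
            ev["path"] = rest
        events.append(ev)
    return events


def find_recovery_inhibition(events):
    """Return (timestamp, rule name, command line) for each matching process event."""
    hits = []
    for ev in events:
        if ev["kind"] != "process":
            continue
        cmd = ev["cmdline"].lower()
        for name, pattern in INHIBIT_RECOVERY_RULES:
            if pattern.search(cmd):
                hits.append((ev["ts"], name, ev["cmdline"]))
                break
    return hits


def find_modification_bursts(events, window=timedelta(seconds=60), threshold=5):
    """Return (user, count) for users whose home directory saw >= threshold
    file events inside any sliding window of the given length."""
    per_user = defaultdict(list)
    for ev in events:
        if ev["kind"] != "file":
            continue
        m = USER_DIR.match(ev["path"])
        if m:
            per_user[m.group(1) or m.group(2)].append(ev["ts"])
    alerts = []
    for user, stamps in sorted(per_user.items()):
        stamps.sort()
        best, i = 0, 0
        for j in range(len(stamps)):
            while stamps[j] - stamps[i] > window:  # slide the left edge forward
                i += 1
            best = max(best, j - i + 1)
        if best >= threshold:
            alerts.append((user, best))
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ts, rule, cmd in find_recovery_inhibition(evs):
        print(f"{ts.isoformat()} {rule}: {cmd}")
    for user, count in find_modification_bursts(evs):
        print(f"burst: {count} file events in the home directory of {user} within 60s")
```

On the constructed sample the four destructive commands fire and the fifth (a read-only "vssadmin list shadows") does not; alice's six modifications within ten seconds produce a burst alert, while bob's two edits 25 minutes apart and carol's single write stay under the threshold. In practice the window and threshold must be baselined per environment, since build servers, sync clients and backup agents legitimately touch many files quickly.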