The MITRE ATT&CK Framework: Impact

Not all attackers are trying to exfiltrate data. In security, we’re all familiar with the CIA triad: confidentiality, availability, and integrity. While Exfiltration describes adversarial behavior with the goal of violating confidentiality, attackers may instead look to manipulate, interrupt, or destroy your systems and data. The Impact tactic describes techniques that adversaries use to compromise the availability or integrity of your systems and data. This tactic was introduced to capture disruptive behavior such as ransomware, denial of service, and other destructive enterprise attacks that aren’t captured by the other ATT&CK tactics.
Over the past decade, ransomware has grown from an annoyance to a major crisis, in no small part due to the introduction of convenient and hard-to-trace payment systems such as cryptocurrencies like Bitcoin. In late 2013, ZDNet estimated that the attackers behind CryptoLocker made off with $41.9 million over the span of three months. Ransomware such as CryptoLocker works by encrypting files located on connected drives, often using strong, sound cryptography. The encrypted files are inaccessible to the victims until they receive the decryption key, which attackers may or may not divulge upon payment. These keys are often randomly generated, so no single key will be usable by two different victims.
Best practices for mitigating Data Encrypted for Impact and data destruction techniques are good offline data backup schemes and restricting file and directory permissions. (See mitre framework impact
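To make the permission-restriction mitigation concrete, the following added example (not code from the original page) audits a directory tree and lists the files a given account could overwrite or replace, which is what ransomware running under that account could encrypt. It assumes plain POSIX mode bits with no ACLs, and the function names are hypothetical.

```python
import os
import stat

def _can(st, uid, gids, bit_owner, bit_group, bit_other):
    """Evaluate one POSIX permission class: owner first, then group, then other."""
    if uid == 0:
        return True  # root bypasses mode bits
    if st.st_uid == uid:
        return bool(st.st_mode & bit_owner)
    if st.st_gid in gids:
        return bool(st.st_mode & bit_group)
    return bool(st.st_mode & bit_other)

def can_write(st, uid, gids):
    return _can(st, uid, gids, stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH)

def can_replace_in(dir_st, file_st, uid, gids):
    """Write+search on a directory allows deleting or replacing its entries,
    even read-only ones, unless the sticky bit limits that to the owners."""
    w = can_write(dir_st, uid, gids)
    x = _can(dir_st, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)
    if not (w and x):
        return False
    if dir_st.st_mode & stat.S_ISVTX:
        return uid in (0, file_st.st_uid, dir_st.st_uid)
    return True

def audit(root, uid, gids):
    """Return {path: reason} for every regular file the account could alter."""
    exposed = {}
    for dirpath, _dirs, files in os.walk(root):
        dir_st = os.stat(dirpath)
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, devices, sockets
            if can_write(st, uid, gids):
                exposed[path] = "file writable"
            elif can_replace_in(dir_st, st, uid, gids):
                exposed[path] = "parent directory writable"
    return exposed

if __name__ == "__main__":
    import sys
    # usage: audit.py ROOT UID [GID ...]
    root, uid = sys.argv[1], int(sys.argv[2])
    gids = {int(g) for g in sys.argv[3:]}
    for path, reason in sorted(audit(root, uid, gids).items()):
        print(f"{reason}\t{path}")
```

Files reported as "parent directory writable" are the ones most often missed: marking a file read-only does not protect it when the account can still delete and recreate it in its directory.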