Data Encrypted for Impact
Ransomware-style encryption of victim data.
§ Where this technique fits
T1486 is catalogued under the Impact tactic of the offensive-security kill-chain. It appears in 12 approved dossiers in the registry, typically at step 5.2 on average.
Authoritative reference: attack.mitre.org/techniques/T1486/.
§ Dossiers chaining this technique
- step 4 / 5
LoRaWAN replay → spoof environmental sensor
Capture LoRaWAN uplinks from a target sensor. Devices that reset FCnt on reboot accept replayed frames — feed false readings into the upstream IoT platform.
- step 4 / 4
Uninitialised UUPS proxy implementation → brick contracts
UUPS upgradeable contracts must initialise the implementation contract itself. If skipped, anyone can call `initialise()` and become its owner — then call `selfdestruct` to brick every proxy referencing it (Parity Multisig 2017).
- step 4 / 6
ESXiArgs — OpenSLP unauth RCE → ransomware
Internet-facing ESXi with SLP service on TCP/427 unpatched for CVE-2021-21974. Single ROP gadget chain yields root, then a small bash script encrypts every .vmdk on local datastores.
- step 5 / 5
TRITON-class SIS reprogram → disable safety shutdown
After OT-network foothold, reach a Triconex Safety Instrumented System. Download attacker logic that suppresses safety trips on a process that's about to be pushed past its safe envelope.
- step 5 / 5
BACnet HVAC → disrupt building operations
BACnet on UDP/47808 is unauthenticated. From a foothold in corporate IT, write to HVAC controllers — over-cool a data centre, disable smoke evacuation, mess with elevators.
- step 5 / 5
Open MongoDB → dump every collection
Shodan-indexed MongoDB on 27017 with no auth. Connect, list databases, dump every collection. Often the second stage is a ransom note in a new 'README' collection.
- step 5 / 5
Reachable Modbus PLC → direct register override
Modbus has no authentication. From a foothold on a reachable OT network, write to coils / holding registers directly with pymodbus.
- step 6 / 6
Stolen credentials → no-MFA Snowflake → mass tenant exfil (2024)
Infostealer logs from third-party machines yielded credentials for many Snowflake tenants. Tenants without enforced MFA / IP allow-lists were directly queried; dozens of customer data sets exfiltrated.
- step 6 / 6
Leaked legacy VPN credential → ransomware (Colonial-class)
A dormant VPN account whose password appeared in a third-party breach is still active, has no MFA enforced. Sign in, recon AD, deploy ransomware across the estate.
- step 6 / 6
MOVEit Transfer (CVE-2023-34362) → mass data exfil (Cl0p)
Pre-auth SQLi in MOVEit's web UI forges an admin session. .NET deserialisation chain drops a webshell as SYSTEM. Cl0p's 2023 mass-exfil playbook: download every file under /var/files.
- step 6 / 6
vCenter pre-auth RCE → root on every ESXi → mass encrypt
Pre-auth RCE on vCenter Server (DCERPC or vSphere Client class CVE). Deploy SSH key via vCenter to every managed ESXi, then mass-encrypt every .vmdk — the ESXiArgs / Black Basta playbook.
- step 6 / 6
Engineering workstation → push payload to PLC
Compromise the OT engineer's laptop (corporate-network adjacent, jumphost-reachable). Use legit engineering tools (TIA Portal / Studio 5000) to download attacker ladder logic to the PLC.
§ What commonly comes next
- 01ESXi Mass-Encrypt Ransomwareseen 1×HV-ESXI-RANSOM · Impact