T1471: Data Encrypted for Impact

Search IOCs, vulnerabilities, APT…

216.73.216.6

← Back to attack patterns

T1471: Data Encrypted for Impact

View on MITRE ATT&CK The MITRE Corporation · Published 25/10/2017 16:48 · Modified 27/03/2026 01:41

Essential information

MITRE technique ID: T1471
Confidence: 100/100
Revoked: No
Published: 25/10/2017 16:48
Modified: 27/03/2026 01:41
Author / Source: The MITRE Corporation

Aliases

T1471

Platforms

android

Description

An adversary may encrypt files stored on a mobile device to prevent the user from accessing them. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.

Kill chain phases

Kill chain	Phase
mitre-mobile-attack	impact

Marking (TLP)

External references

NIST Mobile Threat Catalogue (APP-28)
mitre-attack (T1471)

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (20)

Cinnamon Tempest uses DEV-0401Emperor Dragonfly

The MITRE Corporation Confidence 100

[Cinnamon Tempest](https://attack.mitre.org/groups/G1021) is a China-based threat group that has been active since at least 2021 deploying multiple strains of ransomware based on the leaked [Babuk](https://attack.mitre.org/software/S0638) source code. [Cinnamon…

First seen 01/01/1970 · Last seen 16/11/5138 ·
NoEscape uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Andariel related Silent ChollimaPLUTONIUM

The MITRE Corporation Confidence 100

[Andariel](https://attack.mitre.org/groups/G0138) is a North Korean state-sponsored threat group that has been active since at least 2009. [Andariel](https://attack.mitre.org/groups/G0138) has primarily focused its operations--which have included destructive attacks--against South Korean…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Conti related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
LV related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Royal Ransomware Group related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Sandworm related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
YourCyanide related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 2

13–20 of 20

REvil uses
Raspberry Robin uses

Family
SodaMaster uses

Family The MITRE Corporation Confidence 100

[SodaMaster](https://attack.mitre.org/software/S0627) is a fileless malware used by [menuPass](https://attack.mitre.org/groups/G0045) to download and execute payloads since at least 2020.(Citation: Securelist APT10 March 2021)

First seen 01/01/1970 · Last seen 16/11/5138 ·
Linux uses

Family
ZeroCleare uses

Family The MITRE Corporation Confidence 100

[ZeroCleare](https://attack.mitre.org/software/S1151) is a wiper malware that has been used in conjunction with the [RawDisk](https://attack.mitre.org/software/S0364) driver since at least 2019 by suspected Iran-nexus threat actors including activity targeting the…

First seen 01/01/1970 · Last seen 16/11/5138 ·
CaddyWiper - S0693 uses

Family
Bumblebee uses
Cryptonite uses
Black Basta uses

Family The MITRE Corporation Confidence 100

[Black Basta](https://attack.mitre.org/software/S1070) is ransomware written in C++ that has been offered within the ransomware-as-a-service (RaaS) model since at least April 2022; there are variants that target Windows and…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Koxic uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
NYX uses
Meterpreter uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 8

49–60 of 85

Deep Dive Into Allegedly AI-Generated FunkSec Ransomware related

1 MITRE 1 Malware 1 Observable

Vulnerabilities (CVE) (6)

CVE-2021-44228 KEV targets

10.0 Critical

Apache Log4j2 contains a vulnerability where JNDI features do not protect against attacker-controlled JNDI-related endpoints, allowing for remote code execution.

Attack vector: Network
Published: 10/12/2021
Modified: 27/05/2026

CVE-2021-40539 KEV targets

Zoho ManageEngine ADSelfService Plus contains an authentication bypass vulnerability affecting the REST API URLs which allow for remote code execution.

Published: 03/11/2021
Modified: 20/12/2025

CVE-2019-0708 KEV targets

Microsoft Remote Desktop Services, formerly known as Terminal Service, contains an unspecified vulnerability that allows an unauthenticated attacker to connect to the …

Published: 03/11/2021
Modified: 29/05/2026

CVE-2020-0796 KEV targets

A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An …

Published: 10/02/2022
Modified: 20/12/2025

CVE-2017-10271 KEV targets

7.5 High

Oracle Corporation WebLogic Server contains a vulnerability that allows for remote code execution.

Attack vector: NETWORK
Complexity: LOW
Published: 19/10/2017
Modified: 22/04/2026

CWE-306

CVE-2022-21882 KEV targets

Microsoft Win32k contains an unspecified vulnerability that allows for privilege escalation.

Published: 04/02/2022
Modified: 20/12/2025

Tool (1)

Xbot uses

The MITRE Corporation Confidence 100

[Xbot](https://attack.mitre.org/software/S0298) is an Android malware family that was observed in 2016 primarily targeting Android users in Russia and Australia. (Citation: PaloAlto-Xbot)

Contact About Legal notice Privacy policy Terms of use