ID | E1485 |
Objective(s) | Impact |
Related ATT&CK Techniques | Data Destruction (T1485) |
Impact Type | Availability |
Version | 2.0 |
Created | 1 August 2019 |
Last Modified | 21 November 2022 |
Data, system files, or other files are destroyed. Individual files are selected, as opposed to wiping an entire sector.
See ATT&CK: Data Destruction (T1485).
Name | ID | Description |
---|---|---|
Delete Application/Software | E1485.m03 | An application or software is deleted. |
Delete Shadow Copies | E1485.m04 | Deletes shadow drive data, which is related to ransomware. |
Empty Recycle Bin | E1485.m02 | Empties the recycle bin, which can be related to ransomware. |
Name | Date | Method | Description |
---|---|---|---|
Shamoon | 2012 | -- | A 2018 variant includes a component that erases files and then wipes the master boot record, preventing file recovery. [1] |
Rombertik | 2015 | -- | If a specific anti-analysis check fails, the malware will overwrite the master boot record or the user's home folder. [2] |
BlackEnergy | 2007 | -- | The BlackEnergy 2 variant contains a Destroy plugin that destroys data stored on victim hard drives by overwriting file contents. [3] |
Conficker | 2008 | -- | Resets system restore points and deletes backup files. [4] |
MazarBot | 2016 | -- | Can erase phone data. [5] |
[1] http://www.darkreading.com/attacks-breaches/disk-wiping-shamoon-malware-resurfaces-with-file-erasing-malware-in-tow/d/d-id/1333509
[2] https://blogs.cisco.com/security/talos/rombertik
[3] https://securelist.com/be2-extraordinary-plugins-siemens-targeting-dev-fails/68838/
[4] https://en.wikipedia.org/wiki/Conficker
[5] https://heimdalsecurity.com/blog/security-alert-mazar-bot-active-attacks-android-malware/
[6] https://www.darkreading.com/attacks-breaches/disk-wiping-shamoon-malware-resurfaces-with-file-erasing-malware-in-tow