# Impact Techniques (MITRE ATT&CK TA0040)
## Definition
Impact is the final tactic in the MITRE ATT&CK framework, Tactic TA0040. It covers the techniques adversaries use to achieve their operational objective by disrupting availability, destroying data, manipulating data, or monetizing access. Impact is where the attacker's purpose becomes apparent: financial extortion through ransomware, geopolitical signaling through data destruction, competitive intelligence theft through exfiltration, or unauthorized resource use through cryptojacking.
Every prior tactic, from initial access through collection, exists in service of impact. The reconnaissance, the lateral movement, the privilege escalation, the persistence mechanisms: all of it is infrastructure in support of the final objective. Understanding impact techniques is understanding what the attack was actually for.
MITRE ATT&CK TA0040 is unique in the framework because the techniques it contains produce consequences that cannot always be reversed. Data theft is harmful but the stolen data still exists. Encrypted data (ransomware) is recoverable with a decryption key or a backup. Destroyed data, overwritten with zeros or random bytes, may be permanently gone. Physical damage caused through cyber means (industrial control system attacks) is irreversible by definition. The spectrum runs from fully reversible to completely irreversible, and the position on that spectrum determines whether recovery is possible.
Within the Planetary Defense Model (PDM), impact detection is a TID responsibility, but impact recovery is a DPS (Data Protection and Sovereignty) problem. The two domains operate in coordination: TID detection aims to catch the precursor behaviors before impact executes, and DPS backup integrity verification ensures that when impact does execute, the recovery capability is intact.
## How It Works
### Data Encrypted for Impact (Ransomware)
T1486 (Data Encrypted for Impact) is the defining technique of ransomware attacks, the dominant financially motivated cyber threat for the past decade. The technique involves encrypting the victim's files and demanding payment for the decryption key.
Modern ransomware implementations use strong symmetric encryption, typically ChaCha20 or AES-256, to encrypt file contents. The symmetric key is itself encrypted with the attacker's asymmetric public key, meaning that decryption without the attacker's private key is computationally infeasible with current cryptographic methods. The ransom demand is the price of the private key.
Ransomware executes through a standardized operational sequence. First, backup deletion and shadow copy removal (T1490, covered below) ensures that recovery without payment is difficult or impossible. Second, network share enumeration identifies additional file stores to encrypt beyond the local machine. Third, the encryption routine processes target file extensions in order of estimated value, typically beginning with document formats (Office files, PDFs), databases, and configuration files before moving to less critical data. Finally, ransom notes are placed in encrypted directories and the desktop wallpaper is often replaced with the attacker's demands.
Major ransomware families in active deployment include LockBit (before the 2024 law enforcement operation), ALPHV/BlackCat (responsible for the Change Healthcare breach), Cl0p (responsible for the MOVEit breach), and RansomHub (which absorbed affiliates following ALPHV's disruption).
### Data Destruction
T1485 (Data Destruction) is fundamentally different from ransomware in intent and consequence. Where ransomware encrypts data for financial leverage, data destruction overwrites or deletes data with no monetization intent. The objective is denial: eliminating the organization's ability to operate, destroying evidence, or inflicting damage as a geopolitical or retaliatory act.
Wiper malware is the primary delivery mechanism for T1485. Wiper malware is designed to destroy data rather than encrypt it for ransom. The destruction may involve overwriting file contents with random data or zeros (making recovery impossible without bit-level forensics and a complete backup), corrupting the Master Boot Record (MBR) to prevent system boot, or deleting partition tables.
WhisperGate (January 2022) is the most recent high-profile example. In the weeks before Russia's full-scale invasion of Ukraine, WhisperGate wiper malware was deployed against Ukrainian government systems. WhisperGate masqueraded as ransomware (displaying a ransom note) but was actually a wiper: it corrupted the MBR and deleted files with no decryption mechanism. The ransom note was theater. The actual objective was destruction of Ukrainian government operational data.
NotPetya (2017) remains the most destructive wiper attack in recorded history. Deployed through a corrupted update to M.E.Doc (a Ukrainian accounting software), NotPetya spread automatically across networks using EternalBlue (exploiting MS17-010) and the Mimikatz credential extraction technique, then overwrote MBRs and encrypted file tables. NotPetya caused an estimated $10 billion in global damages, including the permanent loss of shipping giant Maersk's entire global IT infrastructure (which was rebuilt from scratch over approximately ten days).
Iran-linked attacks in the Middle East including Shamoon (against Saudi Aramco, 2012) and its successors followed a similar wiper pattern, targeting energy sector infrastructure for destructive impact.
### Defacement
T1491 (Defacement) targets the visible face of an organization's digital presence rather than its data. Website defacement replaces legitimate website content with attacker messaging, including political statements, propaganda, proof of access, or taunting. Internal system defacement modifies internal systems (internal portals, intranets, digital signage) for psychological impact.
Defacement is primarily used for propaganda, signaling, and psychological impact rather than direct financial gain. Nation-state actors use it for geopolitical messaging. Hacktivist groups use it for cause-based public communication. Criminal actors occasionally use it as extortion leverage (defacing a site and offering to restore it for payment).
The technical capability required for defacement is generally lower than for destructive attacks because it requires write access to web-facing content but not necessarily deep system access. Web application vulnerabilities (SQL injection, unrestricted file upload, compromised CMS credentials) frequently provide the access needed for defacement without full system compromise.
### Resource Hijacking
T1496 (Resource Hijacking) covers the unauthorized use of victim computing resources, most commonly for cryptocurrency mining (cryptojacking). The attacker does not seek to destroy or steal data. They want compute power and they are willing to pay for it with the victim's resources.
Cryptojacking impacts manifest as degraded system performance, elevated CPU and GPU utilization, higher electricity consumption, and accelerated hardware wear. In cloud environments, resource hijacking produces unexpectedly large cloud bills: the attacker is running compute workloads that the victim organization is paying for through their cloud provider billing.
Cloud environments are particularly attractive cryptojacking targets because they offer virtually unlimited compute resources. An attacker who compromises cloud credentials with the ability to launch compute instances can scale mining operations far beyond what local hardware would support, while the victim organization pays the cloud bill. Several major cloud compromises have resulted in six-figure and seven-figure unauthorized cloud charges before the activity was detected and terminated.
### Account Access Removal
T1531 (Account Access Removal) is a technique used in destructive attacks to prevent the victim from responding and recovering. The attacker deletes or locks user and administrator accounts, disabling the organization's ability to authenticate and operate its own systems. In a ransomware context, account access removal forces the organization to negotiate with the attacker for access restoration. In a purely destructive context, it maximizes the disruption and delays recovery.
Account access removal may target all accounts (maximizing disruption), administrative accounts specifically (disabling the ability to remediate), or the accounts of specific individuals (preventing key personnel from responding). Combined with backup deletion and system encryption, account access removal can leave an organization without any viable path to recovery other than rebuilding from scratch.
### Inhibit System Recovery
T1490 (Inhibit System Recovery) is arguably the most operationally critical impact technique because it determines whether recovery without attacker cooperation is possible. It is also, by a significant margin, the most universally deployed technique in ransomware attacks.
The canonical implementation targets Windows Volume Shadow Copies (VSS). VSS is Windows' built-in snapshot mechanism, which automatically creates point-in-time copies of files when changes are made. VSS snapshots provide a recovery path for ransomware-encrypted files without a separate backup solution. Accordingly, virtually every ransomware strain deletes VSS snapshots before beginning encryption.
The command `vssadmin delete shadows /all /quiet` deletes all VSS snapshots silently. Variations include `wmic shadowcopy delete`, `bcdedit /set {default} recoveryenabled no` (disabling the Windows Recovery Environment), and direct interaction with backup software management consoles to delete backup jobs, retention policies, and stored backups.
Some sophisticated ransomware operations target backup infrastructure specifically before deploying ransomware to the general network. Veeam, Commvault, Veritas NetBackup, and similar enterprise backup solutions have management consoles that, if compromised, allow deletion of backup repositories. Attacker playbooks for major ransomware groups explicitly include steps to identify and access backup management infrastructure before the main encryption phase.
## Why It Matters
### The Spectrum from Reversible to Irreversible
Understanding where a given impact technique sits on the reversibility spectrum determines what recovery looks like and whether it is possible.
Data theft is harmful but the original data remains intact. The impact is reputational, regulatory, and competitive, but the organization's systems remain functional.
Ransomware encryption is reversible if the organization has a complete, tested, offline backup. The decryption key exists, held by the attacker. Recovery cost is either the ransom payment or the time and effort to restore from backup. Many organizations choose to pay because their backup infrastructure is inadequate (backup systems were also encrypted, backups were never tested and prove unrestorable, backup retention is insufficient to provide a clean restore point).
Data destruction by wiper is irreversible without a complete backup. There is no decryption key. The data does not exist in recoverable form. Recovery requires restoration from backup or, if no adequate backup exists, rebuilding from scratch. NotPetya victims who lacked adequate backups lost data permanently.
Physical damage via cyber means is irreversible by definition. Stuxnet (2010) caused physical destruction of uranium enrichment centrifuges at the Natanz facility in Iran by manipulating centrifuge operating parameters through compromised industrial control systems. The centrifuges were mechanically destroyed. Software cannot repair physical hardware that has been damaged by cyber-enabled manipulation of its operating parameters.
### Why Ransomware Operators Delete Backups First
The backup deletion step (T1490) is not optional in modern ransomware operations. It is the step that determines whether the ransom demand is credible. If the victim has accessible, intact, tested backups, the ransom demand is ineffective: the victim can simply restore. The ransomware operator's leverage depends entirely on the absence of viable recovery alternatives.
The operational consequence for defenders is direct: backup integrity is the most important ransomware resilience control. Not detection, not prevention, not incident response planning. If backup integrity is maintained, ransomware is an expensive, disruptive incident with a known recovery path. If backup integrity fails, ransomware becomes an existential threat.
The 3-2-1 backup rule (three copies of data, on two different media types, with one copy offsite) exists precisely because ransomware targets online backup systems. Immutable backups (backups that cannot be deleted or modified for a defined retention period, enforced by the storage system or cloud service) are the current standard for ransomware-resilient backup architecture.
### Wiper Malware as Geopolitical Weapon
The use of wiper malware in geopolitical conflicts represents a distinct and escalating threat category. Wiper attacks against Ukraine (WhisperGate, HermeticWiper, CaddyWiper) in 2022 demonstrated the integration of destructive cyber operations into conventional military conflict. Wiper attacks are used to degrade adversary operational capability, destroy critical records, and create psychological disruption.
Organizations in sectors relevant to geopolitical conflicts (government, defense industrial base, energy, critical infrastructure, financial services) face a threat category where the attacker has no monetization motive. The goal is destruction. This threat profile requires a different defensive posture than financially motivated ransomware: the attacker will not accept payment and stop. Resilience, not negotiation, is the only available response.
## Technical Details
### VSS Deletion Detection
Volume Shadow Copy deletion is one of the most reliable ransomware precursor signals available in Windows environments. The technique is nearly universal in ransomware attacks and has very limited legitimate use cases. Deletion of VSS snapshots by system administrators is uncommon and is typically performed through established change management processes rather than ad hoc command-line execution.
Detection relies on monitoring for:
- Process execution events (Windows Event ID 4688 or Sysmon Event ID 1) where the command line contains `vssadmin delete`, `wmic shadowcopy delete`, `bcdedit /set recoveryenabled`, or equivalent VSS deletion syntax. These should trigger high-priority alerts in any security monitoring environment.
- Backup software management console access by non-administrative accounts or accounts that do not normally interact with backup software. Veeam, Commvault, and similar platforms have their own audit logs that record backup deletion and policy modification events.
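As an added example (not CDA's own detection content), the following Python matcher applies the command-line patterns above to process-creation records in the shape of Sysmon Event ID 1 / Security 4688; the field names, host names, accounts and sample events are constructed assumptions.

```python
"""T1490 precursor detection over process-creation events (constructed sample data)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Command-line patterns for the recovery-inhibiting commands discussed above. Each regex is
# matched case-insensitively against the whole command line, so wrapping the command in
# cmd.exe /c "..." or changing argument spacing does not evade it.
T1490_PATTERNS = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "bcdedit_recovery_disabled": re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
}

@dataclass(frozen=True)
class ProcessEvent:
    """Subset of Sysmon Event ID 1 / Security 4688 fields (field names are assumptions)."""
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str

@dataclass(frozen=True)
class Alert:
    host: str
    user: str
    rule: str
    severity: str
    command_line: str

def classify(event: ProcessEvent) -> Optional[Alert]:
    """Return an Alert when the command line matches a T1490 pattern, else None.
    Any match is 'high'; '/all' (every snapshot on the volume) raises it to 'critical'."""
    cl = event.command_line
    for rule, pattern in T1490_PATTERNS.items():
        if pattern.search(cl):
            severity = "critical" if re.search(r"\s/all\b", cl, re.I) else "high"
            return Alert(event.host, event.user, rule, severity, cl)
    return None

def scan(events: List[ProcessEvent]) -> List[Alert]:
    """Classify a batch of events, keeping only the matches."""
    return [a for a in map(classify, events) if a is not None]

# Constructed events: one benign VSS query, then the three commands from the text, the last
# wrapped in cmd.exe /c and spawned from a script host.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    ProcessEvent("WS-042", "CORP\\alice", "C:\\Windows\\System32\\cmd.exe",
                 "C:\\Windows\\System32\\vssadmin.exe", "vssadmin list shadows"),
    ProcessEvent("WS-042", "CORP\\alice", "C:\\Windows\\System32\\cmd.exe",
                 "C:\\Windows\\System32\\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ProcessEvent("SRV-07", "CORP\\svc_backup", PS,
                 "C:\\Windows\\System32\\wbem\\WMIC.exe", "wmic shadowcopy delete"),
    ProcessEvent("SRV-07", "CORP\\svc_backup", "C:\\Windows\\System32\\wscript.exe",
                 "C:\\Windows\\System32\\cmd.exe",
                 'cmd.exe /c "bcdedit /set {default} recoveryenabled no"'),
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.severity.upper()}] {a.host} {a.user} {a.rule}: {a.command_line}")
```

The benign `vssadmin list shadows` query produces no alert, which is the distinction a production rule must keep so that administrators inspecting snapshots do not drown the signal.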
### Ransomware File Encryption Detection
Ransomware encryption produces detectable file system activity: the rapid creation of new files with novel extensions (the encrypted versions) combined with deletion of original files, often at volumes far exceeding normal user activity. Endpoint detection and response (EDR) platforms detect ransomware activity through behavioral rules that flag high-volume file modification activity, honeypot file creation (placing monitored canary files in common directories and alerting when they are modified), and entropy analysis (encrypted files have high entropy, identifiable through file system monitoring).
The challenge with ransomware detection is the speed of encryption. Modern ransomware can encrypt thousands of files per minute. Containment responses (network isolation, process termination) must trigger within seconds of the first signal to limit the scope of encryption.
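As an added illustration (not any EDR vendor's logic), the Python below combines two of the behavioral signals described above, a burst of high-entropy files with unfamiliar extensions paired with deletions of the originals, and reports how many files were already encrypted when the alert fired; the process names, extension allow-list and file-event stream are constructed.

```python
"""Behavioral ransomware signals over a constructed file-event stream."""
import math
import random
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, Optional, Tuple

# Extensions the monitored user processes normally write (assumed allow-list for this demo).
COMMON_EXTENSIONS = {"docx", "xlsx", "pdf", "txt", "jpg", "png", "db", "cfg"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for encrypted or compressed data, far lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

@dataclass(frozen=True)
class FileEvent:
    ts: float        # seconds
    process: str
    op: str          # "create" or "delete"
    path: str
    content: bytes = b""

class RansomwareBurstDetector:
    """Per-process window: alert once `threshold` high-entropy novel-extension creates and `threshold` deletes fall within `window` s."""
    def __init__(self, window: float = 10.0, threshold: int = 20, entropy_floor: float = 7.0):
        self.window, self.threshold, self.entropy_floor = window, threshold, entropy_floor
        self._creates: Dict[str, Deque[float]] = defaultdict(deque)
        self._deletes: Dict[str, Deque[float]] = defaultdict(deque)

    def _trim(self, q: Deque[float], now: float) -> None:
        while q and now - q[0] > self.window:
            q.popleft()

    def feed(self, ev: FileEvent) -> Optional[str]:
        if ev.op == "delete":
            self._deletes[ev.process].append(ev.ts)
        elif ev.op == "create":
            ext = ev.path.rsplit(".", 1)[-1].lower() if "." in ev.path else ""
            if ext not in COMMON_EXTENSIONS and shannon_entropy(ev.content) >= self.entropy_floor:
                self._creates[ev.process].append(ev.ts)
        c, d = self._creates[ev.process], self._deletes[ev.process]
        for q in (c, d):
            self._trim(q, ev.ts)
        if len(c) >= self.threshold and len(d) >= self.threshold:
            return f"{ev.process}: {len(c)} high-entropy novel files and {len(d)} deletes in {self.window}s"
        return None

def run_simulation() -> Tuple[Optional[str], int]:
    """A word processor saves three documents, then an encryptor writes a .locked copy of each file and
    deletes the original. Returns the first alert and how many files were already encrypted when it fired."""
    rng = random.Random(1)                       # deterministic stand-in for ciphertext
    det = RansomwareBurstDetector()
    for i in range(3):
        det.feed(FileEvent(float(i), "winword.exe", "create", f"report{i}.docx", b"Quarterly text " * 300))
    for i in range(1, 101):
        t = 5.0 + i * 0.05
        ciphertext = bytes(rng.getrandbits(8) for _ in range(4096))
        alert = det.feed(FileEvent(t, "encryptor.exe", "create", f"report{i}.docx.locked", ciphertext))
        alert = alert or det.feed(FileEvent(t, "encryptor.exe", "delete", f"report{i}.docx"))
        if alert:
            return alert, i
    return None, 100
```

With the default threshold of 20 the alert fires after 20 files are already encrypted, which is the cost of a threshold-based rule; the canary-file approach described above fires on the first touch of a monitored file and complements this logic.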
### Cryptojacking Detection
Resource hijacking detection targets the resource consumption signature of mining activity: sustained high CPU or GPU utilization outside business hours, network connections to known cryptocurrency mining pools, and unexpected cloud compute instance launches. In cloud environments, cost anomaly detection is a high-value complementary control: unauthorized compute instance launches produce billing spikes that are detectable through cloud cost monitoring before the security team identifies the underlying cause.
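The three signals in the paragraph above, off-hours CPU saturation, unexpected instance launches and a billing spike against a rolling baseline, as an added Python example that is not a cloud provider's anomaly service; the business-hours window, host names, principals, instance-type labels and daily costs are constructed assumptions.

```python
"""Cryptojacking (T1496) signals over constructed telemetry: off-hours CPU, unexpected
instance launches and a daily-cost spike against a rolling median/MAD baseline."""
import statistics
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple

BUSINESS_HOURS = range(8, 19)   # 08:00-18:59 local time (assumed for this demo)

@dataclass(frozen=True)
class CpuSample:
    ts: datetime
    host: str
    cpu_pct: float

@dataclass(frozen=True)
class InstanceLaunch:
    ts: datetime
    principal: str
    instance_type: str
    count: int

def sustained_offhours_cpu(samples: List[CpuSample], pct: float = 90.0, run_len: int = 6) -> List[str]:
    """Hosts with `run_len` consecutive off-hours samples at or above `pct` CPU (samples ordered per host)."""
    flagged, run = [], {}
    for s in samples:
        busy_offhours = s.ts.hour not in BUSINESS_HOURS and s.cpu_pct >= pct
        run[s.host] = run.get(s.host, 0) + 1 if busy_offhours else 0
        if run[s.host] == run_len:
            flagged.append(s.host)
    return flagged

def cost_spike(daily_cost: List[float], k: float = 3.0, baseline_days: int = 14) -> Optional[Tuple[int, float]]:
    """First day whose spend exceeds median + k*MAD of the preceding window; returns (index, ratio to median)."""
    for i in range(baseline_days, len(daily_cost)):
        window = daily_cost[i - baseline_days:i]
        med = statistics.median(window)
        mad = statistics.median(abs(x - med) for x in window) or 0.05 * med  # guard flat baselines
        if daily_cost[i] > med + k * mad:
            return i, daily_cost[i] / med
    return None

def unexpected_launches(launches: List[InstanceLaunch], known: Set[str], bulk: int = 10) -> List[InstanceLaunch]:
    """Launches by a principal with no launch history, outside business hours, or in bulk."""
    return [l for l in launches
            if l.principal not in known or l.ts.hour not in BUSINESS_HOURS or l.count >= bulk]

# Constructed telemetry. web-01 pegs its CPU at 02:00; build-01 pegs it during the workday.
T0 = datetime(2025, 3, 10, 2, 0)
CPU_SAMPLES = [CpuSample(T0 + timedelta(minutes=10 * i), "web-01", 97.0) for i in range(8)] + \
              [CpuSample(T0 + timedelta(hours=9, minutes=10 * i), "build-01", 96.0) for i in range(8)]
DAILY_COST = [1200, 1180, 1230, 1195, 1210, 1175, 1220, 1205, 1190, 1215, 1185, 1225, 1200, 1210, 9800]
LAUNCHES = [
    InstanceLaunch(datetime(2025, 3, 10, 10, 5), "ci-deploy", "cpu-large", 2),
    InstanceLaunch(datetime(2025, 3, 10, 3, 14), "contractor-tmp", "gpu-xlarge", 40),
]
KNOWN_PRINCIPALS = {"ci-deploy"}

if __name__ == "__main__":
    print(sustained_offhours_cpu(CPU_SAMPLES), cost_spike(DAILY_COST), unexpected_launches(LAUNCHES, KNOWN_PRINCIPALS))
```

The build server saturating CPU during the workday is deliberately not flagged; the value of these rules comes from pairing them, since a cost spike on the same day as a bulk off-hours launch by an unfamiliar principal is far stronger evidence than any one signal.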
## CDA Perspective
### TID Detections for Impact Techniques Are the Last Line Before Irreversible Damage
Predictive Defense Intelligence (PDI) operates on the principle of early detection: seeing the threat before it achieves its objective. For impact techniques, this principle has an urgency that does not apply at earlier kill chain stages. A missed discovery detection delays the investigation. A missed impact technique detection allows irreversible damage to execute.
CDA's TID detection engineering prioritizes impact precursor behaviors, the techniques that immediately precede impact technique execution, as the highest-priority detection scenarios. VSS deletion is the clearest example: it almost exclusively appears in ransomware attack chains and almost always precedes encryption. A detection that fires on VSS deletion and triggers immediate endpoint isolation can interrupt a ransomware deployment before encryption begins.
Mission TID-H01 (threat detection engineering) explicitly includes detection rules for TA0040 impact technique precursors as a required component of detection engineering coverage. The detection objective is not to detect ransomware while it is encrypting files. It is to detect the backup deletion and shadow copy removal that always precedes ransomware encryption.
### DPS Backup Integrity Verification Is the Recovery Capability
The DPS domain (Data Protection and Sovereignty) and its methodology, Sovereign Data Protocol (SDP), address the recovery side of the impact equation. "Your data lives where you decide. Period." In the context of ransomware resilience, this means: your backup data exists in locations you control, locations the attacker cannot reach and delete.
DPS mission DPS-B01 (backup architecture assessment) evaluates backup infrastructure against ransomware-resilient standards: immutability (can the backup be deleted by a compromised account?), isolation (is the backup reachable from the production network?), completeness (does the backup cover all critical systems?), and recoverability (has the backup been tested and verified to be restorable within required recovery time objectives?).
The TID and DPS domains operate in a defined relationship for ransomware scenarios: TID detection fires on precursor behaviors and triggers incident response, while DPS backup integrity determines whether the response includes a viable recovery path. Organizations that invest in TID detection without ensuring DPS backup integrity face a scenario where they detect the attack early enough to see it happening but lack the recovery capability to restore without paying the ransom.
## Key Takeaways
- Impact (MITRE ATT&CK TA0040) is the tactic where attacker objectives become damage. The spectrum runs from reversible (ransomware with intact backups) to irreversible (wiper malware, physical destruction), and the position on that spectrum determines whether recovery is possible.
- Inhibit System Recovery (T1490), specifically VSS deletion, is nearly universal in ransomware attacks and almost always precedes encryption. VSS deletion is a high-confidence, high-priority detection signal that should trigger immediate containment.
- Wiper malware (T1485) has no decryption key. WhisperGate (Ukraine, 2022) and NotPetya (2017) are canonical examples of nation-state destructive operations where payment is not an option and restoration from backup is the only recovery path.
- Ransomware operators delete backups first because backup integrity is the only factor that makes the ransom demand ineffective. Immutable, isolated backups are the most important ransomware resilience control available.
- TID detection for TA0040 targets precursor behaviors (VSS deletion, backup software console access, rapid file modification) rather than the impact technique itself. Detecting the precursor provides more response time before irreversible damage executes.
- DPS backup integrity verification is the recovery capability that determines whether impact technique execution results in a manageable incident or an existential event.
## Related Articles
- Collection Techniques (MITRE ATT&CK TA0009)
- Ransomware Defense and Recovery
- Change Healthcare Ransomware Attack (Case Study)
- Colonial Pipeline Ransomware Attack (Case Study)
- Sovereign Data Protocol (SDP) Deep Dive
- Backup Architecture for Ransomware Resilience
## Sources
MITRE ATT&CK. "Impact (TA0040)." MITRE Corporation, 2024. https://attack.mitre.org/tactics/TA0040/
CISA. "StopRansomware: ALPHV Blackcat (AA23-353A)." CISA, 2023. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-353a
Microsoft Security Response Center. "Destructive Malware Targeting Ukrainian Organizations." Microsoft, 2022. https://msrc.microsoft.com/blog/2022/01/
Sandvik, Runa. "NotPetya: How a Russian Malware Created the World's Worst Cyberattack." Wired, 2019. https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/
Mandiant. "M-Trends 2024 Special Report." Google Cloud, 2024. https://www.mandiant.com/m-trends
CISA. "Advisory: ALPHV Blackcat Affiliates and Change Healthcare (AA24-131A)." CISA, 2024. https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a
CDA, LLC. "Sovereign Data Protocol (SDP) Methodology Reference." CDA Canon, 2026.
CDA, LLC. "Predictive Defense Intelligence (PDI) Methodology Reference." CDA Canon, 2026.