AN0603: Analytic 0603
Encryption via custom or open-source tools (e.g., openssl, gpg, aescrypt) recursively targeting user or system directories. Also includes overwrite of existing data and ransom note drops.
Analyst context for executives and security teams
This analytic matters because it describes Linux host activity consistent with data encryption at scale: custom or common tools such as openssl, gpg, or aescrypt recursively encrypting user or system directories, potentially overwriting data and dropping ransom notes. For leaders, the decision value is not attribution; it is whether the organization can see, contain, and recover from destructive encryption behavior before business-critical Linux services, file stores, or operational systems are materially disrupted.
Executive priority
Prioritize this as an operational resilience and incident response readiness question for Linux environments. Executives should ask whether critical Linux systems have endpoint/file activity telemetry, tested backup and restore paths, and clear escalation criteria for rapid mass-encryption behavior. Because the ATT&CK object provides no tactic, relationship, or official detection logic, this should be treated as a validation prompt for control coverage rather than evidence of a specific threat campaign.
Technical view
SOC and detection teams should validate monitoring for Linux processes invoking encryption utilities or unknown binaries against broad directory trees, especially when paired with high-volume file rewrites, extension or content changes, and ransom note creation. IR teams should confirm they can quickly identify affected paths, running processes, parent process context, user account context, and whether overwrite behavior occurred. Tuning should account for legitimate administrative encryption, backup, archive, and compliance workflows that may use openssl, gpg, or similar tools.
Likely telemetry
- Linux process execution events, including command-line arguments and parent process context
- File creation, modification, rename, overwrite, and deletion activity across user and system directories
- High-volume or recursive filesystem activity indicators
- User/session context for processes performing encryption-related actions
- Ransom note file creation evidence, such as unusual text or instruction files appearing across directories
Detection direction
- Validate whether Linux endpoint telemetry captures command lines for openssl, gpg, aescrypt, and custom or unknown encryption binaries.
- Correlate encryption-tool execution with recursive access to user or system directories and large volumes of file modifications or overwrites.
- Look for ransom note drops in multiple directories as corroborating evidence rather than relying on tool name alone.
- Create allowlists or baselines for approved encryption, backup, and administrative jobs to reduce false positives.
- Test visibility on critical Linux servers specifically; workstation-focused telemetry may miss the business systems where this behavior is most damaging.
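The detection direction above reduces to a correlation rule: an encryption utility (or an unknown binary) that rewrites many files across several directory trees, corroborated by ransom-note-like files appearing in more than one directory, with approved backup jobs baselined out. The following is an added example of that logic, not code from MITRE, Glexia, or the ATT&CK object; the event shapes, thresholds, allowlist entries, and sample telemetry are constructed assumptions, and a real deployment would read process and file events from auditd, eBPF, or an EDR feed instead.

```python
"""Added example (not from the ATT&CK object or Glexia): toy detection logic
for AN0603-style behaviour on Linux. It flags a process that is an encryption
utility or an unknown binary, rewrites many files across several directory
trees, and drops ransom notes. Event shapes, thresholds, the allowlist and
the sample data are all constructed assumptions."""
import os
import re
from collections import defaultdict
from dataclasses import dataclass

ENCRYPTION_TOOLS = {"openssl", "gpg", "gpg2", "aescrypt"}
PACKAGE_PATHS = ("/usr/bin", "/usr/sbin", "/bin", "/sbin")
# Assumed allowlist of approved jobs: (user, executable, parent executable).
APPROVED_JOBS = {("backup", "/usr/bin/gpg", "/usr/sbin/cron")}
RANSOM_NOTE_RE = re.compile(r"(readme|recover|decrypt|restore).*\.(txt|html)$", re.I)
MIN_FILES_REWRITTEN = 20   # assumed volume threshold
MIN_DISTINCT_DIRS = 3      # assumed breadth threshold
MIN_NOTE_DIRS = 2          # a note in >= 2 directories corroborates the tool name

@dataclass
class Finding:
    pid: int
    user: str
    exe: str
    parent_exe: str
    files_rewritten: int
    overwrites: int
    directories: list
    ransom_note_dirs: list
    reasons: list

def top_dir(path, depth=2):
    """Collapse /home/alice/docs/a.txt to /home/alice so breadth is counted per tree."""
    return "/" + "/".join(path.strip("/").split("/")[:depth])

def is_encryption_tool(exe):
    """Known encryption utility, or an unknown binary outside package-managed paths."""
    if os.path.basename(exe) in ENCRYPTION_TOOLS:
        return True
    return not any(exe.startswith(p + "/") for p in PACKAGE_PATHS)

def detect(process_events, file_events):
    """Correlate per-pid file activity with process context and return findings."""
    procs = {p["pid"]: p for p in process_events}
    stats = defaultdict(lambda: {"rewrites": 0, "overwrites": 0, "dirs": set(), "notes": set()})
    for ev in file_events:
        s = stats[ev["pid"]]
        if ev["op"] in ("modify", "rename"):       # content rewritten or extension changed
            s["rewrites"] += 1
            s["dirs"].add(top_dir(ev["path"]))
        if ev["op"] == "modify":                   # existing data overwritten in place
            s["overwrites"] += 1
        if ev["op"] == "create" and RANSOM_NOTE_RE.search(os.path.basename(ev["path"])):
            s["notes"].add(os.path.dirname(ev["path"]))
    findings = []
    for pid, s in stats.items():
        p = procs.get(pid)
        if p is None or not is_encryption_tool(p["exe"]):
            continue
        parent = procs.get(p["ppid"], {}).get("exe", "unknown")
        if (p["user"], p["exe"], parent) in APPROVED_JOBS:
            continue                               # baselined administrative job
        reasons = []
        if s["rewrites"] >= MIN_FILES_REWRITTEN and len(s["dirs"]) >= MIN_DISTINCT_DIRS:
            reasons.append(f"{s['rewrites']} rewrites across {len(s['dirs'])} directory trees")
        if len(s["notes"]) >= MIN_NOTE_DIRS:
            reasons.append(f"ransom-note-like file created in {len(s['notes'])} directories")
        if reasons:
            findings.append(Finding(pid, p["user"], p["exe"], parent, s["rewrites"],
                                    s["overwrites"], sorted(s["dirs"]), sorted(s["notes"]), reasons))
    return findings

def sample_events():
    """Constructed telemetry: an approved cron/gpg backup, a one-off admin openssl
    call, and an unknown binary rewriting three directory trees."""
    procs = [
        {"pid": 100, "ppid": 1, "user": "root", "exe": "/usr/sbin/cron"},
        {"pid": 101, "ppid": 100, "user": "backup", "exe": "/usr/bin/gpg"},
        {"pid": 200, "ppid": 1, "user": "admin", "exe": "/usr/bin/openssl"},
        {"pid": 300, "ppid": 1, "user": "www-data", "exe": "/usr/bin/bash"},
        {"pid": 301, "ppid": 300, "user": "www-data", "exe": "/tmp/.cache/enc"},
    ]
    files = [{"pid": 101, "op": "modify", "path": f"/srv/backup/db/dump{i}.sql"} for i in range(30)]
    files.append({"pid": 200, "op": "modify", "path": "/etc/ssl/private/site.key"})
    for tree in ("/home/alice/docs", "/home/bob/docs", "/srv/www/site"):
        for i in range(9):
            files.append({"pid": 301, "op": "modify", "path": f"{tree}/f{i}"})
            files.append({"pid": 301, "op": "rename", "path": f"{tree}/f{i}.locked"})
        files.append({"pid": 301, "op": "create", "path": f"{tree}/README_RECOVER.txt"})
    return procs, files

if __name__ == "__main__":
    for f in detect(*sample_events()):
        print(f"pid={f.pid} user={f.user} exe={f.exe} parent={f.parent_exe}")
        print(f"  rewrites={f.files_rewritten} overwrites={f.overwrites}")
        print(f"  trees={f.directories} notes_in={f.ransom_note_dirs}")
        print("  reasons: " + "; ".join(f.reasons))
```

On the sample data only the unknown binary under /tmp produces a finding; the cron-launched gpg job is suppressed by the allowlist rather than by its tool name, and the single openssl call stays below the volume threshold. The finding carries the parent process, user, affected trees, and overwrite count that the IR items above ask responders to establish quickly.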
Mitigation priorities
- Ensure critical Linux systems are covered by endpoint logging or EDR capable of process and file activity collection.
- Maintain tested, recoverable backups with appropriate separation from systems that could be encrypted or overwritten.
- Restrict unnecessary use of encryption utilities and execution of unapproved binaries on sensitive Linux hosts where operationally feasible.
- Harden privileged access and service account usage so broad directory encryption requires strong authorization and is more visible.
- Define incident runbooks for rapid isolation, evidence preservation, scope assessment, and recovery when mass file encryption is suspected.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic for Linux and describes encryption via custom or open-source tools, recursive targeting of user or system directories, overwrite of existing data, and ransom note drops. There are no supplied relationships, tactics, mitigations, procedure examples, or official detection text, so this assessment focuses on defensive validation and telemetry readiness rather than campaign-specific interpretation.
This assessment is limited to the supplied STIX fields and external reference for AN0603. It does not establish active exploitation, attribution, prevalence, impact, or guaranteed detection. Local environment context is required to distinguish malicious encryption from legitimate encryption, backup, archival, or administrative activity.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | cc4e36b64071… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN0603 (open source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.