AN0604: Analytic 0604
Userland or kernel-level ransomware encrypting user files (Documents, Desktop) using `srm`, `gpg`, or compiled payloads. Often correlated with ransom note creation in multiple directories.
Analyst context for executives and security teams
This analytic describes macOS ransomware-like file encryption behavior affecting user areas such as Documents and Desktop, potentially using tools such as `srm`, `gpg`, or a compiled payload, with ransom note creation as supporting context. For leaders, the decision value is not attribution; it is whether the organization can quickly see, contain, and recover from destructive encryption activity on macOS endpoints before user productivity and evidence are lost.
Executive priority
Prioritize this as an operational resilience and incident response readiness question for macOS fleets. Executives should ask whether macOS endpoint telemetry, backup/recovery processes, and SOC playbooks can distinguish unusual mass file modification/encryption and ransom note creation from legitimate administrative or user activity. This also supports audit and compliance evidence around endpoint monitoring, recovery readiness, and response procedures for disruptive malware scenarios.
Technical view
SOC and detection teams should validate visibility on macOS file activity in user directories, process execution involving `srm`, `gpg`, and unknown or newly introduced compiled binaries, and creation of ransom-note-like files across multiple directories. Because the mirrored data for this analytic carries no official detection logic and no relationships, teams should treat it as a behavioral validation target rather than a complete rule. Detection should correlate process execution, file write/rename/delete patterns, and repeated note creation in user paths, keyed on the process that performs them rather than on any single command name.
Likely telemetry
- macOS endpoint process execution telemetry
- File creation, modification, rename, and deletion events in user directories such as Documents and Desktop
- Command-line arguments for processes such as `srm` and `gpg`, where available
- Metadata for unknown or newly observed compiled executables on macOS endpoints
- Events showing creation of similarly named files across multiple directories, consistent with ransom note placement
Detection direction
- Validate whether macOS telemetry captures both process execution and file-system activity in user-controlled directories.
- Correlate high-volume or rapid file changes with suspicious process context instead of relying on a single command or filename.
- Review legitimate uses of `gpg`, secure deletion tools, developer utilities, backup tools, and administrative scripts to reduce false positives.
- Look for repeated ransom-note-like file creation across directories as supporting evidence, not as a standalone conclusion.
- Test whether detection coverage includes compiled payloads that do not rely on `srm` or `gpg`, since the description includes compiled ransomware payloads.
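The correlation described in the detection direction above, run over constructed macOS endpoint events as an added example (this is not ATT&CK detection logic and not code from the page's source). It assumes a normalized event shape with a timestamp, pid, process path, command line, file operation and file path; the process names, user paths, thresholds and the ransom-note filename are constructed for the example. A legitimate `gpg` run, a slow build writing many files, and a backup daemon touching many files outside user directories are included so the rate-per-process and multi-directory-note signals can be seen separating them from the burst that encrypts and renames user files.

```python
"""Correlate per-process file-change bursts in macOS user directories with
repeated ransom-note-like file creation. Added example with constructed
telemetry; the event shape, thresholds and names are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Only Documents and Desktop under a user home count as "user directories" here.
USER_DIR_RE = re.compile(r"^/Users/[^/]+/(Documents|Desktop)(/|$)")
FILE_OPS = {"create", "modify", "rename", "delete"}


def constructed_events():
    """Constructed sample telemetry (not captured from a real host)."""
    base = datetime(2026, 1, 10, 9, 0, 0)
    events = []

    def add(offset, pid, proc, args, op, path):
        events.append({"ts": base + timedelta(seconds=offset), "pid": pid,
                       "proc": proc, "args": args, "op": op, "path": path})

    # Legitimate: a user encrypts two documents with gpg a minute apart.
    add(0, 501, "/usr/local/bin/gpg", "gpg -e -r alice report.docx",
        "create", "/Users/alice/Documents/report.docx.gpg")
    add(60, 501, "/usr/local/bin/gpg", "gpg -e -r alice budget.xlsx",
        "create", "/Users/alice/Documents/budget.xlsx.gpg")
    # Legitimate: a build writes 50 object files into Documents over 10 minutes.
    for i in range(50):
        add(120 + i * 12, 620, "/usr/bin/clang", "clang -c obj.c",
            "create", f"/Users/alice/Documents/proj/build/obj{i}.o")
    # Legitimate: a backup daemon touches many files quickly, but outside user dirs.
    for i in range(100):
        add(300 + i, 88, "/System/Library/CoreServices/backupd", "",
            "create", f"/Volumes/Backup/2026/snapshot/f{i}")
    # Suspicious (constructed): an unknown binary renames 40 user files to
    # .locked in about 30 seconds and drops the same note into four directories.
    dirs = ["/Users/alice/Documents", "/Users/alice/Documents/proj",
            "/Users/alice/Desktop", "/Users/alice/Desktop/photos"]
    for i in range(40):
        add(900 + i * 0.75, 777, "/private/tmp/.cache/update", "./update --run",
            "rename", f"{dirs[i % 4]}/file{i}.pdf.locked")
    for j, d in enumerate(dirs):
        add(935 + j, 777, "/private/tmp/.cache/update", "./update --run",
            "create", f"{d}/READ_ME_TO_RECOVER.txt")
    return events


def burst_pids(events, window=timedelta(seconds=60), threshold=20):
    """Return {pid: peak count} for pids whose user-dir file ops exceed
    `threshold` inside any sliding `window`. Rate, not total volume, is what
    separates the 40-file burst from the 50-file build."""
    by_pid = defaultdict(list)
    for e in events:
        if e["op"] in FILE_OPS and USER_DIR_RE.match(e["path"]):
            by_pid[e["pid"]].append(e["ts"])
    hits = {}
    for pid, stamps in by_pid.items():
        stamps.sort()
        best, start = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best > threshold:
            hits[pid] = best
    return hits


def note_candidates(events, min_dirs=3):
    """Basenames created by one pid in at least `min_dirs` distinct user
    directories, the supporting signal for ransom note placement."""
    seen = defaultdict(set)  # (pid, basename) -> directories written to
    for e in events:
        if e["op"] == "create" and USER_DIR_RE.match(e["path"]):
            directory, _, name = e["path"].rpartition("/")
            seen[(e["pid"], name)].add(directory)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_dirs}


def correlate(events):
    """One alert per pid that trips either signal; both together is high."""
    bursts = burst_pids(events)
    notes = note_candidates(events)
    procs = {e["pid"]: e["proc"] for e in events}
    alerts = []
    for pid in sorted(set(bursts) | {pid for pid, _ in notes}):
        names = sorted(name for p, name in notes if p == pid)
        alerts.append({"pid": pid, "proc": procs[pid], "burst": bursts.get(pid, 0),
                       "notes": names,
                       "severity": "high" if pid in bursts and names else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in correlate(constructed_events()):
        print(alert)
```

The window and threshold are starting points to tune against a local baseline; the point of keying both signals on the pid is that a single `gpg` invocation or a large build never produces a burst of this shape, while a compiled payload that never touches `srm` or `gpg` still does.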
Mitigation priorities
- Ensure recoverable, tested backups for macOS user data and define restoration decision points for ransomware scenarios.
- Harden macOS endpoint controls to limit unauthorized execution where appropriate, especially for unknown compiled binaries.
- Restrict and monitor use of destructive file utilities and encryption tools when they are not required for business workflows.
- Maintain endpoint detection coverage for macOS file and process behavior, not only signature-based malware alerts.
- Prepare IR playbooks for rapid isolation of affected macOS systems, evidence preservation, and user communication during suspected encryption events.
Analyst notes and limits
This object is a detection analytic, not a technique record. It applies to macOS and describes ransomware-style encryption of user files with possible use of `srm`, `gpg`, or compiled payloads, plus ransom note creation. No ATT&CK tactics, relationships, or official detection text were supplied, so local engineering must define the actual detection logic and thresholds.
The supplied ATT&CK fields do not provide detection pseudocode, data sources, tactic mapping, adversary relationships, impact scope, or evidence of active exploitation. Any production detection should be validated against local macOS baselines, approved tool usage, and available endpoint telemetry.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 73bc7ac7b673… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0604
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.