DET0678: Detection of Data Encrypted for Impact
Analyst context for executives and security teams
DET0678 is a mobile ATT&CK detection strategy for identifying behavior associated with Android data being encrypted for impact. For leaders, the significance is operational: if a mobile device contains business data, credentials, communications, or field-operation records, encryption that blocks user access can create disruption even without broader enterprise compromise. Because MITRE provides no official detection text for this strategy, organizations should treat it as a validation prompt rather than a ready-made analytic.
Executive priority
Prioritize this as a mobile resilience and incident-readiness issue where Android devices support business operations, executive communications, regulated workflows, or field activity. Leaders should ask whether mobile endpoint visibility, backup/recovery expectations, user reporting paths, and incident escalation procedures are sufficient to handle suspected mobile ransomware or destructive encryption events. This object also highlights an audit and governance question: can the organization show evidence that mobile impact scenarios are monitored, triaged, and recoverable?
Technical view
This detection strategy detects ATT&CK technique T1471, Data Encrypted for Impact, in the mobile domain. The related technique is scoped to Android and describes adversaries encrypting files stored on a mobile device to prevent user access, potentially for ransom or permanent denial of access. Because the ATT&CK object has no official detection logic, SOC and IR teams should validate locally available Android telemetry and define what observable evidence would distinguish malicious bulk encryption or access denial from normal app behavior, device policy actions, user-initiated encryption, or storage errors.
Likely telemetry
- Android device management or enterprise mobility management alerts and inventory state
- Mobile endpoint/security agent events, where deployed
- File access, file modification, or abnormal volume of file-change indicators available from managed mobile tooling
- Application installation, permission, and behavioral telemetry for apps interacting with user files
- User reports of inaccessible files, ransom messages, unexpected lockout, or sudden data loss
Detection direction
- Confirm whether Android mobile telemetry is collected centrally and retained long enough to investigate suspected encryption-for-impact events.
- Develop triage logic around sudden user-file inaccessibility, unusual file modification patterns, suspicious app behavior, or ransom-style user-visible artifacts, using only telemetry available in the environment.
- Tune for false positives from legitimate encryption, enterprise device policy enforcement, backup/sync conflicts, app updates, storage corruption, or user-initiated file protection.
- Correlate device symptoms with recent app installation, permission changes, device compliance changes, and user reports rather than relying on a single indicator.
- Validate escalation paths from help desk or mobile support into SOC/IR, since user-reported loss of access may be the first practical signal.
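One way to implement the correlation described above (a burst of file modifications on one device joined to a recent install or permission grant for the same app, with sanctioned backup or sync apps allowlisted), as an added example that is not part of the ATT&CK object or Glexia's analysis; the event schema, package names, thresholds and allowlist are all assumed and the telemetry is constructed inline:

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample telemetry in an assumed, simplified schema (ts, device, app, type);
# real MDM or mobile-agent events must be mapped onto these four fields first.
def _burst(device, app, start, n):
    return [{"ts": (start + timedelta(seconds=5 * i)).isoformat(), "device": device,
             "app": app, "type": "file_modify"} for i in range(n)]

def _ctx(device, app, when, kind):
    return {"ts": when.isoformat(), "device": device, "app": app, "type": kind}

T0 = datetime(2024, 5, 1, 9, 0, 0)
EVENTS = (
    # dev-1: app installed and granted file access shortly before a modification burst
    [_ctx("dev-1", "com.example.locker", T0 - timedelta(hours=2), "app_install"),
     _ctx("dev-1", "com.example.locker", T0 - timedelta(hours=1), "permission_grant")]
    + _burst("dev-1", "com.example.locker", T0, 25)
    # dev-2: sanctioned backup client doing a large sync (allowlisted below)
    + _burst("dev-2", "com.example.backup", T0, 40)
    # dev-3: editor installed a month ago saving many files; burst but no recent context
    + [_ctx("dev-3", "com.example.editor", T0 - timedelta(days=30), "app_install")]
    + _burst("dev-3", "com.example.editor", T0, 25)
)
TRUSTED_APPS = {"com.example.backup"}  # assumed allowlist of sanctioned backup/sync apps

def find_bulk_modification_alerts(events, threshold=20, burst_window=timedelta(minutes=5),
                                  context_window=timedelta(hours=24), trusted=TRUSTED_APPS):
    """Alert on a (device, app) whose file-modification burst follows a recent
    install or permission grant; a burst or a new app alone never alerts."""
    mods, context = defaultdict(list), defaultdict(list)
    for e in events:
        key, t = (e["device"], e["app"]), datetime.fromisoformat(e["ts"])
        # non-modification events (install, permission grant) are kept as context
        (mods if e["type"] == "file_modify" else context)[key].append(t)
    alerts = []
    for (device, app), times in mods.items():
        if app in trusted:
            continue
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > burst_window:
                start += 1
            if end - start + 1 < threshold:
                continue
            recent = [c for c in context[(device, app)]
                      if timedelta(0) <= times[start] - c <= context_window]
            if recent:
                alerts.append({"device": device, "app": app, "modifications": end - start + 1,
                               "burst_start": times[start].isoformat(), "context_events": len(recent)})
            break  # one alert per device/app is enough for triage
    return alerts
```

Only dev-1 alerts: the allowlisted backup client and the long-installed editor produce bursts without qualifying context, which is the false-positive tuning the direction above calls for.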
Mitigation priorities
- Ensure Android devices that handle business data are managed and inventoried so responders can identify affected users and devices quickly.
- Maintain recoverability through approved backup, sync, or data preservation processes appropriate to mobile business use cases.
- Restrict unmanaged or high-risk applications and review permissions that allow broad access to user files where mobile management controls support it.
- Define incident playbooks for suspected mobile data encryption, including isolation, preservation, user communication, and recovery decisions.
- Use tabletop or validation exercises to confirm that SOC, mobile administration, help desk, and incident response teams can coordinate on Android impact events.
Analyst notes and limits
The most important decision point is not the existence of DET0678 itself, but whether the organization can observe and respond to Android data becoming inaccessible at scale or on high-value devices. This should be mapped into mobile security operations, incident response, and business continuity planning for environments where mobile devices carry operationally important data.
MITRE supplies no official description, detection text, tactics, or platforms on the detection strategy object itself. The Android platform and behavior details come from the relationship to T1471, Data Encrypted for Impact. Local device management, mobile telemetry, backup architecture, and business use of Android devices are required to determine practical coverage.
Detection of Data Encrypted for Impact
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1471 | Data Encrypted for Impact | This object detects Data Encrypted for Impact. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | affe3ad655b5… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack DET0678 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.