T1679: Selective Exclusion
Adversaries may intentionally exclude certain files, folders, directories, file types, or system components from encryption or tampering during a ransomware or malicious payload execution. Some file extensions that adversaries may avoid encrypting include `.dll`, `.exe`, and `.lnk`.[1]
Adversaries may perform this behavior to avoid alerting users, to evade detection by security tools and analysts, or, in the case of ransomware, to ensure that the system remains operational enough to deliver the ransom notice.
Exclusions may target files and components whose corruption would cause instability, break core services, or immediately expose the attack. By carefully avoiding these areas, adversaries maintain system responsiveness while minimizing indicators that could trigger alarms or otherwise inhibit achieving their goals.
Analyst context for executives and security teams
Selective Exclusion is the choice by malware, including ransomware or destructive payloads, to avoid encrypting or tampering with specific Windows files, folders, extensions, or system components. For leaders, the significance is that a system may appear partly functional while damage is still underway, which can delay user reporting, SOC escalation, and incident containment decisions.
Executive priority
Treat this as a resilience and incident-response readiness issue, not just a malware detail. Excluding files such as executables, links, libraries, or stability-critical components can help an attack continue long enough to display a ransom note, avoid immediate crashes, or reduce obvious alarms. Executives should ask whether endpoint telemetry, ransomware playbooks, and recovery testing can identify abnormal large-scale file activity even when the host remains operational.
Technical view
ATT&CK lists this as a Windows stealth technique with no official detection text, but it is linked to detection strategy DET0897 and to multiple malware/software entries including Medusa Ransomware, InvisibleFerret, Embargo, SameCoin, DynoWiper, and LazyWiper. SOC and IR teams should validate whether detection logic looks for selective patterns in file modification, overwrite, deletion, or encryption activity, especially cases where high-volume file operations consistently skip certain extensions, directories, or system components.
Likely telemetry
- Endpoint file creation, modification, overwrite, deletion, and rename events on Windows systems
- Process execution and command-line telemetry associated with bulk file operations
- EDR or anti-malware behavioral telemetry showing ransomware-like or destructive file access patterns
- File extension, path, and directory-level statistics during suspected encryption or tampering events
- Incident artifacts such as ransom notes, payload logs, scripts, or observed exclusion lists when available
Detection direction
- Validate coverage for abnormal high-volume file operations that spare specific extensions such as `.dll`, `.exe`, or `.lnk`, as noted in the ATT&CK description.
- Tune detections to identify exclusion patterns rather than only total file encryption or deletion volume; selective behavior may leave the system usable and reduce obvious breakage.
- Use relationship context from DET0897 as the ATT&CK-linked detection strategy reference, while confirming local implementation because the technique itself provides no official detection text.
- Reduce false positives by comparing against legitimate backup, indexing, security scanning, and administrative maintenance processes that may also apply path or extension exclusions.
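As an added example (not part of the ATT&CK object or of the Glexia analysis), the following Python sketches the detection direction above: it aggregates endpoint file events per process, counts modifying operations, and compares the extensions a high-volume process actually modified against the extensions present in the directories it touched, so that a process which rewrites dozens of documents while never touching `.exe`, `.dll` or `.lnk` files stands out. It also applies a process allowlist so that a legitimate backup or archiving tool with its own extension exclusions is reported as allowlisted rather than suspicious. The event records, the directory inventory, the process names (`svc_update.exe`, `archiver.exe`, `backup.exe`) and the allowlist are all constructed assumptions, not real telemetry.

```python
"""Added example: flag bulk file tampering that consistently spares specific
extensions, and compare against an allowlist of legitimate bulk-file processes.
All telemetry, paths and process names below are constructed for illustration."""
from collections import defaultdict
from pathlib import PureWindowsPath

# File actions that count towards "bulk tampering" volume; reads are ignored.
MODIFYING = {"write", "rename", "delete", "create"}
# Extensions whose consistent absence from a bulk operation is interesting.
SPARED_OF_INTEREST = {".exe", ".dll", ".lnk"}
# Constructed allowlist of processes known to do legitimate bulk file work
# with their own extension exclusions (backup, indexing, AV). Tune locally.
KNOWN_BULK_BENIGN = {"archiver.exe", "searchindexer.exe", "msmpeng.exe"}

# Constructed pre-incident inventory (directory -> file names present). In a
# real investigation this would come from an MFT parse or filesystem snapshot.
INVENTORY = {
    r"C:\Users\alice\Documents": [f"report{i}.docx" for i in range(15)]
    + [f"sheet{i}.xlsx" for i in range(10)]
    + ["helper.dll", "tool.exe", "Shortcut.lnk"],
    r"C:\Users\alice\Desktop": [f"photo{i}.jpg" for i in range(12)]
    + ["Launch.lnk", "app.exe"],
}


def ext_of(path):
    """Lower-cased extension of a Windows path ('' if none)."""
    return PureWindowsPath(path).suffix.lower()


def dir_of(path):
    """Parent directory of a Windows path, as a string matching INVENTORY keys."""
    return str(PureWindowsPath(path).parent)


def build_events():
    """Constructed file events shaped like EDR telemetry:
    (process_image, action, source_path, rename_target_or_None)."""
    events = []
    for d, names in INVENTORY.items():
        for name in names:
            p = str(PureWindowsPath(d, name))
            events.append(("backup.exe", "read", p, None))  # reads only
            if ext_of(p) not in {".exe", ".dll", ".lnk"}:
                # Ransomware-like: overwrite then rename documents, skip binaries/links.
                events.append(("svc_update.exe", "write", p, None))
                events.append(("svc_update.exe", "rename", p, p + ".locked"))
                # Legitimate archiver that also skips binaries by policy (false-positive case).
                events.append(("archiver.exe", "write", p, None))
    for d in INVENTORY:  # ransom note dropped in every touched directory
        events.append(("svc_update.exe", "create",
                       str(PureWindowsPath(d, "README_RESTORE.txt")), None))
    events.append(("notepad.exe", "write",
                   r"C:\Users\alice\Documents\report0.docx", None))  # ordinary user edit
    return events


def analyze(events, inventory, min_ops=20, benign=KNOWN_BULK_BENIGN,
            spared_of_interest=SPARED_OF_INTEREST):
    """Return one finding per process that performed modifying operations.
    A process is 'suspicious' when it performs at least min_ops modifying
    operations and, across the directories it touched, never modifies an
    extension of interest that was present there."""
    ops = defaultdict(int)
    dirs = defaultdict(set)
    touched_ext = defaultdict(set)
    for proc, action, path, _target in events:
        if action not in MODIFYING:
            continue
        ops[proc] += 1
        dirs[proc].add(dir_of(path))
        touched_ext[proc].add(ext_of(path))

    findings = []
    for proc in sorted(ops):
        present = set()
        for d in dirs[proc]:
            present.update(ext_of(n) for n in inventory.get(d, []))
        spared = (present - touched_ext[proc]) & spared_of_interest
        if ops[proc] < min_ops:
            verdict = "below_threshold"
        elif not spared:
            verdict = "bulk_no_exclusion"
        elif proc.lower() in benign:
            verdict = "allowlisted"
        else:
            verdict = "suspicious"
        findings.append({"process": proc, "ops": ops[proc],
                         "dirs": sorted(dirs[proc]),
                         "modified_exts": sorted(touched_ext[proc]),
                         "spared_exts": sorted(spared), "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in analyze(build_events(), INVENTORY):
        print(f["process"], f["ops"], f["verdict"], f["spared_exts"])
```

The volume threshold and the allowlist are the two tuning points: the first separates bulk activity from ordinary editing, the second absorbs backup, indexing and security-scanning processes that legitimately apply their own exclusions, which is where most false positives for this pattern come from.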
Mitigation priorities
- Prioritize rapid containment and tested recovery for Windows endpoints where bulk file tampering is observed, even if the host remains responsive.
- Ensure endpoint controls and monitoring are configured to capture file operation behavior at sufficient fidelity for ransomware and wiper investigations.
- Review incident response runbooks so analysts do not treat partial system functionality as evidence that destructive activity has stopped.
- Maintain recovery evidence and backup validation for critical files and services, since selective exclusion may be used to preserve enough system function for adversary objectives.
Analyst notes and limits
The supplied ATT&CK object frames this as a stealth behavior used during ransomware or malicious payload execution. Relationship context broadens relevance across ransomware, wiper, and malware families, but it should not be read as proof of exposure in any specific environment. Local telemetry is required to determine whether selective exclusion can be detected or reconstructed after an incident.
Official ATT&CK detection guidance is not provided for T1679. The object is limited to the Windows platform, and any extension, directory, or component exclusions should be validated from observed telemetry or malware artifacts rather than assumed universally.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Groups, software, and campaigns
G1055: VOID MANTICORE
VOID MANTICORE is a threat group assessed to operate on behalf of Iran’s Ministry of Intelligence and Security (MOIS).[1] Active since at least mid-2022, VOID MANTICORE has targeted government entities, critical infrastructure, and private sector organizations across Albania, Israel, and the United States.[1][2] VOID MANTICORE conducts destructive cyber operations, combining wiper attacks with hack-and-leak campaigns. The group has operated under multiple public-facing personas, including HomeLand Justice in operations against Albania, Karma and Karma Below in campaigns targeting Israeli organizations, and Handala Hack, its current primary persona, which has claimed activity against Israeli and U.S. entities, including a March 2026 attack against Stryker Corporation.[1][3] VOID MANTICORE has been observed collaborating with Scarred Manticore, which has been linked to initial access operations preceding VOID MANTICORE’s activity.[4]
S9039: LazyWiper
LazyWiper is a destructive malware observed targeting a manufacturing sector company during the 2025 Poland Wiper Attacks. LazyWiper is a native Windows PowerShell script that is believed to have been generated by a large language model (LLM). LazyWiper overwrites files on the system using the C# function `WriteRandomBytes()` and can target multiple specific file types by their extensions.[1]
S1244: Medusa Ransomware
Medusa Ransomware has been utilized in attacks since at least 2021. Medusa Ransomware has been known to be utilized in conjunction with living off the land techniques and remote management software. Medusa Ransomware has been used in campaigns associated with “double extortion” ransomware activity, where data is exfiltrated from victim environments prior to encryption, with threats to publish files if a ransom is not paid. Medusa Ransomware software was initially a closed ransomware variant which later evolved to a Ransomware as a Service (RaaS). Medusa Ransomware has impacted victims from a diverse range of sectors within a multitude of countries, and it is assessed Medusa Ransomware is used in an opportunistic manner.[1][2][3][4]
S9038: DynoWiper
DynoWiper is a destructive malware associated with the Poland Wiper Attacks of December 2025. DynoWiper is a native Windows binary that is distributed by a PowerShell script and overwrites files using data generated by the Mersenne Twister algorithm before they are deleted from the system. Multiple variants of DynoWiper have been identified, with the primary differences being that one variant shuts down the system after completing its destructive operations, and another introduces a time delay between file overwriting and deletion.[1][2]
S1245: InvisibleFerret
InvisibleFerret is a modular Python malware that is leveraged for data exfiltration and remote access capabilities.[1][2][3] InvisibleFerret consists of four modules: main, payload, browser, and AnyDesk.[1] InvisibleFerret malware has been leveraged by North Korea-affiliated threat actors identified as DeceptiveDevelopment or Contagious Interview since 2023.[4][2][3][5] InvisibleFerret has historically been introduced to the victim environment through the use of the BeaverTail malware.[6][1][2][3][5]
S1247: Embargo
Embargo is a ransomware variant written in Rust that has been active since at least May 2024.[1][2] Embargo ransomware operations are associated with “double extortion” ransomware activity, where data is exfiltrated from victim environments prior to encryption, with threats to publish files if a ransom is not paid.[1][2] Embargo ransomware has been known to be delivered through a loader known as MDeployer which also leverages a malware component known as MS4Killer that facilitates termination of processes operating on the victim hosts.[2] Embargo is also reportedly a Ransomware as a Service (RaaS).[2]
S9030: SameCoin
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 2.0 | Current bundle | a500382be0c3… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Palo Alto Unit 42 Medusa Group Medusa Ransomware January 2024: Anthony Galiette, Doel Santos. (2024, January 11). Medusa Ransomware Turning Your Files into Stone. Retrieved October 15, 2025.
[2] mitre-attack T1679
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.