⚠️ MITRE ATT&CK: Tactic TA0040 – Impact: When Attackers Turn Damage Into a Goal
- bharat kumar
- Oct 30
- 3 min read

Impact is the phase where adversaries intentionally disrupt, degrade, or destroy systems and data to achieve their objectives — whether that’s financial gain (ransom), sabotage, or a show of force. Unlike earlier stages that focus on access and stealth, Impact is loud, visible, and often costly.
You might be wondering about the jump from TA0011 to TA0040. That is because MITRE has recently added the new tactics TA0040, TA0042 & TA0043. TA0040 is the post-attack phase, while TA0042 & TA0043 are pre-attack phases, which we will discuss next.
🔎 Types of Impact (what attackers do)
- Data encryption / ransomware: Attackers encrypt files and demand payment for the key. This both denies access and pressures victims to pay.
- Data destruction / wiping: Permanent deletion or corruption of data to render systems unusable (wipers).
- Service stoppage / denial of service: Taking critical services offline — can be targeted (stopping a domain controller) or broad (DDoS).
- Data manipulation / sabotage: Altering records, logs, or data to cause wrong outcomes (financial loss, safety failures, regulatory problems).
- Defacement / reputational attacks: Replacing website or user-facing content to embarrass or signal control.
- Resource hijacking: Using compromised hosts for cryptomining or other resource drain that harms performance and availability.
- Operational technology (OT) sabotage / safety impact: Tampering with industrial systems, controllers, or safety processes that can cause physical damage or risk to human safety.
🧾 Real-world examples (short & instructive)
- WannaCry (2017) — widespread ransomware that encrypted files across organizations worldwide and disrupted healthcare services.
- NotPetya (2017) — masqueraded as ransomware but functioned as a destructive wiper, causing major business interruptions and permanent data loss.
- Colonial Pipeline (2021) — ransomware incident that led to fuel-distribution disruptions and broad economic impact.
- Shamoon (multiple years) — destructive wiper targeting critical enterprise systems in the Middle East.
- TRITON / TRISIS (2017) — malware targeting industrial safety systems, demonstrating real-world risks to physical safety.
🛡️ Recommendations — reduce impact, shorten recovery
1. Harden for resilience (before an incident)
- Maintain regular, tested backups — keep copies offline or air-gapped and test restores frequently.
- Use immutable backups and protect backup credentials from being accessible to attackers.
- Apply least privilege across accounts and services to limit the damage blast radius.
2. Network and architecture controls
- Segment networks (especially separate OT from IT and isolate backup systems).
- Implement strict egress filtering and limit the external services that systems can reach.
- Use application allowlisting where feasible to reduce unauthorized execution.
3. Detection and containment
- Deploy EDR/XDR and central logging; monitor for signs of encryption, mass file changes, or unusual process behavior.
- Detect and alert on rapid file renames/compressions/archiving and mass deletions.
- Use integrity monitoring for critical files and configuration baselines.
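As an added example (not code from the original post), the following Python script implements the "rapid file renames and mass deletions" rule from this section as a sliding-window counter per host and process, run over constructed file-event lines. The pipe-delimited event format, process names, window and threshold values are assumptions; real EDR telemetry would be mapped into `parse_event`.

```python
"""Sliding-window detector for ransomware-style bursts of file renames and
deletions. Added example, not from the original post; the pipe-delimited
event format and the sample log below are constructed for illustration."""
from collections import defaultdict, deque, namedtuple

WINDOW_SECONDS = 10    # look-back window per (host, process)
BURST_THRESHOLD = 20   # renames + deletes inside the window that trigger an alert
NOISY_ACTIONS = {"rename", "delete"}
Alert = namedtuple("Alert", "host process first_ts last_ts count extensions")

def parse_event(line):
    """Parse 'epoch|host|process|action|path'; return None for malformed lines."""
    parts = line.strip().split("|")
    if len(parts) != 5 or not parts[0].isdigit():
        return None
    ts, host, proc, action, path = parts
    return int(ts), host, proc, action.lower(), path

def detect_bursts(lines):
    """Return one Alert per (host, process) whose rename/delete count reaches
    BURST_THRESHOLD within any WINDOW_SECONDS span. Events must be time-ordered."""
    windows = defaultdict(deque)   # (host, process) -> deque of (ts, path)
    alerted, alerts = set(), []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev[3] not in NOISY_ACTIONS:
            continue  # writes/creates are too common to count; renames and deletes only
        ts, host, proc, _, path = ev
        key = (host, proc)
        q = windows[key]
        q.append((ts, path))
        while ts - q[0][0] > WINDOW_SECONDS:   # drop events older than the window
            q.popleft()
        if len(q) >= BURST_THRESHOLD and key not in alerted:
            alerted.add(key)   # alert once per process, not once per event
            exts = {p.rsplit(".", 1)[-1].lower() for _, p in q if "." in p}
            alerts.append(Alert(host, proc, q[0][0], ts, len(q), tuple(sorted(exts))))
    return alerts

# Constructed sample: a few benign cleanup deletes, then one process renaming 25 files.
SAMPLE_LOG = [
    "1700000000|ws01|explorer.exe|write|C:\\Users\\a\\notes.txt",
    "1700000001|ws01|cleanup.exe|delete|C:\\Temp\\old1.tmp",
    "1700000002|ws01|cleanup.exe|delete|C:\\Temp\\old2.tmp",
] + [f"17000000{10 + i // 10}|ws01|enc.exe|rename|C:\\Users\\a\\doc{i}.docx.locked"
     for i in range(25)]

if __name__ == "__main__":
    for a in detect_bursts(SAMPLE_LOG):
        print(a)
```

The two cleanup deletions stay below the threshold, while the renaming process trips the rule on its 20th event and the alert records the destination extension, which is the value a responder would pivot on when triaging.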
4. Incident preparedness & playbooks
- Maintain an Incident Response (IR) plan that includes specific playbooks for ransomware, wipers, OT incidents, and extortion.
- Conduct tabletop exercises with IT, OT, legal, PR, and business owners to coordinate decisions (e.g., backups, containment, communications).
- Pre-authorize technical containment steps so defenders can act quickly.
5. Recovery & continuity
- Prioritize mission-critical systems in recovery plans and maintain clear RTO/RPO goals.
- Keep an offline inventory of software licenses, images, and build materials needed to rebuild systems.
- Consider redundant supply chains and alternative manual workarounds for essential business functions.
6. OT / safety-specific measures
- Isolate safety controllers and apply strict change control for OT systems.
- Monitor for anomalous commands to PLCs/ICS and test safety interlocks independently of networked systems.
7. Governance, legal & communications
- Prepare stakeholder & public communications templates for rapid, transparent messaging.
- Know your regulatory reporting obligations (data breach, operational impacts) beforehand.
- Engage legal counsel familiar with cyber incidents and consider cyber insurance as part of your risk strategy (review policies before incidents).
✅ Final thoughts
Impact is the most visible — and often most damaging — phase of an attack. The best defense is resilience: assume compromise is possible, invest in fast detection, segment and protect recovery assets, and practice your response so you can restore operations quickly and safely.