Re: a bit off topic, how to find encrytped files (ransom attack)

Fri, 05 Aug 2022 08:48:18 -0700 

>>> "RJHvG" == Robert J Hansen via Gnupg-users <gnupg-users@gnupg.org> writes:

>> 3. I could use the ent command which measure the entropy, high
>> entropy is an indication of encryption (but jpg have also high
>> entropy). However I should then study the distribution of each
>> letter to be sure.

> A JPEG *body* has high entropy.  The JPEG *header* has very low
> entropy.   That's a relatively good way to spot container files: you
> look for a low-entropy header followed by high-entropy data.  Zip
> files, tar.bz2 files, JPEG files, MPEG, the rest, they're all
> detectable this way.

> However, the output of a straight-up block cipher operating in any
> modern mode (no ECB!) is going to be totally indistinguishable from a
> random number generator for any reasonably-sized file.

I see this can can very sophisticated very quickly, but 

    1. just for the first very rough analysis what is a convenient command to 
get a list of files that have high entropy?

For example 

find . -iname '*.*' -follow -print -exec ent {} \;

Displays to much information that is hard to follow, so I should filter it 
somehow like

ent test.tex.gpg

| Entropy = 7.997062 bits per byte.                                             
  | that line could be candidate |
| Optimum compression would reduce the size of this 64224 byte file by 0  
percent | another candidate            |
| Monte Carlo value for Pi is 3.142376682 (error 0.02 percent)                  
  | last candidate               |

I also run 

Ent test.tex

| Entropy = 5.133812 bits per byte.                                             
   | candidate |
| Optimum compression would reduce the size of this 214555 byte file by 35 
percent | candidate |
| Monte Carlo value for Pi is 3.999888140 (error 27.32 percent)                 
   | candidate |


So I am not sure what is the best line, but the question boils down to this, 
anybody know enough sed or awk or whatsoever to 
tell me how ot filter the ent output?

thanks

Uwe Brauer 






-- 
I strongly condemn Putin's war of aggression against the Ukraine.
I support to deliver weapons to Ukraine's military. 
I support the ban of Russia from SWIFT.
I support the EU membership of the Ukraine.

Attachment: smime.p7s
Description: S/MIME cryptographic signature

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Reply via email to