a bit off topic, how to find encrytped files (ransom attack)
Robert J. Hansen
rjh at sixdemonbag.org
Thu Aug 4 20:00:32 CEST 2022
> 3. I could use the ent command which measure the entropy, high
> entropy is an indication of encryption (but jpg have also high
> entropy). However I should then study the distribution of each
> letter to be sure.
A JPEG *body* has high entropy. The JPEG *header* has very low entropy.
That's a relatively good way to spot container files: you look for a
low-entropy header followed by high-entropy data. Zip files, tar.bz2
files, JPEG files, MPEG, the rest, they're all detectable this way.
However, the output of a straight-up block cipher operating in any
modern mode (no ECB!) is going to be totally indistinguishable from a
random number generator for any reasonably-sized file.
More information about the Gnupg-users