a bit off topic, how to find encrypted files (ransom attack)

Robert J. Hansen rjh at sixdemonbag.org
Thu Aug 4 20:00:32 CEST 2022


>      3. I could use the ent command which measure the entropy, high
>         entropy is an indication of encryption (but jpg have also high
>         entropy). However I should then study the distribution of each
>         letter to be sure.

A JPEG *body* has high entropy. The JPEG *header* has very low entropy. 
That's a relatively good way to spot container files: you look for a 
low-entropy header followed by high-entropy data. Zip files, tar.bz2 
files, JPEG files, MPEG, the rest, they're all detectable this way.

However, the output of a straight-up block cipher operating in any 
modern mode (no ECB!) is going to be totally indistinguishable from a 
random number generator for any reasonably-sized file.
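The header/body entropy split described above, written out as an added example (not code from the thread, and not GnuPG's own); it uses only the Python standard library. The 512-byte header window and the 5.0/7.0 bits-per-byte thresholds are assumptions chosen for this example, the JPEG-like header and the log-style text are constructed inputs, and the random body standing in for compressed image data plus the SHA-256-based keystream standing in for a block cipher in a modern mode are stand-ins rather than real files or a real cipher:

```python
"""
Header/body entropy split for telling container files from ciphertext.

Added example, not from the mailing-list thread. Stdlib only. The
JPEG-like header, the "compressed" body and the CTR-style keystream are
constructed stand-ins, not real files or a real cipher.
"""
import hashlib
import math
import random
from collections import Counter

HEADER_LEN = 512      # bytes treated as the "header" (assumption for this example)
LOW, HIGH = 5.0, 7.0  # bits/byte thresholds (assumed; tune to the header window size)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def split_entropy(data: bytes, header_len: int = HEADER_LEN) -> tuple[float, float]:
    """Entropy of the first header_len bytes and of everything after them."""
    return shannon_entropy(data[:header_len]), shannon_entropy(data[header_len:])


def classify(data: bytes) -> str:
    """Coarse verdict following the header/body heuristic from the thread.

    low header  + high body -> "container"      (zip, jpeg, bz2, mpeg, ...)
    high header + high body -> "random-looking" (ciphertext in a modern mode,
                                                  or raw random data)
    anything else           -> "plain"
    """
    header, body = split_entropy(data)
    if header < LOW and body > HIGH:
        return "container"
    if header > HIGH and body > HIGH:
        return "random-looking"
    return "plain"


def toy_ctr_encrypt(data: bytes, key: bytes, nonce: bytes) -> bytes:
    """Stand-in for a block cipher in CTR mode: keystream block i is
    SHA-256(key | nonce | i), XORed over 32-byte chunks. It reproduces the
    statistical property under discussion (output indistinguishable from
    random, header included) and is its own inverse; it is not a cipher to
    deploy."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + offset.to_bytes(8, "big")).digest()
        out.extend(p ^ k for p, k in zip(data[offset:offset + 32], block))
    return bytes(out)


_rng = random.Random(2022)  # seeded so the samples are reproducible

# Constructed JPEG-like file: SOI + APP0/JFIF marker, zero-padded to a
# 512-byte low-entropy header, then 64 KiB of random bytes standing in
# for the high-entropy compressed image body.
JPEG_LIKE = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
).ljust(HEADER_LEN, b"\x00") + _rng.randbytes(64 * 1024)

# Constructed plaintext: a repetitive log-style text file (~68 KB).
TEXT_LIKE = b"".join(b"2022-08-04 line %06d: status=ok\n" % i for i in range(2000))

# The same text after "encryption": header and body both look random, so the
# header/body trick cannot tell it from random data.
ENCRYPTED_LIKE = toy_ctr_encrypt(TEXT_LIKE, key=b"k" * 32, nonce=b"n" * 16)


if __name__ == "__main__":
    for name, blob in (("jpeg-like", JPEG_LIKE),
                       ("text", TEXT_LIKE),
                       ("encrypted", ENCRYPTED_LIKE)):
        h, b = split_entropy(blob)
        print(f"{name:10s} header={h:.2f} body={b:.2f} -> {classify(blob)}")
```

Running it prints one line per sample: the JPEG-like blob scores near 0 bits/byte for the header and close to 8 for the body ("container"), the text stays low throughout ("plain"), and the encrypted copy is high in both windows ("random-looking"). The header window must be large enough to reach high entropy at all: 512 random bytes can only show about 7.6 bits/byte, since at most 512 of 256 values are sampled, which is why the HIGH threshold here is 7.0 rather than 7.9.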

More information about the Gnupg-users mailing list