a bit off topic, how to find encrytped files (ransom attack)

Karl Auer kauer at biplane.com.au
Fri Aug 5 01:45:38 CEST 2022

On Thu, 2022-08-04 at 18:58 +0200, Uwe Brauer via Gnupg-users wrote:
> How can I find say encrypted files in my home directory?

What an interesting exercise! Got me thinking. I'm a total crypto
ignoramus, so take all this with a grain of salt...

I don't think there is any truly reliable way, but a combination of ent
and a relevant expectation might work. For example, if you run ent on a
.txt file, you do not expect to see high entropy, so you would throw
that file up as suspicious. If you run file on a .jpg file, you expect
to see it identified as a JPEG file, so if it is not, you throw it up
as suspicious. Then you manually check files that your system has
identified as suspicious.

Another way to approach it would be to take hashes of all your files
and store the hashes securely (read-only!). You can then compare a
current hash with the known hash, and if the hash has changed, the file
has changed. This is not that good for frequently changing files, but
frequently changing files that are suddenly encrypted are probably
going to be very obvious.

And a third method would be a "canary" or two. Put some tasty-looking
files in your home directory, and regularly check them for changes. If
they ever unexpectedly change, you know to take action.

Anyway - if you come op with a good method, let us know!

Regards, K.

PS: I remember reading a while ago someone writing that as a
technological society advances, its communications become more and more
like random noise, because they will tend to be encrypted and
compressed. The writer was saying this might be one reason we haven't
found life out there - because we can't tell their transmissions apart
from random noise :-)

Karl Auer (kauer at biplane.com.au)

GPG fingerprint: 61A0 99A9 8823 3A75 871E 5D90 BADB B237 260C 9C58
Old fingerprint: 2561 E9EC D868 E73C 8AF1 49CF EE50 4B1D CCA1 5170

More information about the Gnupg-users mailing list