a bit off topic, how to find encrytped files (ransom attack)

Uwe Brauer oub at mat.ucm.es
Fri Aug 5 17:45:53 CEST 2022

>>> "RJHvG" == Robert J Hansen via Gnupg-users <gnupg-users at gnupg.org> writes:

>> 3. I could use the ent command which measure the entropy, high
>> entropy is an indication of encryption (but jpg have also high
>> entropy). However I should then study the distribution of each
>> letter to be sure.

> A JPEG *body* has high entropy.  The JPEG *header* has very low
> entropy.   That's a relatively good way to spot container files: you
> look for a low-entropy header followed by high-entropy data.  Zip
> files, tar.bz2 files, JPEG files, MPEG, the rest, they're all
> detectable this way.

> However, the output of a straight-up block cipher operating in any
> modern mode (no ECB!) is going to be totally indistinguishable from a
> random number generator for any reasonably-sized file.

I see this can can very sophisticated very quickly, but 

    1. just for the first very rough analysis what is a convenient command to get a list of files that have high entropy?

For example 

find . -iname '*.*' -follow -print -exec ent {} \;

Displays to much information that is hard to follow, so I should filter it somehow like

ent test.tex.gpg

| Entropy = 7.997062 bits per byte.                                               | that line could be candidate |
| Optimum compression would reduce the size of this 64224 byte file by 0  percent | another candidate            |
| Monte Carlo value for Pi is 3.142376682 (error 0.02 percent)                    | last candidate               |

I also run 

Ent test.tex

| Entropy = 5.133812 bits per byte.                                                | candidate |
| Optimum compression would reduce the size of this 214555 byte file by 35 percent | candidate |
| Monte Carlo value for Pi is 3.999888140 (error 27.32 percent)                    | candidate |

So I am not sure what is the best line, but the question boils down to this, anybody know enough sed or awk or whatsoever to 
tell me how ot filter the ent output?


Uwe Brauer 

I strongly condemn Putin's war of aggression against the Ukraine.
I support to deliver weapons to Ukraine's military. 
I support the ban of Russia from SWIFT.
I support the EU membership of the Ukraine. 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5673 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20220805/bba51211/attachment.bin>

More information about the Gnupg-users mailing list