a bit off topic, how to find encrypted files (ransom attack)

Joel Rees joel.rees at gmail.com
Thu Aug 11 02:07:55 CEST 2022

This whole thread is a bit, well cause to ponder ..., and beef a little ...

On Fri, Aug 5, 2022 at 2:40 AM Uwe Brauer via Gnupg-users
<gnupg-users at gnupg.org> wrote:
> Hi
> I apologize for this message that can be a bit off topic.
> (I am on Ubuntu 16.04)

(Running off to see how much longer that's going to be supported.)

> How can I find say encrypted files in my home directory?

You have encrypted files you aren't tracking? That's a good way to
lose data or whatever was in them.

> The idea is to
> use some magic command together with the find command.
> I know

Magic seems to me to be opposed to the purpose of encryption, but I
guess if that's what you want that's what you want.

>     1. The file command will return for example for a gpg encrypted file
>        file .authinfo.gpg
>        .authinfo.gpg: PGP RSA encrypted
>     2. However for X509 file I obtain
>        file test.p12
>        file.p12: data
>     3. I could use the ent command which measure the entropy, high
>        entropy is an indication of encryption (but jpg have also high
>        entropy). However I should then study the distribution of each
>        letter to be sure.

As has been pointed out, entropy is orthogonal to the question of encryption.

> So is there any other way to run find and some other script to find
> suspicious files? Google is not really helpful

Suspicious files?

Oh. Okay, you or somebody you know has been sloppy and wants to recover.

As you should note from the responses so far, there is no magic solution.

Figure out what is important on the compromised system and work from there.

It used to be a lot simpler, and I could give you a list of steps to
go through, but these days you have to think about compromised BIOS
and compromised media and I/O controllers and such. And the system
with the symptoms is quite possibly not the only compromised system on
your network.

Which I guess may be why you are hoping for magic.

Still, powering the system down, looking for other compromised systems
on the network, removing the media and taking a raw image, deciding
what's important on the compromised media and what can just be thrown
away, etc.

Deciding what's important is an essential step, because you won't know
how to go looking for it if you don't know what you're looking for.

And everything else just has to be tossed -- physically discarded.

Unless you're willing to play craps, in which case, you might consider
paying the people who (hopefully) know where they hid stuff --
although I'd hope you would first consider contacting your local
police or whoever you trust to be able to help, and volunteer to
cooperate in using your data as a trap to catch the miscreants.

Joel Rees
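The question in the quoted message (walk a directory, spot OpenPGP and PKCS#12 files whether or not `file` recognises them, and see why raw entropy is not a useful signal) as an added Python example; this is not code from the thread or from GnuPG. The OpenPGP packet tags follow RFC 4880, and the PKCS#12 check assumes the usual DER prefix `SEQUENCE { INTEGER 3, ... }`.

```python
import math
import os
from collections import Counter

# OpenPGP packet tags that mark encrypted material (RFC 4880, section 4.3).
PGP_ENCRYPTED_TAGS = {1: "pubkey-encrypted session key",
                      3: "symkey-encrypted session key",
                      9: "symmetrically encrypted data",
                      18: "sym. encrypted integrity-protected data"}

def pgp_packet_tag(data: bytes):
    """Tag of the first OpenPGP packet, or None if byte 0 is not a packet header."""
    if not data or not data[0] & 0x80:      # bit 7 is set on every packet header
        return None
    if data[0] & 0x40:                       # new-format header: tag in low 6 bits
        return data[0] & 0x3F
    return (data[0] >> 2) & 0x0F             # old-format header: tag in bits 5..2

def looks_like_pkcs12(data: bytes) -> bool:
    """PKCS#12 is DER: SEQUENCE, then INTEGER version 3. `file` calls this 'data'."""
    if len(data) < 6 or data[0] != 0x30:
        return False
    offset = 2 if data[1] < 0x80 else 2 + (data[1] & 0x7F)   # short or long length form
    return data[offset:offset + 3] == b"\x02\x01\x03"

def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0..8. Compressed data (jpg, zip) scores as high as ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(data: bytes) -> str:
    """Classify the first bytes of a file: structure first, entropy only as a hint."""
    tag = pgp_packet_tag(data)
    if tag in PGP_ENCRYPTED_TAGS:
        return "openpgp: " + PGP_ENCRYPTED_TAGS[tag]
    if looks_like_pkcs12(data):
        return "pkcs12 container (possibly password-protected)"
    ent = shannon_entropy(data)
    if data[:3] == b"\xff\xd8\xff":          # JPEG SOI marker: high entropy, not encrypted
        return f"jpeg (entropy {ent:.2f}, high but not encrypted)"
    if ent > 7.5:
        return f"high entropy {ent:.2f}: encrypted OR compressed, inspect by hand"
    return f"low entropy {ent:.2f}: unlikely to be encrypted"

def scan(root: str):
    """Yield (path, verdict) for every readable file under root, reading 64 KiB each."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    yield path, classify(fh.read(65536))
            except OSError:
                continue
```

Run `for p, v in scan(os.path.expanduser("~")): print(v, p)` to triage a home directory; anything in the "high entropy" bucket still needs a human look, which is the point the reply makes about entropy.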
