a bit off topic, how to find encrypted files (ransom attack)
Erich Eckner
gnupg at eckner.net
Thu Aug 4 21:03:25 CEST 2022
On Thu, 4 Aug 2022, Jan Eden via Gnupg-users wrote:
> Hi,
>
> I just check for a list of ransomware filename patterns (e.g.
> *.cryptotorlocker*).
>
> Best regards,
> Jan
>
> On 2022-08-04 18:58, Uwe Brauer via Gnupg-users wrote:
>>
>>
>> Hi
>>
>> I apologize for this message that can be a bit off topic.
>> (I am on Ubuntu 16.04)
>>
>> How can I find say encrypted files in my home directory? The idea is to
>> use some magic command together with the find command.
>> I know
>>
>> 1. The file command will return for example for a gpg encrypted file
>> file .authinfo.gpg
>> .authinfo.gpg: PGP RSA encrypted
>>
>> 2. However for X509 file I obtain
>> file test.p12
>> file.p12: data
>>
>> 3. I could use the ent command which measures the entropy; high
>> entropy is an indication of encryption (but jpgs also have high
>> entropy). However I should then study the distribution of each
>> letter to be sure.
>>
>> So is there any other way to run find and some other script to find
>> suspicious files? Google is not really helpful
>>
>> Regards
>>
>> Uwe Brauer
Hi Uwe,
my first thought would be to look for compressibility (or entropy, as you
suggested) of files. Encrypted files should look like good randomness,
thus not compressible. I would then eliminate the false positives (which
are most likely compressed) by checking their integrity "by protocol" -
i.e. "convert this jpeg to a bmp -> is the bmp (much) bigger than the
jpeg?"
regards,
Erich
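The compressibility heuristic Erich describes, combined with Uwe's idea of driving it from find, as an added example that is not code from the thread: it flags files that keep almost all of their size after gzip, which catches ciphertext but, as Erich notes, also already-compressed formats such as jpeg or zip. It assumes gzip and /dev/urandom are available and uses a 95% threshold and a 1 KiB minimum size that are my own choices; the sample files are constructed on the spot.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): flag files that barely
# compress, the "compressibility" heuristic from the reply above.

# Percentage of the original size that survives gzip -9 (100 = incompressible).
# Empty files report 0 so they never trip the threshold.
compressed_pct() {
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -gt 0 ] || { echo 0; return; }
    packed=$(gzip -9 -c "$1" | wc -c | tr -d ' ')
    echo $(( packed * 100 / size ))
}

# True (exit 0) when a file keeps at least THRESHOLD percent of its size after
# compression. Random-looking data (ciphertext, but also jpeg/zip/mp4) stays
# near 100; text and most documents drop far below. Default threshold: 95.
is_incompressible() {
    threshold=${2:-95}
    [ "$(compressed_pct "$1")" -ge "$threshold" ]
}

# Walk a tree with find and print suspects as "pct<TAB>path". gzip adds a
# header, so tiny files look incompressible: skip files of 1 KiB or less
# (-size +2 counts 512-byte blocks, which is the portable spelling).
scan_tree() {
    threshold=${2:-95}
    find "$1" -type f -size +2 -print | while IFS= read -r f; do
        pct=$(compressed_pct "$f")
        if [ "$pct" -ge "$threshold" ]; then
            printf '%s\t%s\n' "$pct" "$f"
        fi
    done
}

# Constructed sample data for a stand-alone run: 64 KiB of random bytes
# standing in for ciphertext, plus a plain-text file that compresses well.
make_samples() {
    mkdir -p "$1"
    dd if=/dev/urandom of="$1/secret.bin" bs=1024 count=64 2>/dev/null
    i=0
    while [ "$i" -lt 2000 ]; do
        echo "line $i: ordinary log text compresses very well" >> "$1/notes.txt"
        i=$((i + 1))
    done
}
```

Anything scan_tree lists still needs the per-format check from the reply (decode it with the tool for its claimed type) before treating it as encrypted, since a legitimate jpeg scores just like ciphertext here.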