On Thu, 4 Aug 2022, Jan Eden via Gnupg-users wrote:

Hi,

I just check for a list of ransomware filename patterns (e.g.
*.cryptotorlocker*).

Best regards,
Jan

On 2022-08-04 18:58, Uwe Brauer via Gnupg-users wrote:


Hi

I apologize for this message that can be a bit off topic.
(I am on Ubuntu 16.04)

How can I find say encrypted files in my home directory? The idea is to
use some magic command together with the find command.
I know

    1. The file command will return for example for a gpg encrypted file
       file .authinfo.gpg
       .authinfo.gpg: PGP RSA encrypted

    2. However, for an X509 file I obtain
       file test.p12
       file.p12: data

    3. I could use the ent command, which measures the entropy; high
       entropy is an indication of encryption (but jpg files also have
       high entropy). However, I should then study the distribution of
       each letter to be sure.

So is there any other way to run find and some other script to find
suspicious files? Google is not really helpful.

Regards

Uwe Brauer

Hi Uwe,

my first thought would be to look for compressibility (or entropy, as you suggested) of files. Encrypted files should look like good randomness, thus not compressible. I would then eliminate the false positives (which are most likely compressed) by checking their integrity "by protocol" - i.e. "convert this jpeg to a bmp -> is the bmp (much) bigger than the jpeg?"

regards,
Erich
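
The entropy and compressibility checks discussed in this thread, combined into one scanner, as an added example that is not part of any poster's message. The magic-number list is a cheaper stand-in for the "decode it and see" check described above; the thresholds, sample size, format list and all function names are assumptions.

```python
import math
import os
import sys
import zlib
from collections import Counter

SAMPLE = 64 * 1024          # bytes read from the start of each file (assumed)
MIN_SIZE = 4096             # entropy of tiny samples is not meaningful (assumed)
# Magic numbers of common formats that are compressed, hence high-entropy.
KNOWN_MAGIC = (b"\xff\xd8\xff", b"\x89PNG", b"PK\x03\x04", b"\x1f\x8b",
               b"BZh", b"\xfd7zXZ\x00", b"7z\xbc\xaf\x27\x1c", b"%PDF")

def entropy(data):
    """Shannon entropy in bits per byte (8.0 = uniformly random)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def compress_ratio(data):
    """Compressed size / original size; close to 1.0 means incompressible."""
    return len(zlib.compress(data, 6)) / len(data)

def classify(data):
    if len(data) < MIN_SIZE:
        return "too-small"
    if entropy(data) < 7.5 or compress_ratio(data) < 0.95:
        return "plain"
    if data.startswith(KNOWN_MAGIC):
        return "known-compressed"     # high entropy, but explained by format
    return "suspicious"               # random-looking with no known header

def scan(root):
    """Yield paths of regular files under root classified as suspicious."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path):
                continue              # skip FIFOs, sockets, broken symlinks
            try:
                with open(path, "rb") as fh:
                    verdict = classify(fh.read(SAMPLE))
            except OSError:
                continue              # unreadable file
            if verdict == "suspicious":
                yield path

if __name__ == "__main__":
    for path in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(path)
```

A header match only explains the entropy; it does not prove the file is intact, so a full decode of the flagged formats remains the stronger check.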

