Ransomware & Entropy

Published: 2015-10-18
Last Updated: 2015-10-19 07:25:46 UTC
by Didier Stevens (Version: 1)
7 comment(s)

Last time I helped out someone with ransomware over at the Bleeping Computer forums, I was able to recover the ransomed JPEG files.

A first look at the file with the file command did not help me:

file image.jpg.xxx\@yyy.zz
image.jpg.xxx@yyy.zz: data

Neither did a look at the header with a hex editor tell me much more.

But when I analyzed the file with one of my tools to calculate byte statistics (byte-stats.py), I noticed something:

The file has a high byte entropy: 7.815519, that's almost the maximum (8.0). So the file appears to be a set of random bytes, e.g. an encrypted file.

But my program not only calculates the entropy for the whole file (along with other properties), but it also splits the file in buckets (10KB size by default) and calculates the entropy (and other properties) for each bucket. The second entropy value produced by the analysis (5.156678) is the lowest entropy calculated for the buckets (85 in total for this file). And an entropy of 5 is much lower than the entropy of encrypted or compressed data. So somewhere in this file there is data that doesn't look very random.

A picture is worth a thousand words is the saying. bytes-stats.py can also output the entropy for each bucket (option -l), which enabled me to produce this graph:

Somewhere around position 0x5000, data doesn't look random. I took a look with my hex editor, and quickly recognized JPEG structures. What was missing were the first headers of a JPEG file. So I patched a file together with the header of a JPEG file followed by the data recovered from the ransomed file. And to my surprise, I had recovered the image.

I had no luck when I analyzed a ransomed .doc file from the same victim:

The entropy of this file looks uniformly high.

I often look at the entropy when I analyze files. Many of my analysis tools include entropy calculations. For example, pecheck.py provides the entropy of each section of a PE file, allowing me to quickly identify packed sections.

Didier Stevens
Microsoft MVP Consumer Security
IT Security consultant at Contraste Europe.
blog.DidierStevens.com DidierStevensLabs.com

Keywords: ransomware
7 comment(s)

Security Awareness for Security Professionals

Published: 2015-10-18
Last Updated: 2015-10-18 19:47:58 UTC
by Russell Eubanks (Version: 1)
4 comment(s)
During Cyber Security Awareness Month (CSAM), we develop campaigns for our coworkers that attempt to encourage them to stop clicking on links and  reusing their passwords. These are good reminders for us as information security professionals even though we focus on these topics during the other 11 months of the year.
 
Is it possible that we too can improve our security awareness during this month? Can we as security professionals use this time to “sharpen our saw” and do things that can increase our awareness of our information security programs? 
 
One very non-technical event caused me consider this topic. My son found his old bicycle in the garage recently and wanted to ride it in the neighborhood. As he was getting up to speed, he suddenly and unexpectedly realized the handlebars had become disconnected. He had a firm grip on what he needed to successfully control the bike, but the handlebars were no longer effectively controlling his navigation.
 
With that example in mind, how aware are you of the effectiveness of your information security program? What systems do you have in place to let you know when your security posture changes? What reminders and automation do you need to create that will increase your awareness before blindly depend on your tools? By dedicating sometimes marginal effort you can develop near real time awareness capabilities that will confirm the effectiveness of your information security program.  
 
Below are just a few examples where increased security awareness would be very helpful to you as an information security professional.
  •  Ensure the running configurations on your network equipment have not changed
  •  Ensure you know within a few minutes when a new administrative account is added
  •  Ensure you know within a few hours if a device stops sending logs to your syslog server
 
What are you personally doing to make sure that you as a security professional are most aware of the things that matter the most? Use the comments field to share what works!
Keywords: security awareness
4 comment(s)

Comments

What's this all about ..?

Anonymous

Dec 3rd 2022
9 months ago

password reveal .

Anonymous

Dec 3rd 2022
9 months ago

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure:

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.

<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission

Anonymous

Dec 26th 2022
9 months ago

https://thehomestore.com.pk/

Anonymous

Dec 26th 2022
9 months ago

<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>

Anonymous

Dec 26th 2022
9 months ago

<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>

Anonymous

Dec 26th 2022
9 months ago

https://defineprogramming.com/

Anonymous

Dec 26th 2022
9 months ago

https://defineprogramming.com/

https://defineprogramming.com/

Dec 26th 2022
9 months ago

Enter comment here... a fake TeamViewer page, and that page led to a different type of malware. This week's infection involved a downloaded JavaScript (.js) file that led to Microsoft Installer packages (.msi files) containing other script that used free or open source programs.
distribute malware. Even if the URL listed on the ad shows a legitimate website, subsequent ad traffic can easily lead to a fake page. Different types of malware are distributed in this manner. I've seen IcedID (Bokbot), Gozi/ISFB, and various information stealers distributed through fake software websites that were provided through Google ad traffic. I submitted malicious files from this example to VirusTotal and found a low rate of detection, with some files not showing as malware at all. Additionally, domains associated with this infection frequently change. That might make it hard to detect.
https://clickercounter.org/

https://defineprogramming.com/

Dec 26th 2022
9 months ago

Enter corthrthmment here...

rthrth

Jan 2nd 2023
8 months ago

Login here to join the discussion.


Diary Archives