
SANS ISC: Radare2: rahash2 - SANS Internet Storm Center SANS ISC InfoSec Forums

Radare2: rahash2

Radare2 is an open-source reverse-engineering framework.

Some time ago I wrote about recovering ransomed pictures. By calculating the entropy of the ransomed files with my byte-stats tool, I could see that the file was not completely encrypted.

rahash2 is one of the tools in the Radare2 framework. As its name implies, it calculates (cryptographic) hashes, but it is quite versatile. For example, it will also calculate entropy:

And like my tool, it can also split the file into blocks and calculate the entropy for each block. You do this with option -b blocksize, and it will also produce a nice ASCII-art graph:
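The per-block entropy idea described above, as an added Python example that is not part of the original diary and is not rahash2's or byte-stats' own code. It computes Shannon entropy (bits per byte) for each block of a constructed, partially encrypted sample and measures how far the high-entropy region extends; the 1024-byte block size, the 7.0 threshold and all function names are assumptions made for illustration.

```python
import hashlib
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 = constant, 8.0 = uniform)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())

def block_entropies(data: bytes, blocksize: int):
    """Return a list of (offset, entropy) pairs, one per block."""
    return [(off, shannon_entropy(data[off:off + blocksize]))
            for off in range(0, len(data), blocksize)]

def encrypted_prefix_length(data: bytes, blocksize: int, threshold: float = 7.0) -> int:
    """Number of bytes covered by the leading run of high-entropy blocks.

    The threshold is an assumed cut-off: encrypted data sits close to 8.0,
    while the plaintext in this sample stays well below 7.0.
    """
    length = 0
    for off, ent in block_entropies(data, blocksize):
        if ent < threshold:
            break
        length = min(off + blocksize, len(data))
    return length

def ascii_graph(data: bytes, blocksize: int, width: int = 40) -> str:
    """One line per block: offset, entropy, and a bar scaled to 8 bits."""
    return "\n".join(f"0x{off:08x} {ent:5.2f} {'#' * round(ent / 8.0 * width)}"
                     for off, ent in block_entropies(data, blocksize))

# Constructed sample: 4096 pseudo-random bytes standing in for the encrypted
# start of a file, followed by 12288 bytes of repetitive plaintext.
ENCRYPTED_PART = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                          for i in range(128))
PLAIN_PART = (b"Constructed plaintext region of a sample picture file. " * 300)[:12288]
SAMPLE = ENCRYPTED_PART + PLAIN_PART

if __name__ == "__main__":
    print(ascii_graph(SAMPLE, 1024))
    print("high-entropy prefix:", encrypted_prefix_length(SAMPLE, 1024), "bytes")
```

A whole-file entropy value would average the two regions together; the per-block view is what exposes the boundary where the high-entropy data stops.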

If you have interesting tips for rahash2 (or other Radare2 tools), please post a comment.

Didier Stevens
Microsoft MVP Consumer Security


ISC Handler
Oct 10th 2016
First I applaud you on your efforts for the countermeasure, and while I do myself consider activities like this a logic puzzle, so even if it was for a mundane issue (this one isn't) it is interesting nonetheless. I must say that things like ransomware are so counterproductive for society as a whole; it just wastes resources that could be spent on better things, and time that could be so much more valuable in another field or area of computer science. Anyhow, keep up the good work.
