An entropy test measures how uniformly distributed the bytes of some data are. This means that if we calculate the entropy of a collection of files and later of the same collection encrypted, the entropy of the encrypted copy would be higher. This test (alongside some others) is used for early ransomware detection.
A ransomware is basically a malware that encrypts a device or several devices in a network and creates a ransom note. Their operators usually perform extortion additionally. Even though most ransomware works against Windows, there are some which work on Linux as well, therefore investigating this methodology is important.
There's a tool that helps us get the entropy of a file in Linux, called "ent". Therefore if we write:
ent myfile
The command should give us the entropy, for example "2.30". If we perform the very same process against an encrypted version of the same file, it should be, maybe, "5.20". This means the file is either encrypted or compressed, more likely encrypted (because it's way greater).
This can change slightly depending on the file type, but keeping it simple, we can translate this into further test automation. Let's test that. If you have never used the terminal, read the following paragraphs. If you know the basics of apt and git you can jump directly to the "ENTROPY CHECK" section.
So, when using the Linux terminal we can install programs and tools using a very simple line:
sudo apt install mytool
where "mytool" is whatever you want to install. For the rest of the command: "sudo" is used to run with admin (called root) permissions, "apt" is the tool used to manage downloads and installations and finally "install" is the command to install. We are going to install something called "git", did you guess how? Yep:
sudo apt install git
It will ask for your password, because you are using "sudo" (remember? for permissions). "git" is used to handle code, meaning the language the computer uses to understand what you want it to do. In this case it will be used to "clone" my tool, so it's like downloading my tool from the internet. But instead of clicking a big button saying "download" you are doing it like a pro from a terminal. So, you will do:
git clone https://git.sr.ht/~alienagain/gigur
If everything goes well, you will have a copy of my tools on your system. Now, in order to enter folders (as if you double clicked on them in a graphical environment) all you need to do is use a command called "cd".
cd gigur
The command above is telling the terminal to get into the folder named "gigur". If you wanted to go inside "Pictures" you would write "cd Pictures" and so on.
ENTROPY CHECK
If you haven't done it yet, clone my repository:
git clone https://git.sr.ht/~alienagain/gigur
cd gigur
Now, the test I'm talking about is in a folder called "entropy". So we will get into that one:
cd entropy
Now, if you use the "ls" command, you will see there are two files called "check_entropy.sh" and "alert.sh". Those are scripts, meaning small pieces of code that do specific tasks in Linux. They probably won't run properly without being given the needed permission rights. For that there's a command called "chmod". So, for example, if you want to give the user execute permission on the scripts you can use:
chmod u+x *.sh
In this line, you are telling the computer to change permissions (chmod) for the current user (u), adding execution (+x), on all the files that end in ".sh" (*.sh). You could have given the permission specifically to check_entropy.sh using:
chmod u+x check_entropy.sh
Now, in order to check how this works, we are creating a "mock folder". To create a folder we will use:
mkdir testfolder
and now we will fill testfolder with mock files. First of all let's get into our new folder:
cd testfolder
And then let's create three files:
echo "hey this is a trial, how are you?" > file1
echo "this is still a trial, don't mind me!" > file2
echo "hey hey hey guess what, I'm a trial" > file3
In these three lines we repeated a process: we tell the system to say a sentence (echo "my sentence") and to save the output (>) into a file named whatever we want (file1, file2 or whatever you like). If you use the "ls" command (which is used to list the contents of a folder) you will see file1, file2 and file3. Let's go back to the folder we were in before. In Linux, the parent folder is always called ".." and the current folder is called ".", so if we want to get into the parent folder we will do:
cd ..
Now, we are ready to use the script. Use:
./check_entropy.sh
The "./" tells the system to execute the script from the current folder. It will ask you for the name of a folder to check; let's use the one we created. It will also ask for an output log name; choose whatever you want. I'm going to use my_example_log.
Write the folder path for the entropy check > testfolder
Write the name of the log > my_example_log
And now it will give you both the individual entropy value of each file inside the folder and the mean of those values (probably around 3.76509). If you repeat the process you will see how the log grows. There's an additional log called "values" with the raw mean values. If you want to check the file contents, use the "cat" command.
cat values
This will show the raw entropy mean values after several tests. Now imagine that among the values we suddenly have one way greater than 3.76509, for example 6.92816. This would mean that some file(s) in our folder are drastically changing the mean, meaning they might be being encrypted. Let's manually encrypt one of the files. I did it like this:
gpg -c testfolder/file1
mv testfolder/file1.gpg testfolder/file1
Now you will see that the individual entropy of file1 went dramatically up, and the mean also increased. If you now use the other script (alert.sh):
./alert.sh
It will check the raw values and create a file called "alerts" with an encryption alert if the mean in the log changed drastically. So, if you didn't encrypt anything, the script won't show anything. If you did, you can run:
cat alerts
And see the encryption alert. By automating this very same process, you can create a simple entropy-test-based protection against ransomware.
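For readers who want to see the whole idea in one self-contained script, here is an added example written for this page; it is not the gigur check_entropy.sh or alert.sh. It computes Shannon entropy in bits per byte (the same scale "ent" reports) for every file in a folder, takes the mean, and raises an alert when the mean rises more than a threshold above a stored baseline. The 1.5 bits/byte threshold is an assumption of the example, since the post only says "changed drastically".

```shell
#!/bin/sh
# Added example (not part of gigur): a standalone entropy check in POSIX sh.
# Entropy is Shannon entropy in bits per byte, the same scale "ent" reports,
# so a file of identical bytes scores 0.00000 and fully random data near 8.

# entropy_of_file FILE -> prints the file's entropy with 5 decimals
entropy_of_file() {
    # od dumps every byte as an unsigned decimal; awk counts byte frequencies
    od -An -v -tu1 "$1" | awk '
        { for (i = 1; i <= NF; i++) { c[$i]++; n++ } }
        END {
            h = 0
            for (b in c) { p = c[b] / n; h -= p * log(p) / log(2) }
            printf "%.5f\n", h
        }'
}

# mean_entropy DIR -> prints the mean entropy of the regular files in DIR
mean_entropy() {
    for f in "$1"/*; do
        [ -f "$f" ] && entropy_of_file "$f"
    done | awk '{ s += $1; n++ }
               END { if (n > 0) printf "%.5f\n", s / n; else print "0.00000" }'
}

# check_alert BASELINE CURRENT THRESHOLD -> prints ALERT when the mean rose
# by more than THRESHOLD bits/byte since the baseline, OK otherwise.
# The threshold is an assumption of this example, not a value from the post.
check_alert() {
    awk -v b="$1" -v c="$2" -v t="$3" '
        BEGIN { r = ((c - b) > t) ? "ALERT" : "OK"; print r }'
}

# Usage: sh entropy_check.sh testfolder 3.76509
# Prints the current mean and whether it jumped more than 1.5 above the baseline.
if [ $# -eq 2 ]; then
    cur=$(mean_entropy "$1")
    echo "mean entropy: $cur -> $(check_alert "$2" "$cur" 1.5)"
fi
```

Running it against the testfolder from this post before and after the gpg step shows the same jump the alert.sh script reacts to, with the mean for the three plaintext files landing close to the 3.76509 quoted above.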