The Inadequacy of Entropy-Based Ransomware Detection

  • Timothy McIntoshEmail author
  • Julian Jang-Jaccard
  • Paul Watters
  • Teo Susnjak
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 1143)


Many state-of-the-art anti-ransomware implementations monitoring file system activities choose to monitor file entropy-based changes to determine whether the changes may have been committed by ransomware, or to distinguish between compression and encryption operations. However, such detections can be victims of spoofing attacks, when attackers manipulate the entropy values in the expected range during the attacks. This paper explored the limitations of entropy-based ransomware detection on several different file types. We demonstrated how to use Base64-Encoding and Distributed Non-Selective Partial Encryption to manipulate entropy values and to bypass current entropy-based detection mechanisms. By exploiting this vulnerability, attackers can avoid entropy-based detection or degrade detection performance. We recommended that the practice of relying on file entropy change thresholds to detect ransomware encryption should be deprecated.


Ransomware Entropy Encryption File integrity 



This work was made possible by the support of a grant (UOCX1720) from the Ministry of Business, Innovation and Employment of New Zealand, September 2017 Catalyst: Strategic Investment Round.


  1. 1.
    Ahmadian, M.M., Shahriari, H.R., Ghaffarian, S.M.: Connection-monitor & connection-breaker: a novel approach for prevention and detection of high survivable ransomwares. In: 2015 12th International Iranian Society of Cryptology Conference on Information Security and Cryptology (ISCISC), pp. 79–84. IEEE (2015)Google Scholar
  2. 2.
    Continella, A., et al.: Shieldfs: a self-healing, ransomware-aware file system. In: Proceedings of the 32nd Annual Conference on Computer Security Applications, pp. 336–347. ACM (2016)Google Scholar
  3. 3.
    Garfinkel, S., Farrell, P., Roussev, V., Dinolt, G.: Bringing science to digital forensics with standardized forensic corpora. Digit. Invest. 6, S2–S11 (2009)CrossRefGoogle Scholar
  4. 4.
    Genç, Z.A., Lenzini, G., Ryan, P.Y.: Security analysis of key acquiring strategies used by cryptographic ransomware. In: Proceedings of the Central European Cybersecurity Conference 2018, p. 7. ACM (2018)Google Scholar
  5. 5.
    Gómez-Hernández, J., Álvarez-González, L., García-Teodoro, P.: R-locker: Thwarting ransomware action through a honeyfile-based approach. Comput. Secur. 73, 389–398 (2018)CrossRefGoogle Scholar
  6. 6.
    Held, M., Waldvogel, M.: Fighting ransomware with guided undo. In: Proceedings of the 11th Norwegian Information Security Conference (2018)Google Scholar
  7. 7.
    Homayoun, S., Dehghantanha, A., Ahmadzadeh, M., Hashemi, S., Khayami, R.: Know abnormal, find evil: Frequent pattern mining for ransomware threat hunting and intelligence. IEEE Trans. Emerg. Top. Comput. PP, 1 (2017)Google Scholar
  8. 8.
    Josefsson, S.: The base16, base32, and base64 data encodings (2006)Google Scholar
  9. 9.
    Kharraz, A., Kirda, E.: Redemption: real-time protection against ransomware at end-hosts. In: Dacier, M., Bailey, M., Polychronakis, M., Antonakakis, M. (eds.) RAID 2017. LNCS, vol. 10453, pp. 98–119. Springer, Cham (2017). Scholar
  10. 10.
    Kirda, E.: Unveil: a large-scale, automated approach to detecting ransomware (keynote). In: 2017 IEEE 24th International Conference on Software Analysis, Evolution and Reengineering (SANER), p. 1. IEEE (2017)Google Scholar
  11. 11.
    Kolodenker, E., Koch, W., Stringhini, G., Egele, M.: Paybreak: defense against cryptographic ransomware. In: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security, pp. 599–611. ACM (2017)Google Scholar
  12. 12.
    Li, W.J., Wang, K., Stolfo, S.J., Herzog, B.: Fileprints: identifying file types by n-gram analysis. In: Proceedings from the Sixth Annual IEEE SMC Information Assurance Workshop, IAW 2005, pp. 64–71. IEEE (2005)Google Scholar
  13. 13.
    Mbol, F., Robert, J.-M., Sadighian, A.: An efficient approach to detect torrentlocker ransomware in computer systems. In: Foresti, S., Persiano, G. (eds.) CANS 2016. LNCS, vol. 10052, pp. 532–541. Springer, Cham (2016). Scholar
  14. 14.
    McDaniel, M., Heydari, M.H.: Content based file type detection algorithms. In: Proceedings of the 36th Annual Hawaii International Conference on System Sciences, p. 10. IEEE (2003)Google Scholar
  15. 15.
    McIntosh, T.R., Jang-Jaccard, J., Watters, P.A.: Large scale behavioral analysis of ransomware attacks. In: Cheng, L., Leung, A.C.S., Ozawa, S. (eds.) ICONIP 2018. LNCS, vol. 11306, pp. 217–229. Springer, Cham (2018). Scholar
  16. 16.
    Mehnaz, S., Mudgerikar, A., Bertino, E.: RWGuard: a real-time detection system against cryptographic ransomware. In: Bailey, M., Holz, T., Stamatogiannakis, M., Ioannidis, S. (eds.) RAID 2018. LNCS, vol. 11050, pp. 114–136. Springer, Cham (2018). Scholar
  17. 17.
    Scaife, N., Carter, H., Traynor, P., Butler, K.R.: Cryptolock (and drop it): stopping ransomware attacks on user data. In: 2016 IEEE 36th International Conference on Distributed Computing Systems (ICDCS), pp. 303–312. IEEE (2016)Google Scholar
  18. 18.
    Verma, M., Kumarguru, P., Deb, S.B., Gupta, A.: Analysing indicator of compromises for ransomware: Leveraging IOCs with machine learning techniques. In: 2018 IEEE International Conference on Intelligence and Security Informatics (ISI), pp. 154–159. IEEE (2018)Google Scholar
  19. 19.
    Weston, P., Wolthusen, S.D.: Forensic entropy analysis of microsoft windows storage volumes. SAIEE Afr. Res. J. 105(2), 63–70 (2014)CrossRefGoogle Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Timothy McIntosh
    • 1
    Email author
  • Julian Jang-Jaccard
    • 1
  • Paul Watters
    • 2
  • Teo Susnjak
    • 1
  1. 1.Massey UniversityAucklandNew Zealand
  2. 2.La Trobe UniversityBundooraAustralia

Personalised recommendations