The inadequacy of entropy-based ransomware detection

Timothy McIntosh*, Julian Jang-Jaccard, Paul Watters, Teo Susnjak

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding; Conference proceeding contribution; peer-review

48 Citations (Scopus)


Many state-of-the-art anti-ransomware implementations monitoring file system activities choose to monitor file entropy-based changes to determine whether the changes may have been committed by ransomware, or to distinguish between compression and encryption operations. However, such detections can be victims of spoofing attacks, when attackers manipulate the entropy values in the expected range during the attacks. This paper explored the limitations of entropy-based ransomware detection on several different file types. We demonstrated how to use Base64-Encoding and Distributed Non-Selective Partial Encryption to manipulate entropy values and to bypass current entropy-based detection mechanisms. By exploiting this vulnerability, attackers can avoid entropy-based detection or degrade detection performance. We recommended that the practice of relying on file entropy change thresholds to detect ransomware encryption should be deprecated.

Original language: English
Title of host publication: Neural Information Processing
Subtitle of host publication: 26th International Conference, ICONIP 2019, Proceedings
Editors: Tom Gedeon, Kok Wai Wong, Minho Lee
Place of Publication: Cham, Switzerland
Publisher: Springer, Springer Nature
Number of pages: 9
ISBN (Electronic): 9783030368029
ISBN (Print): 9783030368012
Publication status: Published - 2019
Externally published: Yes
Event: 26th International Conference on Neural Information Processing, ICONIP 2019 - Sydney, Australia
Duration: 12 Dec 2019 to 15 Dec 2019

Publication series

Name: Communications in Computer and Information Science
Volume: 1143 CCIS
ISSN (Print): 1865-0929
ISSN (Electronic): 1865-0937


Conference: 26th International Conference on Neural Information Processing, ICONIP 2019


  • Encryption
  • Entropy
  • File integrity
  • Ransomware

