{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,25]],"date-time":"2026-03-25T14:27:17Z","timestamp":1774448837862,"version":"3.50.1"},"reference-count":22,"publisher":"MDPI AG","issue":"2","license":[{"start":{"date-parts":[[2022,2,4]],"date-time":"2022-02-04T00:00:00Z","timestamp":1643932800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100003725","name":"National Research Foundation of Korea","doi-asserted-by":"publisher","award":["2021R1F1A1050542"],"award-info":[{"award-number":["2021R1F1A1050542"]}],"id":[{"id":"10.13039\/501100003725","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Entropy"],"abstract":"<jats:p>Ransomware consists of malicious codes that restrict users from accessing their own files while demanding a ransom payment. Since the advent of ransomware, new and variant ransomwares have caused critical damage around the world, thus prompting the study of detection and prevention technologies against ransomware. Ransomware encrypts files, and encrypted files have a characteristic of increasing entropy. Due to this characteristic, a defense technology has emerged for detecting ransomware-infected files by measuring the entropy of clean and encrypted files based on a derived entropy threshold. Accordingly, attackers have applied a method in which entropy does not increase even if the files are encrypted, such that the ransomware-infected files cannot be detected through changes in entropy. Therefore, if the attacker applies a base64 encoding algorithm to the encrypted files, files infected by ransomware will have a low entropy value. This can eventually neutralize the technology for detecting files infected from ransomware based on entropy measurement. Therefore, in this paper, we propose a method to neutralize ransomware detection technologies using a more sophisticated entropy measurement method by applying various encoding algorithms including base64 and various file formats. To this end, we analyze the limitations and problems of the existing entropy measurement-based ransomware detection technologies using the encoding algorithm, and we propose a more effective neutralization method of ransomware detection technologies based on the analysis results.<\/jats:p>","DOI":"10.3390\/e24020239","type":"journal-article","created":{"date-parts":[[2022,2,4]],"date-time":"2022-02-04T11:35:17Z","timestamp":1643974517000},"page":"239","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":23,"title":["A Method for Neutralizing Entropy Measurement-Based Ransomware Detection Technologies Using Encoding Algorithms"],"prefix":"10.3390","volume":"24","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-1492-1241","authenticated-orcid":false,"given":"Jaehyuk","family":"Lee","sequence":"first","affiliation":[{"name":"School of Computer Software, Daegu Catholic University, Gyeongsan 38430, Korea"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3551-6130","authenticated-orcid":false,"given":"Kyungroul","family":"Lee","sequence":"additional","affiliation":[{"name":"School of Computer Software, Daegu Catholic University, Gyeongsan 38430, Korea"}]}],"member":"1968","published-online":{"date-parts":[[2022,2,4]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","first-page":"8","DOI":"10.1016\/S1361-3723(16)30036-7","article-title":"Ransomware: To pay or not to pay?","volume":"4","author":"Everett","year":"2016","journal-title":"Comput. Fraud Secur."},{"key":"ref_2","unstructured":"(2021, December 20). KISA, Ransomware\u2019s Latest Trend Analysis and Implications. DIGITAL & SECURITY POLICY, KISA Insight, Volume 2. Available online: https:\/\/www.kisa.or.kr\/public\/library\/insight_View.jsp?mode=view&p_No=291&b_No=291&d_No=4&cPage=&ST=TC&SV=."},{"key":"ref_3","doi-asserted-by":"crossref","first-page":"353","DOI":"10.1016\/j.compeleceng.2017.10.012","article-title":"Software-defined networking-based crypto ransomware detection using HTTP traffic characteristics","volume":"66","author":"Cabaj","year":"2018","journal-title":"Comput. Electr. Eng."},{"key":"ref_4","doi-asserted-by":"crossref","unstructured":"Paik, J.-Y., Choi, J.-H., Jin, R., Wang, J., and Cho, E.-S. (2018, January 15). A Storage-Level Detection Mechanism against Crypto-Ransomware. Proceedings of the Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, Toronto, ON, Canada.","DOI":"10.1145\/3243734.3278491"},{"key":"ref_5","doi-asserted-by":"crossref","first-page":"1286","DOI":"10.1109\/TIFS.2017.2787905","article-title":"Uncovering the face of android ransomware: Characterization and real-time detection","volume":"13","author":"Chen","year":"2018","journal-title":"IEEE Trans. Inf. Forensics Secur."},{"key":"ref_6","doi-asserted-by":"crossref","first-page":"111","DOI":"10.1016\/j.compeleceng.2019.03.012","article-title":"Ransomware detection and mitigation using software-defined networking: The case of WannaCry","volume":"76","author":"Akbanov","year":"2019","journal-title":"Comput. Electr. Eng."},{"key":"ref_7","doi-asserted-by":"crossref","first-page":"203","DOI":"10.4236\/wjet.2015.33C030","article-title":"Design of Quantification Model for Ransom Ware Prevent","volume":"3","author":"Kim","year":"2015","journal-title":"WJET"},{"key":"ref_8","first-page":"2946735","article-title":"The effective ransomware prevention technique using process monitoring on android platform","volume":"2016","author":"Song","year":"2016","journal-title":"Mob. Inf. Syst."},{"key":"ref_9","doi-asserted-by":"crossref","first-page":"40","DOI":"10.1109\/MSP.2007.48","article-title":"Using entropy analysis to find encrypted and packed malware","volume":"5","author":"Lyda","year":"2007","journal-title":"IEEE Secur. Priv."},{"key":"ref_10","unstructured":"Timothy, M., Julian, J., Paul, W., and Teo, S. (2019). The inadequacy of entropy-based ransomware detection. Communications in Computer and Information Science, Springer."},{"key":"ref_11","doi-asserted-by":"crossref","first-page":"145","DOI":"10.1109\/18.61115","article-title":"Divergence measures based on the Shannon entropy","volume":"37","author":"Lin","year":"1991","journal-title":"IEEE Trans. Inf. Theory"},{"key":"ref_12","doi-asserted-by":"crossref","first-page":"78","DOI":"10.1109\/MC.2014.47","article-title":"The importance of entropy to information security","volume":"47","author":"Vassilev","year":"2014","journal-title":"Computer"},{"key":"ref_13","doi-asserted-by":"crossref","unstructured":"Josefsson, S. (2006). The Base16, Base32, and Base64 Data Encodings, IETF. RFC 4648.","DOI":"10.17487\/rfc4648"},{"key":"ref_14","unstructured":"Cooper, I. (2009). MPI-Style Web Services: An Investigation into the Potential of Using Web Services for MPI-Style Applications. [Ph.D. Thesis, Cardiff University]."},{"key":"ref_15","doi-asserted-by":"crossref","unstructured":"Costello, A. (2003). Punycode: A Bootstring Encoding of Unicode for Internationalized Domain Names in Applications (IDNA), IETF. IETF Request for Comments: 3492.","DOI":"10.17487\/rfc3492"},{"key":"ref_16","doi-asserted-by":"crossref","unstructured":"Adamov, A., Carlsson, A., and Surmacz, T. (2019, January 13\u201316). An Analysis of LockerGoga Ransomware. Proceedings of the 2019 IEEE East-West Design & Test Symposium (EWDTS), Batumi, GA, USA.","DOI":"10.1109\/EWDTS.2019.8884472"},{"key":"ref_17","doi-asserted-by":"crossref","unstructured":"Boura, C., and Canteaut, A. (2018). On the Boomerang Uniformity of Cryptographic Sboxes. ToSC, 290\u2013310.","DOI":"10.46586\/tosc.v2018.i3.290-310"},{"key":"ref_18","first-page":"279","article-title":"Accuracy Enhancement of Determining File Encryption Status through Divided Shannon Entropy","volume":"25","author":"Kwak","year":"2018","journal-title":"KIPS"},{"key":"ref_19","doi-asserted-by":"crossref","first-page":"102377","DOI":"10.1016\/j.cose.2021.102377","article-title":"Differential Area Analysis for Ransomware Attack Detection within Mixed File Datasets","volume":"108","author":"Davies","year":"2021","journal-title":"J. Comput. Secur."},{"key":"ref_20","doi-asserted-by":"crossref","first-page":"110205","DOI":"10.1109\/ACCESS.2019.2931136","article-title":"Machine learning based file entropy analysis for ransomware detection in backup systems","volume":"7","author":"Lee","year":"2019","journal-title":"IEEE Access"},{"key":"ref_21","doi-asserted-by":"crossref","first-page":"63","DOI":"10.23919\/SAIEE.2014.8531919","article-title":"Forensic entropy analysis of microsoft windows storage volumes","volume":"105","author":"Weston","year":"2014","journal-title":"J. SAIEE Afr. Res. J."},{"key":"ref_22","doi-asserted-by":"crossref","first-page":"S2","DOI":"10.1016\/j.diin.2009.06.016","article-title":"Bringing science to digital forensics with standardized forensic corpora","volume":"6","author":"Garfinkel","year":"2009","journal-title":"Digit. Investig."}],"container-title":["Entropy"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1099-4300\/24\/2\/239\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,10]],"date-time":"2025-10-10T22:13:55Z","timestamp":1760134435000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1099-4300\/24\/2\/239"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,2,4]]},"references-count":22,"journal-issue":{"issue":"2","published-online":{"date-parts":[[2022,2]]}},"alternative-id":["e24020239"],"URL":"https:\/\/doi.org\/10.3390\/e24020239","relation":{},"ISSN":["1099-4300"],"issn-type":[{"value":"1099-4300","type":"electronic"}],"subject":[],"published":{"date-parts":[[2022,2,4]]}}}