This is the image you can recover from the ransomed file I published in my last diary entry.
We don't see much difference between the overall entropy and the entropy of the buckets, but that's because it's a small file. Notice that only 3 buckets were used. The file is only 36KB, so let's
The smallest value for the entropy is 7.32... So we have something in this file that is not encrypted/compressed. Let's
The lower entropy appears to be around position 0x1000. Let's
Bytes before 0x1000 look random, while we see some patterns appearing after 0x1000.
FFDB is the JPEG marker for quantization tables. This should be preceded by a JPEG header, like this one: \xFF\xD8\xFF\xE0\x00\x10\x4A\x46\x49\x46\x00\x01\x01\x01\x00\x48\x00\x48\x00\x00
To recover the image, just create a new file with this JPEG header and append all bytes from the ransomed file starting at the FFDB marker (position 0x1000).
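The recovery steps above (per-bucket entropy to spot the unencrypted tail, then a JFIF header prepended to everything from the FFDB marker onward) as a worked Python example. This is added code, not the diary's own tool; the ransomed sample is constructed in make_sample() and the bucket size of 0x1000 is an assumption.

```python
# Entropy-guided JPEG carving for a file whose first bytes were encrypted.
import math
import random
from collections import Counter

# JFIF header (SOI + APP0 segment) quoted in the diary entry.
JFIF_HEADER = bytes.fromhex("FFD8FFE000104A46494600010101004800480000")
DQT_MARKER = b"\xff\xdb"  # JPEG Define Quantization Table marker


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 max)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def bucket_entropies(data: bytes, bucket_size: int = 0x1000) -> list:
    """(offset, entropy) per fixed-size bucket, like the per-bucket plot."""
    return [(off, shannon_entropy(data[off:off + bucket_size]))
            for off in range(0, len(data), bucket_size)]


def find_dqt_after_low_entropy(data: bytes, bucket_size: int = 0x1000) -> int:
    """Offset of the first FFDB marker at or after the lowest-entropy bucket.
    Searching from that bucket rather than offset 0 avoids a chance FF DB pair
    inside the encrypted (random-looking) head. Returns -1 if not found."""
    buckets = bucket_entropies(data, bucket_size)
    low_off = min(buckets, key=lambda b: b[1])[0]
    return data.find(DQT_MARKER, low_off)


def recover_jpeg(ransomed: bytes) -> bytes:
    """Prepend a JFIF header to everything from the FFDB marker onward."""
    start = find_dqt_after_low_entropy(ransomed)
    if start < 0:
        raise ValueError("no FFDB marker found after the low-entropy region")
    return JFIF_HEADER + ransomed[start:]


def make_sample() -> bytes:
    """Constructed stand-in for the ransomed file: 0x1000 random-looking bytes
    (the encrypted head) followed by a DQT segment and low-entropy data."""
    rng = random.Random(1)
    encrypted_head = bytes(rng.getrandbits(8) for _ in range(0x1000))
    dqt = DQT_MARKER + b"\x00\x43\x00" + bytes(range(64))  # 8-bit table, id 0
    return encrypted_head + dqt + bytes(range(16)) * 60


if __name__ == "__main__":
    sample = make_sample()
    for off, ent in bucket_entropies(sample):
        print(f"bucket 0x{off:04x}: entropy {ent:.2f}")
    print(f"FFDB at 0x{find_dqt_after_low_entropy(sample):x}, "
          f"recovered {len(recover_jpeg(sample))} bytes")
```

Run against a real ransomed file, write recover_jpeg(open(path, "rb").read()) to a .jpg and open it; a wrong bucket size only shifts where the search begins, not the marker found.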
What is this image? It's a thermal image of my MacBook 12 with the processor running hot. The processor is located where you see the yellow/orange spot. The color indicates it's around 39C. That's around 312K and 102F.