• data loss prevention
• ransomware
• entropy

Data Loss Prevention is a technique that allows to identify, monitor, and protect data in motion, in use and at rest. Ransomware is a type of malware and being infected with it is one of the biggest risks for an enterprise. The function of ransomware is to encrypt files and then ask the victim for a ransom. Ransomwares currently in use, offered under the Ransomware-as-a-Service (RaaS) model, can be configured to exfiltrate data and doubly extort victims with the integrity and confidentiality of the attacked data. This pattern increases the number of attacks because attackers don't need to have the technical knowledge to launch these attacks.
In this thesis, Data Loss Prevention (DLP) issue in a public cloud environment for an enterprise is studied. In particular, a technique based on entropy has been designed, implemented, and validated to detect in almost instantaneous time all types of ransomwares, including zero-day ones. The quantity on which this technique is based is the entropy, that measures the “randomness” of a file. One of the characteristics of ciphers is that they make the text appear random. It is possible to assume that an encrypted file has a higher entropy value than the same file but unencrypted. Using well-known algorithms proposed by the National Institute of Standards and Technology, different estimates of the entropy of a given file are obtained. At this point it is possible to compare the estimate obtained with a threshold to decide whether the file has been encrypted or not, and then to detect ransomwares.