Ransomware Detection

Detect ransomware before it's too late.

HostAtlas analyzes every backup file using Shannon entropy and magic byte detection to identify ransomware-encrypted data. While other tools detect ransomware after days of corrupted backups, HostAtlas catches it within a single backup cycle — as fast as 15 minutes. Automatic incident creation ensures your team knows immediately.

Detection time: 15 min · Format signatures: 8 · Entropy scale: 0 – 8.0 · Incident creation: automatic

Shannon Entropy

The math behind the detection.

Shannon entropy measures how unpredictable the bytes of a file are, in bits per byte, on a scale from 0.0 (every byte identical) to 8.0 (all 256 byte values equally frequent). Encrypted data, whether produced by ransomware or by a legitimate tool, sits near 8.0. Compressed files such as gzip or bzip2 also have high entropy, but they are identifiable by their magic bytes. When a backup file has near-maximum entropy and no recognized format signature, something is very wrong.

Per-File Entropy Calculation

HostAtlas computes Shannon entropy for every backup file from its byte-frequency distribution. The calculation samples the first 1 MB of each file, which is enough to characterize a backup that has been compressed or encrypted as a whole. A file whose head is left intact while later regions are overwritten (partial or intermittent encryption) would not be caught by the head sample alone, which is why the trend tracking and format checks that follow matter as well.

Entropy Trend Tracking

HostAtlas tracks entropy over time for each backup path. A sudden jump from ~5.0 (typical SQL dump) to ~7.98 (encrypted) is a clear indicator of ransomware even without format analysis, and it also catches ciphertext that has been given a legitimate-looking header, which format detection on its own would accept.

Combined with Format Detection

High entropy alone does not indicate ransomware — compressed archives legitimately have high entropy. HostAtlas combines entropy measurement with magic byte format detection to separate legitimate compression from malicious encryption.

Shannon Entropy Scale (0.0 – 8.0)

0.0 – 3.0     Plain text, logs
3.0 – 5.0     HTML, JSON, XML
5.0 – 6.5     SQL dumps, binaries
6.5 – 7.5     Compressed (gzip, xz)
7.5 – 7.95    High compression
7.95 – 8.0    Encrypted / ransomware

Critical zone: Entropy >7.95 with no recognized format signature is the strongest indicator of ransomware encryption. Legitimate encryption tools (GPG, age) can be whitelisted per path.

Format Detection

Magic bytes tell the truth.

Every file format has a signature — a sequence of bytes at the beginning of the file that identifies its type. HostAtlas reads the first bytes of every backup file and matches them against known format signatures. When entropy is high but the format is recognized (gzip, bzip2, xz), the file is likely a legitimate compressed backup. When entropy is high and the format is unknown — that is the ransomware signal.

Format     Magic bytes                      Typical entropy   Status
gzip       1f 8b                            7.2 – 7.9         Recognized
bzip2      42 5a 68                         7.5 – 7.95        Recognized
xz         fd 37 7a 58 5a 00                7.6 – 7.98        Recognized
zip        50 4b 03 04                      7.0 – 7.9         Recognized
rar        52 61 72 21                      7.3 – 7.9         Recognized
7z         37 7a bc af 27 1c                7.5 – 7.95        Recognized
tar        75 73 74 61 72 (offset 257)      4.0 – 6.5         Recognized
SQL dump   "-- MySQL dump" / "PGDMP"        3.5 – 5.5         Recognized
Unknown    No match                         7.95+             Suspicious

When a backup file has entropy >7.95 and no recognized magic byte signature, HostAtlas flags it as suspicious. This is the primary ransomware detection signal — encrypted data with no legitimate format wrapper.

Suspicion Scoring

Four severity levels. Clear escalation.

HostAtlas assigns a suspicion level to every backup file based on its entropy, its detected format, and its entropy history. The levels are designed to keep false positives low for compressed backups while still escalating any near-random data that has no legitimate format wrapper.

Low
Entropy below 7.0 with a recognized format. This is normal behavior: compressed backups, SQL dumps, tar archives. No action required.
Conditions: entropy < 7.0; format recognized.
Outcome: no alert generated.

Medium
Entropy between 7.0 and 7.95 with a recognized format, or entropy between 7.5 and 7.95 with an unknown format. Worth monitoring, but likely legitimate high compression.
Conditions: entropy 7.0 – 7.95 with a recognized format; or entropy 7.5 – 7.95 with an unknown format.
Outcome: warning alert.

High
Entropy above 7.95 with a recognized format that should not be this random (e.g., tar archives), or a sudden entropy jump from the path's historical baseline.
Conditions: entropy > 7.95 with an unexpected format; or entropy more than 2.0 above baseline.
Outcome: incident created automatically.

Critical
Entropy above 7.95 with no recognized format signature. This is the strongest ransomware indicator: encrypted data with no legitimate format wrapper.
Conditions: entropy > 7.95; format unknown.
Outcome: critical incident and immediate alert.
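
The three pieces described above (entropy over the first 1 MB, magic-byte lookup, and the four-level scoring) as one runnable Python example. This is an added illustration, not HostAtlas code: the signature table is transcribed from the format table on this page, the two cases the page leaves unspecified (entropy above 7.95 in a compressed format, unknown format below 7.5) are assumptions noted in the code, and all sample inputs are constructed inside the block.

```python
"""Entropy + magic-byte scan of backup files, scored with the four levels above."""
import gzip
import io
import math
import random
import tarfile
from collections import Counter
from typing import Optional

SAMPLE_BYTES = 1 << 20        # the page samples the first 1 MB of each file
MAX_NORMAL_ENTROPY = 7.95     # the page's "critical zone" threshold
BASELINE_JUMP = 2.0           # entropy delta from baseline that the page rates HIGH

# Hypothetical signature table transcribed from the page: (bytes, offset, name).
MAGIC = [
    (b"\x1f\x8b", 0, "gzip"),
    (b"BZh", 0, "bzip2"),
    (b"\xfd7zXZ\x00", 0, "xz"),
    (b"PK\x03\x04", 0, "zip"),
    (b"Rar!", 0, "rar"),
    (b"7z\xbc\xaf\x27\x1c", 0, "7z"),
    (b"ustar", 257, "tar"),
    (b"-- MySQL dump", 0, "sql"),
    (b"PGDMP", 0, "sql"),
]
# Formats whose payload is legitimately near-random; any other format at >7.95 is "unexpected".
COMPRESSED = {"gzip", "bzip2", "xz", "zip", "rar", "7z"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 when every byte is identical, 8.0 when all 256 values are equally frequent."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def detect_format(head: bytes) -> Optional[str]:
    """Return the recognized format name for the leading bytes, or None if nothing matches."""
    for sig, off, name in MAGIC:
        if head[off:off + len(sig)] == sig:
            return name
    return None


def suspicion_level(entropy: float, fmt: Optional[str], baseline: Optional[float] = None) -> str:
    """Map (entropy, detected format, historical baseline) to the page's four levels.
    Assumptions for cases the page does not spell out: >7.95 in an expected compressed
    format is MEDIUM, and an unknown format below 7.5 is LOW."""
    if entropy > MAX_NORMAL_ENTROPY and fmt is None:
        return "CRITICAL"                      # ciphertext with no format wrapper
    if entropy > MAX_NORMAL_ENTROPY and fmt not in COMPRESSED:
        return "HIGH"                          # e.g. a tar archive should never be this random
    if baseline is not None and entropy - baseline > BASELINE_JUMP:
        return "HIGH"                          # sudden jump from this path's history
    if fmt is not None and entropy >= 7.0:
        return "MEDIUM"
    if fmt is None and entropy >= 7.5:
        return "MEDIUM"
    return "LOW"


def analyze_bytes(data: bytes, baseline: Optional[float] = None) -> dict:
    sample = data[:SAMPLE_BYTES]
    entropy = shannon_entropy(sample)
    fmt = detect_format(sample)
    return {"entropy": round(entropy, 4), "format": fmt,
            "level": suspicion_level(entropy, fmt, baseline)}


def analyze_file(path: str, baseline: Optional[float] = None) -> dict:
    """Read only the head of the file, as the page describes."""
    with open(path, "rb") as fh:
        return analyze_bytes(fh.read(SAMPLE_BYTES), baseline)


def make_tar(name: str, payload: bytes) -> bytes:
    """Wrap one member in an uncompressed tar (ustar magic at offset 257)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo(name)
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


# Constructed sample inputs (not real backups). Seeded so results are reproducible.
_rng = random.Random(2026)
RANDOM_1MB = _rng.randbytes(1 << 20)                 # stands in for ciphertext: no header, ~8.0
SQL_DUMP = (b"-- MySQL dump 10.13\n"
            + b"INSERT INTO orders VALUES (1,'2026-04-03','paid');\n" * 4000)
GZIP_SQL = gzip.compress(SQL_DUMP)                   # a legitimate compressed backup
GZIP_RANDOM = gzip.compress(RANDOM_1MB[:200_000])    # ciphertext behind a valid gzip header
TAR_OF_CIPHERTEXT = make_tar("db.sql", RANDOM_1MB)   # near-random data in a format that should not be

if __name__ == "__main__":
    for name, blob in [("sql dump", SQL_DUMP), ("gzip sql", GZIP_SQL), ("ciphertext", RANDOM_1MB),
                       ("gzip-wrapped ciphertext", GZIP_RANDOM), ("tar of ciphertext", TAR_OF_CIPHERTEXT)]:
        print(f"{name:24s} {analyze_bytes(blob, baseline=5.2)}")
```

The gzip-wrapped ciphertext case shows why the baseline matters: on its own it only reaches MEDIUM, because the header is recognized, but against a 5.2 baseline the 2.0 jump rule escalates it to HIGH.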

Automatic Response

HIGH and CRITICAL trigger incidents automatically.

When HostAtlas detects a HIGH or CRITICAL suspicion level, it automatically creates an incident with all the evidence: the file path, entropy value, expected format, detected format (or lack thereof), historical entropy for that path, and the server details. Alerts are sent to all configured notification channels within seconds.

Immediate Alert Delivery

Slack, email, PagerDuty, and webhooks — all channels fire simultaneously. Ransomware incidents use the highest urgency level across all channels.

Complete Evidence Package

Every incident includes the file path, SHA-256 hash, entropy value, magic byte analysis, historical entropy trend, last known good backup timestamp, and the server hostname and IP.

Timeline Reconstruction

The incident timeline shows when the backup was last clean, when the suspicious file was first detected, and correlates with any other server events in the same time window.

INC-3847 · Critical · Open
Possible ransomware detected in backup on prod-db-01
Detected Apr 3, 2026 at 03:15:42 UTC · Auto-detected · Ransomware Detection

Entropy: 7.9847
Format: Unknown
Affected file: /backups/mysql/prod-db-01/daily_2026-04-03.sql.gz
Entropy history: Apr 1: 5.23 · Apr 2: 5.19 · Apr 3: 7.98
Last known good backup: Apr 2, 2026 at 03:15:00 UTC · Entropy: 5.19 · Format: gzip

Detection Speed

15 minutes. Not days.

Most backup integrity tools check on a daily or weekly schedule. By the time they detect something wrong, you may have days of corrupted backups and no clean copy to restore from. HostAtlas analyzes backups as they arrive — within a single backup cycle. If your backups run every 15 minutes, ransomware is detected within 15 minutes.

Detection time comparison

Traditional backup tools: 24 – 168 hours. They rely on scheduled integrity checks (daily/weekly); ransomware may encrypt multiple backup cycles before detection.

File-level antivirus: 1 – 24 hours. Requires signature updates; zero-day ransomware variants go undetected until signatures are released.

HostAtlas: 15 minutes. Entropy analysis is signature-independent and detects any encryption, including zero-day ransomware, within one backup cycle.

Why speed matters

Preserve clean backups

The faster you detect ransomware, the fewer backup cycles are affected. With 15-minute detection, you likely still have a clean backup from the previous cycle.

Contain the attack

Early detection means you can isolate the compromised server before the ransomware spreads to other systems or encrypts more data.

Minimize data loss

Every hour of undetected ransomware is an hour of data you might not recover. 15-minute detection limits maximum data loss to the time between your last clean backup and detection.

Signature-independent

Entropy analysis detects any encryption, not specific ransomware variants. Zero-day ransomware that evades antivirus signatures is still caught by abnormal entropy levels.

Backup Path Configuration

/backups/mysql/*.sql.gz       Monitored   Expected format: gzip | Expected entropy: 5.0 – 7.9
/backups/secrets/*.gpg        Encrypted   Marked as encrypted | False positive suppressed
/backups/files/*.age          Encrypted   Marked as encrypted | False positive suppressed
/backups/postgres/*.sql.xz    Monitored   Expected format: xz | Expected entropy: 7.0 – 7.98

False Positive Control

GPG? Age? Mark it as encrypted.

If you use legitimate client-side encryption tools like GPG or age on certain backup paths, those files will naturally have near-maximum entropy. HostAtlas lets you mark specific paths as "Encrypted" to suppress false positive alerts. The per-path flag tells the detection engine that high entropy is expected for these files.

Per-Path Configuration

Set the "Encrypted" flag on individual backup paths or glob patterns. Files matching these paths are excluded from ransomware suspicion scoring while still being monitored for other anomalies.

Format-Aware Suppression

Even with the "Encrypted" flag, HostAtlas still monitors for unexpected format changes. If a GPG-encrypted file suddenly stops having GPG headers, an alert is raised — this could indicate the encryption tool changed or the backup pipeline broke.
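
A worked example of the per-path rules described in this section (the "Encrypted" flag and format-aware suppression), together with the historical baseline that entropy trend tracking compares against. It is added here and is not HostAtlas's own implementation: the rules are transcribed from the Backup Path Configuration above; the age check uses the documented age v1 file header; the GPG check (ASCII-armor banner, or an OpenPGP packet-tag first byte for binary output) and the median baseline are assumptions. The scanner outputs it consumes (entropy, detected format, leading bytes) are passed in directly, and all sample calls use constructed values.

```python
"""Per-path rules: the Encrypted flag, format-aware suppression, and baseline trend checks."""
import fnmatch
from dataclasses import dataclass
from statistics import median
from typing import List, Optional, Sequence, Tuple

BASELINE_JUMP = 2.0   # entropy delta from baseline that the page rates HIGH


@dataclass(frozen=True)
class PathRule:
    pattern: str                          # glob, e.g. /backups/mysql/*.sql.gz
    encrypted: bool = False               # the page's per-path "Encrypted" flag
    expected_format: Optional[str] = None
    entropy_range: Tuple[float, float] = (0.0, 8.0)


# Transcribed from the page's Backup Path Configuration.
RULES = [
    PathRule("/backups/mysql/*.sql.gz", expected_format="gzip", entropy_range=(5.0, 7.9)),
    PathRule("/backups/secrets/*.gpg", encrypted=True),
    PathRule("/backups/files/*.age", encrypted=True),
    PathRule("/backups/postgres/*.sql.xz", expected_format="xz", entropy_range=(7.0, 7.98)),
]

AGE_HEADER = b"age-encryption.org/v1"           # age v1 file header
PGP_ARMOR = b"-----BEGIN PGP MESSAGE-----"      # ASCII-armored OpenPGP message
# Binary OpenPGP: the first byte is a packet tag for PKESK (tag 1) or SKESK (tag 3),
# old format 0x84-0x87 / 0x8c-0x8f or new format 0xc1 / 0xc3. Heuristic; an assumption here.
PGP_BINARY_FIRST = {0x84, 0x85, 0x86, 0x87, 0x8c, 0x8d, 0x8e, 0x8f, 0xc1, 0xc3}


def encrypted_tool_header(head: bytes) -> Optional[str]:
    """Name the legitimate encryption tool whose header the file carries, or None."""
    if head.startswith(AGE_HEADER):
        return "age"
    if head.startswith(PGP_ARMOR) or (head and head[0] in PGP_BINARY_FIRST):
        return "gpg"
    return None


def match_rule(path: str) -> Optional[PathRule]:
    # fnmatch's '*' also matches '/', so /backups/mysql/*.sql.gz covers per-host subdirectories.
    for rule in RULES:
        if fnmatch.fnmatch(path, rule.pattern):
            return rule
    return None


def evaluate(path: str, entropy: float, fmt: Optional[str], head: bytes,
             history: Sequence[float]) -> List[Tuple[str, str]]:
    """Return (level, reason) findings for one scanned file. `entropy`, `fmt` and `head`
    come from the scanner; `history` holds this path's previous entropy values."""
    findings: List[Tuple[str, str]] = []
    rule = match_rule(path)

    if rule is not None and rule.encrypted:
        # Near-8.0 entropy is expected here, so ransomware scoring is suppressed, but the
        # file must still look like the tool's output: losing the header means the
        # encryption tool changed or the backup pipeline broke.
        if encrypted_tool_header(head) is None:
            findings.append(("WARNING", "encrypted path but no GPG/age header; pipeline changed or broke"))
        return findings

    if rule is not None:
        if rule.expected_format is not None and fmt != rule.expected_format:
            findings.append(("HIGH", f"expected {rule.expected_format}, detected {fmt or 'unknown'}"))
        lo, hi = rule.entropy_range
        if not lo <= entropy <= hi:
            findings.append(("HIGH", f"entropy {entropy:.2f} outside expected {lo} - {hi}"))

    if history:
        baseline = median(history)   # assumption: median of prior runs is robust to one odd cycle
        delta = entropy - baseline
        if delta > BASELINE_JUMP:
            findings.append(("HIGH", f"entropy jumped {delta:.2f} above baseline {baseline:.2f}"))
    return findings


if __name__ == "__main__":
    # The page's INC-3847 scenario: a .sql.gz that lost its gzip header and jumped to 7.98.
    for f in evaluate("/backups/mysql/prod-db-01/daily_2026-04-03.sql.gz",
                      7.98, None, b"\x9b\x3c\x11", [5.23, 5.19]):
        print(f)
```

Two things to notice: a GPG path with a good header produces no findings even at 7.99, while the same path without a header raises only a WARNING rather than a ransomware incident, because the Encrypted flag removes it from suspicion scoring as the section describes.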

Visual Intelligence

Color-coded entropy. Format badges. At a glance.

The backup overview page shows entropy values with color coding and format badges for every monitored file. Green means safe. Yellow means worth watching. Red means investigate immediately. You can see the health of all your backups across all servers in a single view.

Backup Files — prod-db-01 · Last scan: 2 min ago

daily_2026-04-03.sql.gz     /backups/mysql/prod-db-01/      gzip      5.23
daily_2026-04-03.tar.xz     /backups/files/prod-db-01/      xz        7.62
daily_2026-04-03.sql.bz2    /backups/postgres/prod-db-01/   bzip2     7.91
daily_2026-04-03.sql.gz     /backups/mysql/staging-01/      Unknown   7.98   CRITICAL: possible ransomware
secrets_2026-04-03.gpg      /backups/secrets/prod-db-01/    GPG       7.99   Marked as encrypted

Get started

Don't wait until the ransom note appears.

Ransomware detection is included on every HostAtlas plan with offsite backups. Shannon entropy analysis, magic byte format detection, and automatic incident creation run silently on every backup cycle to keep your data safe. No signatures to update, and nothing extra to configure once the agent is installed.

Quick install

$ curl -sSL https://install.hostatlas.app/install.sh | sudo bash -s -- --key=SERVER_KEY_

Note that this pipes a remote script straight into a root shell; on production hosts, download install.sh first and read it before running it with sudo.