Methods for determining if a file is encypted?
You could run ent to see how much entropy a file has, a file with high entropy is likely either compressed or encrypted (or both). A problem is that JPEG, XLSX and ZIP are compressed, so actually compressed files are very common.
If you suspect that X is an encrypted version of file Z then you could check if they have similar sizes, plus small delta for encryption headers.
You can use the file command if available in your environment (a standard part of BSD/OSX/Linux). For example, once encrypted content is available:
$ gpg --encrypt test-encrypted -r [email protected]
Enter the user ID. End with an empty line:
$ ls
test-encrypted test-encrypted.gpg
$ mv test-encrypted.gpg testfile.txt
file can identify it as GPG Encrypted content:
$ file testfile.txt
testfile.txt: GPG encrypted data
However, this only shows information based on the headers and trailers. A while back, someone wrote a Powershell script to find Cryptolocker files (link to PS script) which may or may not help you. The issue you will run into is: "HOW was this encrypted?" For example, if an attacker just creates a complex password for a "password protected zip" file, that isn't encryption per-se, so your script will be detected as a zip file, not an encrypted file.
Also noteworthy is, many of these ransomware files change on every iteration. E.g., locky appends a *.locky to each file, so while some may be easy to detect, imagine if all your files were renamed to random checksums. Now you cannot identify files: E.g.:
MD5 ("salesfile") = 64d11ab29c2d78b325d8a944119d1150.doc
MD5 ("payrollfile") = d9087b158cd38e844999456d17611f1c.doc
MD5 ("engineeringfile") = 14e8e9011a4d3343df39e35fc7f2cd29.doc
MD5 ("researchfile") = 26779202429523339305a90e6ec74146.doc
MD5 ("managementfile") = 419765bc586cdd1bf741afe771951bec.doc
Now you have a bigger issue. Which file is more mission critical to spend time "cracking/decrypting/etc." For the most part, the file command on Unix based systems, and or the Powershell script should give you a starting point. There is also YARA if you REALLY want to be technical about it. Create a YARA signature, and use that to search.