Abstract: Backup data is leveraged to determine whether primary data has been encrypted by malware. The disclosed approach does not rely on recognizing particular malware instances or malware provenance, and thus can be applied to any body of data. Even a novel and previously unknown malware attack can be detected in this way. An illustrative data storage management system analyzes secondary copies it created over time, applies a multi-factor analysis to data recovered from the secondary copies and, based on the analysis, infers whether the primary data from which the secondary copies were created may be encrypted. The present approach uses successive versions of backup copies to find indicia of malware encryption, rather than trying to trace or identify the malware itself. Indicia of entropy correlate highly with encryption, such as encryption performed by malware attacks. Conversely, indicia of similarity correlate highly with lack of encryption of successive versions of documents.