
Dev builds tool to catch ransomware faking pdfs—because apparently hackers still win by renaming files in 2023
A cybersecurity expert, AnasRm01, has developed a tool to combat extension spoofing, a tactic in which attackers disguise malware as legitimate files by giving it a harmless-looking extension. The tool, available on GitHub, validates file extensions against magic numbers (the format signature in a file's leading bytes) in real time, quarantining mismatched files and outputting SIEM-ready JSON logs. It uses inotify on Linux and watchdog on Windows to monitor file creation and modification, and records a SHA256 hash and user attribution for each event. The expert created the tool after noticing ransomware slipping through because attackers had renamed malware files with legitimate extensions, such as invoice.pdf. The solution has been tested on CentOS, Ubuntu, and Windows 10/11, and uses less than 10 MB of RAM and 1% CPU. It has various use cases, including monitoring web server upload directories and compliance logging for PCI-DSS. The tool's development highlights the importance of file integrity monitoring in preventing cyber attacks, and its open-source nature allows for community feedback and contribution.
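To make the detection logic concrete, here is an added example (not the project's own code, and not taken from the article) that performs the core check described above: read a file's leading bytes, compare them against a small constructed table of magic numbers for the claimed extension, hash the file with SHA256, quarantine it on a mismatch, and emit one JSON record per file. The signature table, the temporary sample files, and the function names are all assumptions made for this illustration; the real tool's use of inotify/watchdog for live monitoring is replaced by a one-shot directory scan so the example runs offline.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Constructed signature table for this example: extension -> accepted leading
# byte sequences (magic numbers). A real deployment would use a fuller table.
MAGIC_NUMBERS = {
    ".pdf": [b"%PDF-"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
    ".zip": [b"PK\x03\x04"],
    ".docx": [b"PK\x03\x04"],
    ".exe": [b"MZ"],
    ".dll": [b"MZ"],
}


def detect_types(header: bytes) -> set:
    """Return the set of extensions whose magic number matches the header bytes."""
    return {ext for ext, sigs in MAGIC_NUMBERS.items()
            if any(header.startswith(sig) for sig in sigs)}


def check_file(path: str) -> dict:
    """Compare a file's claimed extension with its magic number and build a JSON-ready record."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        header = fh.read(16)
        fh.seek(0)
        digest = hashlib.sha256(fh.read()).hexdigest()
    matches = detect_types(header)
    if ext not in MAGIC_NUMBERS:
        verdict = "unknown_extension"      # no signature to compare against
    elif ext in matches:
        verdict = "ok"                     # extension agrees with content
    else:
        verdict = "mismatch"               # content is not what the name claims
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "path": path,
        "claimed_extension": ext,
        "detected_types": sorted(matches),
        "sha256": digest,
        "verdict": verdict,
    }


def quarantine(path: str, quarantine_dir: str) -> str:
    """Move a mismatched file out of its original location and return the new path."""
    os.makedirs(quarantine_dir, exist_ok=True)
    dest = os.path.join(quarantine_dir, os.path.basename(path) + ".quarantined")
    os.replace(path, dest)
    return dest


def scan_directory(directory: str, quarantine_dir: str) -> list:
    """One-shot scan standing in for the tool's live inotify/watchdog monitoring."""
    records = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        record = check_file(path)
        if record["verdict"] == "mismatch":
            record["quarantined_to"] = quarantine(path, quarantine_dir)
        records.append(record)
    return records


def demo() -> list:
    """Build constructed sample files in a temp dir and scan them."""
    workdir = tempfile.mkdtemp()
    samples = {
        "report.pdf": b"%PDF-1.7\n%constructed sample\n",        # genuine PDF header
        "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 60,             # PE header under a .pdf name
        "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,           # genuine PNG header
    }
    for name, data in samples.items():
        with open(os.path.join(workdir, name), "wb") as fh:
            fh.write(data)
    records = scan_directory(workdir, os.path.join(workdir, "quarantine"))
    for record in records:
        print(json.dumps(record))   # one JSON object per line, easy for a SIEM to ingest
    return records


if __name__ == "__main__":
    demo()
```

Running the block scans three constructed files: the two genuine ones are logged with verdict `ok`, while `invoice.pdf`, whose bytes begin with the `MZ` executable signature, is logged as a `mismatch`, moved to the quarantine directory, and its SHA256 recorded so the event can be correlated with other telemetry. Only the first 16 bytes are read for the signature check, which keeps the per-file cost small even on large uploads.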