Leveraging File Hash Monitoring as a Proactive Early Warning System for Cybersecurity
Abstract
This study examines the behavior of Hidden Tear, an open-source ransomware, through a controlled attack conducted in a virtual environment. A Windows 11 virtual machine was used to execute the ransomware after several configuration adjustments and troubleshooting steps. A key aspect of the study was the use of Autopsy to record and verify file hashes before, during, and after the ransomware attack. The findings indicate that although Hidden Tear alters the file hashes during the encryption process, it restores them to their original values upon decryption, thereby preserving file integrity. These results highlight the efficacy of file hash monitoring as a crucial technique for security analysts to detect and analyze ransomware attacks. The study advocates further research into automated hashing tools, which could significantly enhance rapid identification and prevention of ransomware threats by enabling real-time monitoring of changes in file properties.

Key Terms – file hashes, file integrity, Hidden Tear, ransomware.
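The before/during/after hash comparison described in the abstract, written out as a small monitoring routine. This is an added example, not code from the paper or from Autopsy: it builds a SHA-256 baseline of a directory, re-hashes the tree, reports modified, added and deleted files, and flags a mass-modification rate that a ransomware run would produce. The sample files and the byte-flipping "encryption" stand-in are constructed here for the demonstration; they are not Hidden Tear's cipher or file layout.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map of relative path -> SHA-256 for every regular file under root (the baseline)."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline, current):
    """Diff two snapshots: files whose hash changed, files that appeared, files that vanished."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "deleted": sorted(k for k in baseline if k not in current),
    }


def mass_change_alert(report, baseline_size, threshold=0.5):
    """Return (fraction of baseline files modified, alert flag).

    A single edited document is normal; a large fraction of the tree changing
    between two snapshots is the early-warning signal the abstract argues for.
    """
    if baseline_size == 0:
        return 0.0, False
    fraction = len(report["modified"]) / baseline_size
    return fraction, fraction >= threshold


def demo():
    """Constructed walk-through: baseline, simulated encryption, decryption, re-check."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        # Constructed sample files standing in for a user's documents.
        sample = {
            "docs/a.txt": b"quarterly report",
            "docs/b.txt": b"meeting notes",
            "img/c.bin": bytes(range(64)),
        }
        for rel, data in sample.items():
            p = root / rel
            p.mkdir(parents=True, exist_ok=True) if p.is_dir() else p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)

        baseline = snapshot(root)

        # Stand-in for encryption: invert every byte of the two documents.
        # This is a reversible placeholder, not Hidden Tear's algorithm.
        targets = ["docs/a.txt", "docs/b.txt"]
        for rel in targets:
            p = root / rel
            p.write_bytes(bytes(b ^ 0xFF for b in p.read_bytes()))
        during = compare(baseline, snapshot(root))
        fraction, alert = mass_change_alert(during, len(baseline))

        # Stand-in for decryption: invert the bytes back, then re-verify.
        for rel in targets:
            p = root / rel
            p.write_bytes(bytes(b ^ 0xFF for b in p.read_bytes()))
        after = compare(baseline, snapshot(root))

        return {"during": during, "fraction": fraction, "alert": alert, "after": after}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run as a script it prints the "during" report with both documents listed as modified and the alert raised, then an empty "after" report once the bytes are restored, mirroring the hash-restoration finding in the abstract. In a deployment the baseline would be written to storage the monitored host cannot modify, and `snapshot` would be re-run on a schedule or from a file-change notification.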