Deploying Decoy Files for Ransomware Detection

When to Use

  • Setting up early-warning detection for ransomware on file servers or endpoints
  • Supplementing EDR/AV with a deception-based detection layer that catches unknown ransomware variants
  • Creating high-fidelity ransomware alerts with very low false-positive rates: legitimate users have no reason to modify, rename or delete decoy files. Alert on writes, renames and deletions, not on reads, because backup agents, search indexers and AV scanners read every file on a share
  • Testing ransomware response procedures by validating that canary file modifications trigger the expected alerting pipeline
  • Protecting high-value file shares (finance, HR, legal) with tripwire files that indicate unauthorized encryption activity

Do not use decoy files as the sole ransomware defense. They are a detection mechanism, not a prevention mechanism: by the time a canary is touched, real files in the same directory may already be encrypted. Route canary alerts into an automated response (isolate the host, revoke the user's share access) and keep backups, EDR, and access controls in place alongside them.

Prerequisites

  • Python 3.8+ with watchdog library for cross-platform file system monitoring
  • Administrative access to target file shares or endpoints for canary placement
  • File integrity monitoring (FIM) tool or SIEM integration for alert routing
  • Understanding of target directory structure to place canaries in high-value locations
  • Windows: NTFS change journal or ReadDirectoryChangesW API access
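The procedure implied by the sections above (plant decoys in a high-value directory, baseline them, alert on modification or rename, validate the pipeline with a simulated attack), as an added example that is not part of this skill's own code. It uses only the Python standard library with a polling integrity check instead of watchdog so it runs anywhere; in a deployment the same check_canaries() call would sit behind a watchdog FileSystemEventHandler (on_modified, on_moved, on_deleted) or a scheduled task, and its alert dicts would be forwarded to the SIEM. The decoy names, the 7.0 bits/byte entropy cut-off and the simulate_ransomware helper are assumptions made for illustration.

```python
"""Plant decoy files and detect ransomware-style tampering (added example).

Polling integrity check using only the standard library. The decoy names,
the entropy threshold and simulate_ransomware() are assumptions for this demo.
"""
import hashlib
import math
import os
import secrets
import tempfile
from pathlib import Path

# Assumed decoy names: they sort to the start/end of a listing (ransomware often
# walks directories in order) and look worth encrypting. Adjust per target share.
DEFAULT_CANARY_NAMES = (
    "!!_passwords_backup.xlsx",
    "000_payroll_2024.docx",
    "zz_board_minutes.pdf",
)
ENCRYPTED_ENTROPY_THRESHOLD = 7.0  # bits/byte; assumed cut-off, ciphertext is ~8.0


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample: documents and text sit well below 7, ciphertext near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def plant_canaries(target: Path, names=DEFAULT_CANARY_NAMES) -> dict:
    """Write low-entropy decoys and return a baseline manifest {name: {sha256, size}}.

    Keep the manifest on the monitoring host, not on the share, otherwise the
    ransomware encrypts the baseline together with the decoys.
    """
    target.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for name in names:
        p = target / name
        filler = (f"CONFIDENTIAL - {name}\n" + "lorem ipsum dolor sit amet " * 200).encode()
        p.write_bytes(filler)
        manifest[name] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    return manifest


def check_canaries(target: Path, manifest: dict) -> list:
    """Compare decoys with the baseline; return one alert dict per tampered decoy.

    Reads are deliberately ignored: backup agents, indexers and AV read every file.
    Only rename/delete and content change count as ransomware indicators.
    """
    alerts = []
    for name, expected in manifest.items():
        p = target / name
        if not p.exists():
            # Renamed with an extension such as .locked, or deleted outright.
            renamed = sorted(q.name for q in target.iterdir() if q.name.startswith(name))
            alerts.append({"file": name, "event": "missing", "renamed_to": renamed})
            continue
        if p.stat().st_size != expected["size"] or sha256_file(p) != expected["sha256"]:
            ent = shannon_entropy(p.read_bytes()[:65536])
            alerts.append({"file": name, "event": "modified", "entropy": round(ent, 2),
                           "likely_encrypted": ent >= ENCRYPTED_ENTROPY_THRESHOLD})
    return alerts


def simulate_ransomware(target: Path, names=DEFAULT_CANARY_NAMES) -> None:
    """Constructed attack for validating the pipeline: overwrite one decoy with
    random bytes (stand-in for ciphertext) and rename another with a .locked suffix."""
    (target / names[0]).write_bytes(secrets.token_bytes(4096))
    os.replace(target / names[1], target / (names[1] + ".locked"))


def run_demo() -> tuple:
    """Plant, confirm a clean baseline, attack, re-check. Returns (baseline, after)."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp) / "finance"
        manifest = plant_canaries(share)
        baseline = check_canaries(share, manifest)
        simulate_ransomware(share)
        after = check_canaries(share, manifest)
    return baseline, after


if __name__ == "__main__":
    before, after = run_demo()
    print("baseline alerts:", before)
    for alert in after:
        print("ALERT", alert)
```

Running the script plants three decoys in a temporary directory, confirms the baseline check returns no alerts, then fires the simulated attack and reports one "modified" alert with likely_encrypted set and one "missing" alert naming the .locked file. The size comparison runs before the hash so that a large share can be polled cheaply; the entropy field lets the SIEM rule distinguish in-place encryption from a benign overwrite.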
First seen: Mar 20, 2026