Ransomware: How to Detect and Stop them with Honeypots?

Ransomware is a type of malware that can encrypt the victim’s files, databases, or applications, and hold them for ransom. Once the ransomware finishes encrypting the victim’s files, the victims will be asked to pay the ransom (usually in Bitcoin) so that they can recover their encrypted files. Recent ransomware strains can take a copy of the victim’s data before encrypting them then threaten to expose the data to the public if the victim refuses to pay the ransom.

Ransomware attacks are on the rise. According to SonicWall, ransomware volume jumped from 115.8 million attacks in Q1 to 188.9 million attacks in Q2. The top three ransomware strains seen in the wild by SonicWall are Ryuk, Cerber, and SamSam with the United States being the most targeted country. For that reason, knowing how to detect and stop ransomware has become more critical than ever before.

Ransomware growth in 2021
Source: SonicWall

Most users and companies already utilize software solutions such as anti-virus software to defend against ransomware; however, they may fail to provide full protection against ransomware as many ransomware strains nowadays can evade such solutions; that is why using only antivirus software is no longer enough to keep your machine malware-free and there is a need to use additional techniques to form a second line of defense. One of those techniques is the Honeypots.

What Is Ransomware Honeypot?

Honeypots are an effective technique to detect and stop ransomware attacks, thus protecting the user’s important data from permanent damage. Anti-ransomware honeypots are decoy files that users can create and deploy in various system locations that no program nor user would ever tamper with. The system will monitor the created honeypots, and it will react if it detects any changes made to the honeypots. Since ransomware encrypts all files in every relevant folder, it would naturally also encrypt the honeypot files, thus alerting the system that a program is tampering with the honeypot.

To increase the effectiveness of honeypots in detecting and stopping ransomware; honeypots should have the following criteria:

  • Create honeypot files with file extensions that are commonly targeted by ransomware like text files, Microsoft Office documents, and PDFs.
  • Create honeypot files with random names and content so that ransomware won’t bypass them.
  • Create honeypots with file names that would allow ransomware to target them before targeting the user’s real files.
  • Create honeypot files in folders to minimize the chance of accidentally changing them by legitimate users or programs.
  • Create honeypot files in as many system locations as possible.

You can easily create honeypot files by yourself; however, you will need a program that can monitor the created honeypots, identify the process that changed the honeypot file, and react to honeypot changes. You can either use a general-purpose file system monitoring program to do the job; however, it will be a lot of work on your side to configure the software solution to monitor and react to the honeypot changes, or you can use our anti-ransomware solution CryptoBuster.

CryptoBuster has the following features that increase the effectiveness of honeypots:

  • Automate the creation and deployment of hundreds of honeypots in strategic system locations.
  • Uses optimized file names, extensions, and content for honeypot files to increase the effectiveness of honeypots.
  • Built-in tools to manage the created honeypot files.
  • Active monitoring of honeypots with a very low system footprint.
  • CryptoBuster can identify the process that changed the honeypot file.
  • CryptoBuster can be configured to react to honeypot changes with various actions like sending email notifications, suspending the suspicious process, or disabling the network.

In this guide, you will learn how to use CryptoBuster to create and manage honeypots; and how CryptoBuster reacts to honeypot changes.

Create Honeypots in CryptoBuster

Honeypots Wizard - CryptoBuster
CryptoBuster Honeypots Wizard

In CryptoBuster, you can either create honeypot files manually customizing their names, types, and locations, or you can use the Honeypots Wizard that can create hundreds of honeypots with optimized file names and types in all important system locations.

To create a custom honeypot file manually, follow the steps below:

  • From the CryptoBuster dashboard, under the Honeypots section select Manage.
  • In the Honeypots Manager, click the Create File button located in the lower-right part of the CryptoBuster’s user interface.
  • In the New Honeypot File dialog box, specify the honeypot file name, location, type, and options, then click the OK button to create and register the honeypot file with CryptoBuster.

To create honeypots using the Honeypots Wizard, follow the steps below:

  • From the CryptoBuster dashboard, under the Honeypots section select Manage.
  • In the Honeypots Manager, click the Honeypots Creation Wizard link located in the lower-left part of the CryptoBuster’s user interface.
  • In the Honeypots Wizard, specify the locations where you want to create honeypots, then click the Create Honeypots button to create and register the new honeypots file with CryptoBuster.

Manage Ransomware Honeypots

Honeypots Manager - CryptoBuster
CryptoBuster Honeypots Manager

Use the CryptoBuster Honeypots Manager to browse and manage all honeypots created and registered with CryptoBuster and get their details like names, locations, and types.

Honeypots Monitor

Honeypot Alert - CryptoBuster
CryptoBuster Honeypot Alert

CryptoBuster actively monitors honeypots for any unauthorized changes. If CryptoBuster detects that one or more of the created honeypots were changed, it will automatically apply the Honeypots Monitor actions that may include sending an email notification, suspending the program that changed the honeypot then terminating its process tree, and disabling all active network adapters (You can configure those actions in the CryptoBuster settings).

By default, CryptoBuster will terminate all processes and force the computer to shut down if three or more honeypot files are changed, as those changes strongly indicate an ongoing ransomware attack. Honeypots Monitor’s actions aim to protect your data and minimize the damage caused by ransomware.

CryptoBuster will also display a notification to inform the user about the changed honeypot file and which program changed it.


Honeypots is an effective technique with very low false-positive chances to detect and respond to ransomware attacks before any real files have been encrypted. CryptoBuster automates the creation and monitoring of honeypots, thus increasing the effectiveness of honeypots.

Smart PC Utilities, established in 2008, is a professional software developer specializing in creating innovative, powerful, and affordable system utility and security software.