
implementing-honeypot-for-ransomware-detection


Deploys canary files, honeypot shares, and decoy systems to detect ransomware activity at the earliest possible stage. Configures canary tokens embedded in strategic file locations that trigger alerts when ransomware attempts encryption, uses honeypot network shares that mimic high-value targets, and deploys Thinkst Canary appliances for comprehensive deception-based detection. Activates for requests involving ransomware honeypots, canary files, deception technology for ransomware, or early ransomware alerting.

Tags: General, ransomware, detection, honeypot, canary, defense, deception, scripts, assets


# Implementing Honeypot for Ransomware Detection

## When to Use

- Deploying early-warning detection for ransomware encryption attempts using canary files
- Creating honeypot file shares that detect lateral movement and data staging before encryption
- Supplementing EDR and SIEM-based detection with deception-layer alerts that have near-zero false positives
- Detecting ransomware variants that evade signature-based detection by triggering on file modification behavior
- Validating that ransomware detection capabilities work by testing with controlled encryption tools

**Do not use** as the sole ransomware detection mechanism. Honeypots are a high-confidence supplementary layer, not a replacement for EDR, network monitoring, and backup protection.

## Prerequisites

- File server or NAS infrastructure where canary files can be deployed
- Windows File Server Resource Manager (FSRM) or equivalent file activity monitoring
- Thinkst Canary or similar deception platform (optional, for advanced deployment)
- SIEM platform for centralizing honeypot alerts
- Administrative access to deploy canary files across file shares
- Network segment for honeypot systems (if deploying full honeypot servers)

## Workflow

### Step 1: Deploy Canary Files on File Shares

Place canary files in locations that ransomware will reach early in an encryption run. Anything that legitimately rewrites files on the share (search indexers, DLP scanners, sync clients, AV remediation) must be excluded from the canary paths or allowlisted in the monitor, otherwise the near-zero false-positive property of this layer is lost:

```powershell
# Deploy canary files across all file shares.
# Names are chosen to sort first in directory order: ransomware normally walks a
# directory with FindFirstFile/FindNextFile and encrypts in that (roughly
# alphabetical) order, so "!_..." and "000_..." are hit before real documents.

$shares = @("\\fileserver01\finance", "\\fileserver01\hr", "\\fileserver01\engineering")
$canaryNames = @(
    "!_IMPORTANT_DO_NOT_DELETE.docx",
    "000_Budget_2026_FINAL.xlsx",
    "_Confidential_Employee_Records.pdf",
    "AAAA_Quarterly_Report.docx"
)

foreach ($share in $shares) {
    foreach ($name in $canaryNames) {
        $targetPath = Join-Path $share $name
        # Plausible-looking content. The backtick before $42 and $45 matters:
        # in a double-quoted string "$42" is expanded as the (empty) variable $42.
        # The file is plain text with an Office extension; ransomware does not
        # care, but do not expect users to be able to open it in Word or Excel.
        $content = "This document contains confidential financial data.`n"
        $content += "Q4 2025 Revenue: `$42.3M | Q1 2026 Forecast: `$45.1M`n"
        $content += "Prepared by: Finance Department`n"
        # -Force lets a redeploy overwrite an existing hidden canary
        Set-Content -Path $targetPath -Value $content -Force
        # Hidden keeps users from opening or "tidying up" the file; ransomware
        # still enumerates hidden files, so detection is unaffected.
        (Get-Item $targetPath -Force).Attributes = [System.IO.FileAttributes]::Hidden
    }
}

# Also deploy in subdirectories (ransomware traverses recursively)
$subDirs = Get-ChildItem -Path "\\fileserver01\finance" -Directory -Recurse | Select-Object -First 20
foreach ($dir in $subDirs) {
    $canaryPath = Join-Path $dir.FullName "!_Budget_Summary.xlsx"
    Set-Content -Path $canaryPath -Value "Canary file for ransomware detection" -Force
    (Get-Item $canaryPath -Force).Attributes = [System.IO.FileAttributes]::Hidden
}
```

### Step 2: Configure File Integrity Monitoring on Canary Files

**Windows FSRM approach:**

```powershell
# Configure FSRM to alert on files written to the shares with known ransomware
# extensions. Extension matching only catches families that rename what they
# encrypt; many current families keep the original name or use a random
# suffix, so treat this as a cheap tripwire, not the primary control.

Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools

# Known ransomware extensions (extend from your threat-intel feed)
$ransomExtensions = @(
    "*.encrypted", "*.locked", "*.crypto", "*.crypt",
    "*.locky", "*.cerber", "*.zepto", "*.thor",
    "*.aesir", "*.zzzzz", "*.wallet", "*.onion",
    "*.wncry", "*.wcry", "*.lockbit", "*.BlackCat",
    "*.ALPHV", "*.rhysida", "*.play"
)

# Create file group for ransomware extensions
New-FsrmFileGroup -Name "Ransomware_Extensions" -IncludePattern $ransomExtensions

# A file screen with no notification is silent. Attach an event-log action;
# FSRM expands the bracketed placeholders when the screen fires.
$eventAction = New-FsrmAction -Type Event -EventType Error `
    -Body "Ransomware extension written under [File Screen Path] by [Source Io Owner]: [Source File Path]"

# Create file screen template
New-FsrmFileScreenTemplate -Name "Ransomware_Screen" `
    -IncludeGroup "Ransomware_Extensions" `
    -Notification $eventAction `
    -Active:$false  # Passive screening: alert without blocking the write

# Apply to all monitored shares (local paths on the file server)
$monitoredPaths = @("D:\Shares\Finance", "D:\Shares\HR", "D:\Shares\Engineering")
foreach ($path in $monitoredPaths) {
    New-FsrmFileScreen -Path $path -Template "Ransomware_Screen"
}
# Forward the resulting Application-log events (source SRMSVC) to the SIEM.
```

**Canary file modification monitoring with PowerShell FileSystemWatcher:**

```powershell
# Real-time canary file monitoring. Run this as a scheduled task or service
# under an account that stays resident: the watcher only fires while the
# process is alive. Paths are the local paths of the Step 1 canaries.
$canaryPaths = @(
    "D:\Shares\Finance\!_IMPORTANT_DO_NOT_DELETE.docx",
    "D:\Shares\HR\000_Budget_2026_FINAL.xlsx",
    "D:\Shares\Engineering\_Confidential_Employee_Records.pdf"
)

# Write-EventLog fails unless the event source exists; register it once (admin)
if (-not [System.Diagnostics.EventLog]::SourceExists("RansomwareCanary")) {
    New-EventLog -LogName Application -Source "RansomwareCanary"
}

$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = "D:\Shares"
$watcher.Filter = "*"
$watcher.IncludeSubdirectories = $true
$watcher.NotifyFilter = [System.IO.NotifyFilters]::FileName -bor `
                        [System.IO.NotifyFilters]::LastWrite -bor `
                        [System.IO.NotifyFilters]::Size
$watcher.EnableRaisingEvents = $true

$action = {
    $canaries = $Event.MessageData          # canary list passed in via -MessageData
    $ea = $Event.SourceEventArgs
    $path = $ea.FullPath
    $changeType = $ea.ChangeType
    $timestamp = $Event.TimeGenerated

    # A rename reports the NEW name in FullPath; the canary's original name is
    # in OldFullPath, so check both. -contains compares case-insensitively.
    $touched = @($path)
    if ($changeType -eq "Renamed") { $touched += $ea.OldFullPath }
    $isCanary = $false
    foreach ($p in $touched) {
        if ($canaries -contains $p) { $isCanary = $true; break }
    }

    # Alert only on canary activity. Alerting on every rename under the share
    # would fire on ordinary user work and bury the real signal.
    if ($isCanary) {
        $alertMsg = "RANSOMWARE ALERT: Canary file touched. Path: $path | Change: $changeType | Time: $timestamp"
        # Log to Windows Event Log (forward this to the SIEM)
        Write-EventLog -LogName Application -Source "RansomwareCanary" `
            -EventId 9999 -EntryType Error -Message $alertMsg
        # Send SIEM alert via syslog / agent
        # Trigger automated containment
    }
}

foreach ($eventName in "Changed", "Deleted", "Renamed") {
    Register-ObjectEvent -InputObject $watcher -EventName $eventName `
        -Action $action -MessageData $canaryPaths | Out-Null
}

# Keep the process alive so the handlers keep running
while ($true) { Wait-Event -Timeout 60 | Out-Null }
```
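Steps 1 and 2 deploy the canaries and watch them live; the other half of the procedure is keeping a baseline, classifying what actually happened to a canary that changed, and proving the detector fires before relying on it (the validation use case listed under When to Use). The following Python is an added example, not code from the page or from the skill: it baselines canaries by SHA-256, separates renamed, deleted, encrypted-in-place (high entropy) and merely-modified (low entropy) outcomes, and runs a controlled encryption simulation against a temporary directory. The canary names, the `.locked` extension and the entropy threshold are hypothetical choices for the demonstration.

```python
from __future__ import annotations

import hashlib
import math
import os
import tempfile
from pathlib import Path

# Hypothetical canary names for the demonstration; the body is repeated so the
# encrypted version is large enough for a stable entropy estimate.
CANARY_NAMES = ["!_IMPORTANT_DO_NOT_DELETE.docx", "000_Budget_2026_FINAL.xlsx"]
CANARY_BODY = b"This document contains confidential financial data.\n" * 100
RANSOM_EXT = ".locked"          # extension appended by the simulated encryptor
ENTROPY_THRESHOLD = 7.5         # bits/byte; text sits near 4, ciphertext near 8


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def deploy_canaries(share_root: Path) -> dict[str, str]:
    """Write the canary files and return the baseline {path: sha256}."""
    baseline: dict[str, str] = {}
    for name in CANARY_NAMES:
        p = share_root / name
        p.write_bytes(CANARY_BODY)
        baseline[str(p)] = hashlib.sha256(CANARY_BODY).hexdigest()
    return baseline


def verify_canaries(baseline: dict[str, str]) -> list[dict]:
    """Check each canary against the baseline; one alert per deviation.

    Outcomes are separated because they mean different things to the responder:
    renamed (extension-appending families), deleted, or changed in place, with
    in-place changes split into 'encrypted' (high entropy) and 'modified'
    (low entropy: an indexer, sync client or user touched it).
    """
    alerts = []
    for path, expected in baseline.items():
        p = Path(path)
        if p.exists():
            data = p.read_bytes()
            if hashlib.sha256(data).hexdigest() == expected:
                continue
            ent = shannon_entropy(data)
            reason = f"encrypted (entropy {ent:.2f})" if ent >= ENTROPY_THRESHOLD else "modified"
            alerts.append({"path": path, "reason": reason})
            continue
        # Encrypt-and-rename families leave a sibling that starts with the old name
        siblings = [s for s in p.parent.iterdir() if s.name.startswith(p.name)]
        if siblings:
            ent = shannon_entropy(siblings[0].read_bytes())
            reason = f"renamed to {siblings[0].name} (entropy {ent:.2f})"
        else:
            reason = "deleted"
        alerts.append({"path": path, "reason": reason})
    return alerts


def simulate_ransomware(share_root: Path, rename: bool) -> None:
    """Controlled encryption test: overwrite every file with random bytes in
    directory order and optionally append an extension. This is a fixture for
    exercising the detector, not malware; point it only at a throwaway directory."""
    for p in sorted(share_root.iterdir()):
        if p.is_file():
            p.write_bytes(os.urandom(p.stat().st_size))
            if rename:
                p.rename(p.with_name(p.name + RANSOM_EXT))


def run_detection_test(mode: str) -> list[dict]:
    """Deploy canaries into a temp dir, apply one scenario, return the alerts.

    mode: 'encrypt' (in place), 'rename' (encrypt + .locked), 'edit' (benign append).
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        baseline = deploy_canaries(root)
        if verify_canaries(baseline):
            raise RuntimeError("baseline must verify clean before the test")
        if mode == "edit":
            (root / CANARY_NAMES[0]).write_bytes(CANARY_BODY + b"Reviewed by audit.\n")
        else:
            simulate_ransomware(root, rename=(mode == "rename"))
        return verify_canaries(baseline)


if __name__ == "__main__":
    for scenario in ("encrypt", "rename", "edit"):
        print(scenario, run_detection_test(scenario))
```

The entropy split is what keeps the alert actionable: a hash mismatch alone cannot tell an encryptor from a content indexer that rewrote the file, while 7.9 bits/byte on a file that used to hold English text is not something a benign process produces. Run the three scenarios after every change to the monitoring pipeline, not just once at deployment.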

### Step 3: Deploy Honeypot Network Shares

Create decoy file shares that appear to contain high-value data:

```powershell
# Create honeypot shares on a dedicated decoy server.
# Nothing legitimate ever touches these paths, so ANY access is an alert.

$honeypotRoot = "D:\HoneypotShares"
$decoyShares = @("Executive_Compensation", "M&A_Documents", "Board_Meeting_Notes", "Customer_Database_Exports")

foreach ($name in $decoyShares) {
    $path = Join-Path $honeypotRoot $name
    New-Item -Path $path -ItemType Directory -Force | Out-Null
    # Broad access on purpose: the share must be enumerable and writable by any
    # compromised domain account, otherwise ransomware skips it and nothing fires.
    # This sets share permissions only; NTFS permissions on $path must allow the same.
    New-SmbShare -Name $name -Path $path `
        -FullAccess "DOMAIN\Domain Users" `
        -Description "$($name -replace '_', ' ') Files - Restricted"
}

# Populate with realistic-looking but fake documents
# Use document templates that look legitimate
$docContent = @"
CONFIDENTIAL - Executive Compensation Summary
FY 2026 Base Salary and Bonus Structures
CEO: [REDACTED] | CFO: [REDACTED] | CTO: [REDACTED]
Total Compensation Package: See Appendix A
"@
Set-Content -Path "$honeypotRoot\Executive_Compensation\FY2026_Comp_Summary.txt" -Value $docContent

# SACL: audit every read, write and delete by anyone, success and failure,
# inherited by all files and subfolders. Accesses then appear as Security
# event 4663; event 5145 (Detailed File Share) adds the SMB client address.
$acl = Get-Acl $honeypotRoot
$auditRule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList `
    "Everyone", "ReadAndExecute,Write,Delete", "ContainerInherit,ObjectInherit", "None", "Success,Failure"
$acl.AddAuditRule($auditRule)
Set-Acl $honeypotRoot $acl

# SACLs only produce events if Object Access auditing is enabled. Set it
# locally here, or centrally via GPO Advanced Audit Policy (the GPO wins on refresh).
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"Detailed File Share" /success:enable /failure:enable
```
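The SACL above turns every touch of the decoy tree into a Security event 4663 record; the SIEM side is what turns those records into alerts and decides how loudly to escalate. The following Python is an added example, not code from the page or the skill, of that correlation rule run over constructed 4663-shaped records. The decoy root, canary path, account names, process paths and allowlist are hypothetical; the AccessMask bits are the standard Windows file-access rights.

```python
from __future__ import annotations

from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical decoy locations for the demonstration (lower-cased on compare).
HONEYPOT_ROOTS = ("D:\\HoneypotShares\\",)
CANARY_FILES = {"D:\\Shares\\Finance\\!_IMPORTANT_DO_NOT_DELETE.docx".lower()}
# Only identities with a documented reason to touch decoys (e.g. the backup
# agent). Match on account AND process: a stolen service account driven from an
# unexpected binary must still alert. Every entry here is a blind spot.
ALLOWLIST = {("svc-backup", "C:\\Program Files\\BackupAgent\\agent.exe")}
# 4663 AccessMask bits that change or remove data:
# WriteData 0x2, AppendData 0x4, DELETE 0x10000, WRITE_DAC 0x40000
WRITE_BITS = 0x2 | 0x4 | 0x10000 | 0x40000
BURST_WINDOW = timedelta(seconds=60)
BURST_COUNT = 3                 # writes to distinct decoys within the window


def is_decoy(object_name: str) -> bool:
    name = object_name.lower()
    return name in CANARY_FILES or any(name.startswith(r.lower()) for r in HONEYPOT_ROOTS)


def correlate(events: list[dict]) -> list[dict]:
    """Turn parsed 4663 records into alerts and flag encryption-like bursts.

    Any non-allowlisted touch of a decoy is an alert: 'high' for reads (someone
    is browsing or staging), 'critical' for writes/deletes. Writes to several
    distinct decoys by one account inside BURST_WINDOW are marked as a burst.
    """
    alerts: list[dict] = []
    recent_writes: dict[str, deque] = defaultdict(deque)   # account -> (time, object)
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if ev["EventID"] != 4663 or not is_decoy(ev["ObjectName"]):
            continue
        account = ev["SubjectUserName"]
        if (account, ev["ProcessName"]) in ALLOWLIST:
            continue
        writing = bool(int(ev["AccessMask"], 16) & WRITE_BITS)
        burst = False
        if writing:
            window = recent_writes[account]
            window.append((ev["TimeCreated"], ev["ObjectName"].lower()))
            while window and ev["TimeCreated"] - window[0][0] > BURST_WINDOW:
                window.popleft()
            burst = len({obj for _, obj in window}) >= BURST_COUNT
        alerts.append({
            "time": ev["TimeCreated"],
            "account": account,
            "process": ev["ProcessName"],
            "object": ev["ObjectName"],
            "access": "write" if writing else "read",
            "severity": "critical" if writing else "high",
            "burst": burst,
        })
    return alerts


def make_event(t: datetime, user: str, process: str, obj: str, mask: str) -> dict:
    """Constructed record carrying the 4663 fields the rule uses (sample data only)."""
    return {"EventID": 4663, "TimeCreated": t, "SubjectUserName": user,
            "ProcessName": process, "ObjectName": obj, "AccessMask": mask}


T0 = datetime(2026, 1, 15, 9, 0, 0)
BACKUP = "C:\\Program Files\\BackupAgent\\agent.exe"
EXPLORER = "C:\\Windows\\explorer.exe"
DROPPER = "C:\\Users\\Public\\svchost.exe"     # suspicious: svchost outside System32
SAMPLE_EVENTS = [   # constructed sample, not real log data
    make_event(T0, "svc-backup", BACKUP, "D:\\HoneypotShares\\Executive_Compensation\\FY2026_Comp_Summary.txt", "0x1"),
    make_event(T0 + timedelta(seconds=5), "jdoe", EXPLORER, "D:\\Shares\\Finance\\Q4_Report.xlsx", "0x1"),
    make_event(T0 + timedelta(seconds=10), "jdoe", EXPLORER, "D:\\HoneypotShares\\Executive_Compensation\\FY2026_Comp_Summary.txt", "0x1"),
    make_event(T0 + timedelta(seconds=20), "svc-web", DROPPER, "D:\\HoneypotShares\\M&A_Documents\\deal_1.docx", "0x2"),
    make_event(T0 + timedelta(seconds=21), "svc-web", DROPPER, "D:\\HoneypotShares\\M&A_Documents\\deal_2.docx", "0x2"),
    make_event(T0 + timedelta(seconds=22), "svc-web", DROPPER, "D:\\HoneypotShares\\Board_Meeting_Notes\\2026-01.docx", "0x10000"),
    make_event(T0 + timedelta(seconds=23), "svc-web", DROPPER, "D:\\Shares\\Finance\\!_IMPORTANT_DO_NOT_DELETE.docx", "0x2"),
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a["severity"], a["account"], a["access"], a["object"], "BURST" if a["burst"] else "")
```

In the sample, the backup agent's read is suppressed, a user's read of a normal share is ignored, the same user's read of the decoy is a high alert, and the fourth write by `svc-web` in three seconds is already tagged as a burst, which is the point at which automated containment (disabling the account or its SMB sessions) is defensible. Keep the allowlist keyed on account plus process path; an allowlist keyed on account alone is exactly what a ransomware operator holding that account hopes for.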

### Step 4: Deploy Thinkst Canary Tokens

For organizations using Thinkst Canary or the free canarytokens.org service. Document and folder tokens fire when something opens or browses them, so they catch an intruder staging or reviewing files before and after exfiltration; they do not fire when ransomware encrypts the document in place, which is what the Step 1 canaries and the Step 2 monitor are for. Use both:

```bash
# Generate canary tokens via the Thinkst Canary console API.
# The create call returns JSON describing the new token, not the document;
# the file is then fetched from the download endpoint with the token id taken
# from that JSON. Check the console's API reference for the exact field names.

CONSOLE="https://CONSOLE.canary.tools"   # your console hostname
API_TOKEN="YOUR_API_TOKEN"

# Word document token (alerts when the document is opened)
TOKEN_ID=$(curl -s -X POST "$CONSOLE/api/v1/canarytoken/create" \
  -d "auth_token=$API_TOKEN" \
  -d "memo=Finance_Share_Canary" \
  -d "kind=doc-msword" | jq -r '.canarytoken.canarytoken')
curl -s "$CONSOLE/api/v1/canarytoken/download?auth_token=$API_TOKEN&canarytoken=$TOKEN_ID" \
  -o /tmp/canary_budget_report.docx

# PDF document token
TOKEN_ID=$(curl -s -X POST "$CONSOLE/api/v1/canarytoken/create" \
  -d "auth_token=$API_TOKEN" \
  -d "memo=HR_Share_Canary" \
  -d "kind=pdf-acrobat-reader" | jq -r '.canarytoken.canarytoken')
curl -s "$CONSOLE/api/v1/canarytoken/download?auth_token=$API_TOKEN&canarytoken=$TOKEN_ID" \
  -o /tmp/canary_employee_handbook.pdf

# Windows folder token (alerts when folder is browsed)
curl -X POST "$CONSOLE/api/v1/canarytoken/create" \
  -d "auth_token=$API_TOKEN" \
  -d "memo
```
