# deploying-ransomware-canary-files

Featured | AI & Automation | 12,642 stars | 1468 forks | Updated today | Apache-2.0

Deploys and monitors ransomware canary files across critical directories using Python's watchdog library for real-time filesystem event detection. Places strategically named decoy files that mimic high-value targets (financial records, credentials, database exports) in locations ransomware typically enumerates first. Monitors for any read, modify, rename, or delete operations on canary files and triggers immediate alerts via email, Slack webhook, or syslog when interaction is detected, providing early warning before full encryption begins.


Quality Score: 99/100

| Component     | Weight | Score |
|---------------|--------|-------|
| Stars         | 20%    | 100   |
| Recency       | 20%    | 100   |
| Frontmatter   | 20%    | 70    |
| Documentation | 15%    | 100   |
| Issue Health  | 10%    | 50    |
| License       | 10%    | 100   |
| Description   | 5%     | 100   |

Skill Content

# Deploying Ransomware Canary Files

## When to Use

- Deploying proactive ransomware detection on file servers, NAS devices, or endpoint systems
- Building an early-warning system that detects ransomware before it encrypts business-critical data
- Supplementing EDR solutions with lightweight canary file monitoring on systems where agents cannot be deployed
- Testing ransomware incident response procedures by simulating canary file triggers
- Monitoring shared drives, home directories, and backup volumes for unauthorized file operations

**Do not use** as a replacement for endpoint protection, backup strategy, or network segmentation. Canary files are a detection layer, not a prevention mechanism.

## Prerequisites

- Python 3.8+ with pip
- watchdog library (`pip install watchdog`)
- Write access to directories where canary files will be placed
- SMTP server credentials or Slack webhook URL for alerting
- Administrative access for placing canaries in system directories

## Workflow

### Step 1: Generate Canary Files

Create decoy files with realistic names and content that attract ransomware scanners. Files should have names like `Passwords.xlsx`, `Financial_Report_2026.docx`, `backup_credentials.csv` and contain plausible-looking but fake data. Place them in directories ransomware typically targets first: user desktops, Documents folders, network share roots, and backup paths.

### Step 2: Deploy Filesystem Monitor

Use Python's watchdog library with a custom `FileSystemEventH...
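An added example covering Step 1 and Step 2 together (written for this page, not the skill's own code): it drops the decoy names listed above with fake content and a SHA-256 baseline, classifies watchdog events against that baseline so a rename to a `.locked`-style name or a real content rewrite is reported as critical while a read shows up as a warning, and wires a watchdog `Observer` to the classifier. The decoy body, the alert fields and the `emit()` sink are assumptions; `watch()` needs watchdog installed, the rest does not.

```python
import hashlib
import os
from datetime import datetime, timezone
# Decoy names and body are constructed for this example, not taken from the skill.
CANARY_NAMES = ("Passwords.xlsx", "Financial_Report_2026.docx", "backup_credentials.csv")
FAKE_BODY = b"ACCOUNT,USER,PASSWORD\nexample-bank,finance-admin,NotARealPassword123\n"

def deploy_canaries(directories, names=CANARY_NAMES):
    """Write one decoy per name into each directory; return {abs_path: sha256} baseline."""
    baseline = {}
    for directory in directories:
        os.makedirs(directory, exist_ok=True)
        for name in names:
            path = os.path.abspath(os.path.join(directory, name))
            with open(path, "wb") as fh:
                fh.write(FAKE_BODY)
            baseline[path] = hashlib.sha256(FAKE_BODY).hexdigest()
    return baseline

def classify_event(baseline, event_type, src_path, dest_path=None):
    """Alert dict if the event touched a canary, else None ('opened', Linux only, covers reads)."""
    src = os.path.abspath(src_path)
    if src not in baseline:
        return None
    critical = event_type in ("modified", "deleted", "moved")  # anything else: warning, not silence
    alert = {"time": datetime.now(timezone.utc).isoformat(), "canary": src,
             "event": event_type, "severity": "critical" if critical else "warning"}
    if event_type == "moved" and dest_path:  # ransomware often appends .locked/.encrypted
        alert["renamed_to"] = os.path.abspath(dest_path)
    elif event_type == "modified" and os.path.exists(src):  # distinguish a touch from a rewrite
        with open(src, "rb") as fh:
            alert["content_changed"] = hashlib.sha256(fh.read()).hexdigest() != baseline[src]
    return alert

def watch(baseline, directories, emit=print):
    # Attach a watchdog Observer; emit() receives each alert dict (swap in a Slack/syslog sender).
    from watchdog.events import FileSystemEventHandler  # local import: classify_event needs no watchdog
    from watchdog.observers import Observer
    class CanaryHandler(FileSystemEventHandler):
        def on_any_event(self, event):
            if event.is_directory:  # skip the parent directory's own 'modified' noise
                return
            alert = classify_event(baseline, event.event_type, event.src_path,
                                   getattr(event, "dest_path", None))
            if alert:
                emit(alert)
    observer = Observer()
    for directory in directories:
        observer.schedule(CanaryHandler(), directory, recursive=False)
    observer.start()  # caller keeps the process alive; on shutdown: observer.stop(); observer.join()
    return observer
```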

Details

- Author: mukul975
- Repository: mukul975/Anthropic-Cybersecurity-Skills
- Created: 3 months ago
- Last Updated: today
- Language: Python
- License: Apache-2.0


Similar Skills

Semantically similar based on skill content, not just the same category.

- deploying-decoy-files-for-ransomware-detection (DevOps & Infrastructure, Featured; mukul975, 12,642 stars, updated today): Deploys canary files (honeytokens) across file systems to detect ransomware encryption activity in real time. Uses strategically placed decoy documents monitored via file integrity monitoring or OS-level watchdogs to trigger alerts when ransomware modifies or encrypts them. Activates for requests involving ransomware canary deployment, honeyfile setup, deception-based ransomware detection, or file integrity monitoring for encryption.
- implementing-honeypot-for-ransomware-detection (AI & Automation, Featured; mukul975, 12,642 stars, updated today): Deploys canary files, honeypot shares, and decoy systems to detect ransomware activity at the earliest possible stage. Configures canary tokens embedded in strategic file locations that trigger alerts when ransomware attempts encryption, uses honeypot network shares that mimic high-value targets, and deploys Thinkst Canary appliances for comprehensive deception-based detection. Activates for requests involving ransomware honeypots, canary files, deception technology for ransomware, or early ransomware alerting.
- implementing-canary-tokens-for-network-intrusion (DevOps & Infrastructure, Featured; mukul975, 12,642 stars, updated today): Deploys DNS, HTTP, and AWS API key canary tokens across network infrastructure to detect unauthorized access and lateral movement. Integrates with webhook alerting (Slack, Teams, email, generic HTTP) for real-time intrusion notifications. Provides automated token generation, placement strategies, and monitoring for enterprise network environments. Use when building deception-based network intrusion detection with Canarytokens.org and Thinkst Canary platforms.
- implementing-deception-based-detection-with-canarytoken (AI & Automation, Solid; mukul975, 12,642 stars, updated today): Deploy and monitor Canary Tokens via the Thinkst Canary API for deception-based breach detection using web bug tokens, DNS tokens, document tokens, and AWS key tokens.
- detecting-ransomware-encryption-behavior (AI & Automation, Featured; mukul975, 12,642 stars, updated today): Detects ransomware encryption activity in real time using entropy analysis, file system I/O monitoring, and behavioral heuristics. Identifies mass file modification patterns, abnormal entropy spikes in written data, and suspicious process behavior characteristic of ransomware encryption routines. Activates for requests involving ransomware behavioral detection, entropy-based file monitoring, I/O anomaly detection, or real-time encryption activity alerting.