minsarawishka/RansomwareCanary


# Ransomware Behavior Canary & Monitoring System

A Python-based defensive cybersecurity tool designed to detect ransomware behavior in real-time using directory canaries (honeypot files) and File Integrity Monitoring (FIM).

## 🧐 How It Works

Ransomware typically encrypts files in alphabetical or numerical order (`0-9`, `A-Z`) to maximize damage before detection. This script exploits that behavior by:

1. Creating a "Canary Trap" file named `00_urgent_passwords.txt` inside the target directory.
2. Generating and saving a baseline SHA-256 cryptographic hash of the canary file.
3. Continuously monitoring the file every second.
4. If a malicious process modifies, encrypts, or deletes the canary file, the cryptographic hash changes. The script instantly triggers a high-severity alert to simulate incident response (e.g., shutting down network connections).

## 🚀 Features

* **Real-time Integrity Monitoring:** Uses SHA-256 hashing to spot unauthorized changes instantly.
* **Strategic Honeypotting:** High-priority naming convention (`00_`) ensures it catches ransomware early in its encryption cycle.
* **Automated Alerting:** Visual high-severity warnings for both file modification and deletion events.
* **Zero Dependencies:** Pure Python implementation requiring no heavy external modules.

## 💻 Usage Demonstration

1. Run the monitoring script:

```bash
python3 canary_monitor.py
```
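The four steps under "How It Works" can be sketched with the standard library alone. This is an added example, not the repository's `canary_monitor.py`; the function names, the decoy file content and the `max_checks` parameter are assumptions made for illustration.

```python
import hashlib
import tempfile
import time
from pathlib import Path

CANARY_NAME = "00_urgent_passwords.txt"  # file name taken from the README


def sha256_of(path: Path) -> str:
    """Hash the file in chunks so its size does not matter."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def deploy_canary(directory: Path) -> tuple[Path, str]:
    """Steps 1-2: create the canary file and record its baseline hash."""
    canary = directory / CANARY_NAME
    canary.write_text("admin:constructed-decoy-value\n")  # constructed decoy content
    return canary, sha256_of(canary)


def check_canary(canary: Path, baseline: str) -> str:
    """Step 4: classify the canary as OK, MODIFIED or DELETED."""
    try:
        current = sha256_of(canary)
    except FileNotFoundError:
        return "DELETED"  # the path is gone (removed or renamed)
    return "OK" if current == baseline else "MODIFIED"


def monitor(canary: Path, baseline: str, interval: float = 1.0, max_checks=None) -> str:
    """Step 3: poll every `interval` seconds; stop and alert on the first change."""
    checks = 0
    while max_checks is None or checks < max_checks:
        status = check_canary(canary, baseline)
        if status != "OK":
            print(f"[HIGH SEVERITY] canary {status}: {canary}")
            return status
        checks += 1
        time.sleep(interval)
    return "OK"


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        path, base = deploy_canary(Path(tmp))
        path.write_bytes(b"constructed ciphertext")  # simulated tampering
        monitor(path, base, interval=0.1, max_checks=3)
```

A rename of the canary to a new extension surfaces as `DELETED`, because the check looks only at the original path.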