ranDecepter: Real-time Identification and Deterrence of Ransomware Attacks

📅 2025-07-31
🤖 AI Summary
Ransomware poses a severe threat to digital infrastructure, necessitating real-time, high-accuracy proactive defense mechanisms. This paper proposes a novel anti-ransomware framework that integrates active cyber deception with real-time analysis. It identifies ransomware in real time and isolates it within a deceptive environment, then identifies critical elements in the ransomware code to build an automated loop that repeatedly restarts the malicious process and sends counterfeit encryption information and secret keys to the attacker, forcing the attacker to store fabricated details for each victim and depleting their resources. Evaluated on 1,134 real-world ransomware samples and 12 benign applications, the system achieves 100% detection accuracy with zero false positives. Within 24 hours, it generates up to 9,223K fabricated entries in the attacker's database using 50 agents, substantially increasing attacker overhead.

📝 Abstract
Ransomware (RW) presents a significant and widespread threat in the digital landscape, necessitating effective countermeasures. Active cyber deception is a promising strategy to thwart RW and limit its propagation by misleading it with false information and revealing its true behaviors. Furthermore, RW often acts as a communication conduit between attackers and defenders, allowing deception to return false data to attackers and deplete their resources. This paper introduces ranDecepter, a novel approach that combines active cyber deception with real-time analysis to enhance defenses against RW attacks. ranDecepter identifies RW in real time and isolates it within a deceptive environment, autonomously identifying critical elements in the RW code to create a loop mechanism. By repeatedly restarting the malware and transmitting counterfeit encryption information and secret keys to the attacker, it forces the attacker to store these fabricated details for each victim, thereby depleting their resources. Our comprehensive evaluation of ranDecepter, conducted using 1,134 real-world malware samples and twelve benign applications, demonstrates a remarkable 100% accuracy in RW identification, with no false positives and minimal impact on response times. Furthermore, within 24 hours, ranDecepter generates up to 9,223K entries in the attacker's database using 50 agents, showcasing its potential to undermine attacker resources.

Problem

Research questions and friction points this paper is trying to address.

Real-time identification and isolation of ransomware attacks
Active cyber deception to mislead and deplete attacker resources
Accurate ransomware detection with minimal performance impact

Innovation

Methods, ideas, or system contributions that make the work stand out.

Combines active cyber deception with real-time analysis
Autonomously isolates ransomware in a deceptive environment
Generates fake encryption data to deplete attacker resources