CTERA adds data theft honeypot decoy

CTERA has added a decoy file and attack detection facility to its Ransom Protect offering.

The enterprise developer provides geo-distributed global cloud file and object data services, enabling distributed users to access shared and synchronized unstructured data. Its Ransom Protect feature uses machine learning (ML) models to detect anomalous user or app behavior – such as a spike in encrypted writes – and apply preventative measures at once. CTERA has added a decoy files facility to this, so that data exfiltration attempts by insiders or external malware attackers can be detected in real time and thus begin reactive measures.

CTERA CEO Oded Nagel explained: “Data exfiltration poses a severe risk to organizations, as threat actors can leverage stolen sensitive information for extortion, causing immense financial and reputational damage. With our new honeypot functionality as part of CTERA Ransom Protect, we are providing our customers robust active defense against these pernicious attacks, ensuring the protection of their valuable data assets.” 

Ransom Protect deploys decoy files within a customer’s file system. A blog by CTERA CTO Aron Brand explains: “Any attempt to access them enables CTERA’s software to identify and stop unauthorized access or attempts at data theft, effectively neutralizing threats before significant damage can occur.”

CTERA presentation slide
CTERA presentation slide

This enables Ransom Protect to defend customers against double extortion – an attack combining data exfiltration and encryption which has become a widespread cyber criminal attack method. Attackers first exfiltrate sensitive information from their targets before launching the ransomware encryption routine. They then demand attacked customers make a ransom payment to regain access to their encrypted data, threatening to expose the stolen data if the ransomware demand is not met. 

The Ransom Protect product provides:

  • Data exfiltration prevention Decoy files enabling real-time detection and blocking of data exfiltration attacks;
  • Real-time AI detection Machine learning algorithms identify behavioral anomalies suggesting fraudulent file activity, and block offending users within seconds;
  • Zero-day protection Does not rely on traditional signature update services;
  • Incident management Admin dashboard for real-time attack monitoring, incident evidence logging and post-attack forensics;
  • Instant recovery Near-instant recovery of any affected files from snapshots that are securely stored in an air-gapped, immutable cloud object storage;
  • One-Click Deployment Single-click feature activation on CTERA Edge Filers with latest version release.

Read more in a CTERA blog.


Commvault added ThreatWise honeypot malware deception and detection technology to its Metallic SaaS product in late 2022. Catalogic also introduced equivalent technology that year, with version 4.9 of its DPX product.