Abstract: Embodiments of the present invention are directed to providing a method for detecting and defeating ransomware on a computing device by monitoring selected “bait” files for suspicious file accessing activity. Whenever a bait file is accessed by any software, embodiments of the invention determine whether the accessing software is potentially ransomware. If ransomware is suspected, embodiments of the invention may halt execution of the suspected ransomware and may also take other remedial measures to issue warning notifications and to limit further damage to unaffected data files of the computing device. Such other remedial measures may include removing executable files associated with the suspected ransomware software, shutting down the computing device, and/or setting the computing device to reboot into a safe mode so that further ransomware removal steps can be taken.