Ransomware detection via monitoring open file or process

US12437070B2 · US · B2

Patent metadata

Publication number: US-12437070-B2
Application number: US-202318194624-A
Country: US
Kind code: B2
Filing date: Apr 1, 2023
Priority date: Apr 1, 2023
Publication date: Oct 7, 2025
Grant date: Oct 7, 2025

Abstract

Official abstract text for this publication.

A bait file owned by a bait process is created and locked in a computing system. Attempts to access the bait file or kill the bait process are detected. The process attempting to access the bait file or kill the bait process is viewed as malicious and protective operations are performed in the computing system.

First claim

Opening claim text (preview).

What is claimed is:

1. A method comprising: monitoring a bait file stored in a storage system of a computing system, wherein the bait file is owned by a bait process such that the bait file is locked by a locking process that is not a malware process, wherein the monitoring the bait file includes monitoring the bait process; detecting an access attempt to the bait file by a process operating in the computing system; determining that the process attempting to access the locked bait file is a malware process, wherein the access attempt includes an attempt to remove a lock on the bait file or kill the bait process; and performing a protection operation on the malware process.

2. The method of claim 1, further comprising creating the bait file in the storage system.

3. The method of claim 2, further comprising locking the bait file in the storage system by a locking process.

4. The method of claim 1, further comprising detecting the access attempt by a malware detection engine operating in a kernel space of the computing system.

5. The method of claim 1, wherein the protection operation comprises blocking the process.

6. The method of claim 1, wherein the protection operation comprises terminating the process.

7. The method of claim 1, wherein the protection operation comprises generating an infected snapshot and allowing the process to operate in a forensic environment, wherein the process is blocked in the computing system.

8. The method of claim 1, wherein the access attempt comprises accessing the bait file by any process other than the bait process or interfering with the bait process.

9. The method of claim 1, further comprising configuring the bait file or attributes of the bait file such that the bait file appears valuable in the computing system to cause the process to perform the access attempt.

10. A non-transitory storage medium having stored therein instructions that are executable by one or more hardware processors to perform operations comprising: monitoring a bait file stored in a storage system of a computing system, wherein the bait file is owned by a bait process such that the bait file is locked by a locking process that is not a malware process, wherein the monitoring the bait file includes monitoring the bait process; detecting an access attempt to the bait file by a process operating in the computing system; determining that the process attempting to access the locked bait file is a malware process, wherein the access attempt includes an attempt to remove a lock on the bait file or kill the bait process; and performing a protection operation on the malware process.

11. The non-transitory storage medium of claim 10, further comprising creating the bait file in the storage system.

12. The non-transitory storage medium of claim 11, further comprising locking the bait file in the storage system by a locking process.

13. The non-transitory storage medium of claim 10, further comprising detecting the access attempt by a malware detection engine operating in a kernel space of the computing system.

14. The non-transitory storage medium of claim 10, wherein the protection operation comprises blocking the process.

15. The non-transitory storage medium of claim 10, wherein the protection operation comprises terminating the process.

16. The non-transitory storage medium of claim 10, wherein the protection operation comprises generating an infected snapshot and allowing the process to operate in a forensic environment, wherein the process is blocked in the computing system.

17. The non-transitory storage medium of claim 10, wherein the access attempt comprises accessing the bait file by any process other than the bait process or interfering with the bait process.

18. The non-transitory storage medium of claim 10, further comprising configuring the bait file or attributes of the bait file such that the bait file appears valuable in the computing system to cause the process to perform the access attempt.

Assignees

Inventors

Classifications

  • the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms · CPC title

  • G06F21/562 · Primary

    Static detection · CPC title

  • eliminating virus, restoring damaged files · CPC title

  • G06F21/566 · Primary

    Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US12437070B2 cover?
A bait file owned by a bait process is created and locked in a computing system. Attempts to access the bait file or kill the bait process are detected. The process attempting to access the bait file or kill the bait process is viewed as malicious and protective operations are performed in the computing system.

Who is the assignee on this patent?
Dell Products Lp

What technology area does this patent fall under?
Primary CPC classification G06F21/562. Mapped technology areas include Physics.

When was this patent published?
Publication date Oct 7, 2025 (B2). Legal status and post-grant events are not shown on this page.

What related patents are in patentsdb?
We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).