US12464020B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12464020-B2 |
| Application number | US-202418620399-A |
| Country | US |
| Kind code | B2 |
| Filing date | Mar 28, 2024 |
| Priority date | Mar 28, 2024 |
| Publication date | Nov 4, 2025 |
| Grant date | Nov 4, 2025 |
Abstract
Systems and methods for protecting computing systems against ransomware attacks using AI-generated virtual file honeypots. Generative AI comprising a large language model generates virtual file honeypots automatically in response to attack vectors associated with suspect actors and ransomware families.
Claims
The invention claimed is:
1. A method for automatic generation of virtual file honeypots (VFHs) for protecting a target computing system (CS) against ransomware attacks using an artificial intelligence (AI) device, the method comprising: pretraining a generative machine-learning device comprising a large language model (LLM) to generate VFHs for specific ransomware families and characteristic activities, wherein the pretraining comprises: collecting a pretraining training dataset from threat-intelligence sources of ransomware data, wherein ransomware data comprises data specific to a ransomware family, extracting features from the training dataset using natural language processing (NLP), and categorizing the pretraining dataset based on ransomware families; monitoring an operation of the CS; determining whether the operation comprises suspicious activity according to a policy; identifying a suspect actor associated with the suspicious activity; collecting behavior information and characteristics of the suspect actor; identifying a predicted ransomware family based on the operation comprising suspicious activity; configuring VFH properties based on the predicted ransomware family and the collected behavior information and characteristics of the suspect actor; and generating a plurality of VFHs according to the configured VFH properties using the generative machine-learning device.
2. The method of claim 1, wherein identifying a predicted ransomware family is further based on the identified suspect actor.
3. The method of claim 1, wherein the pretraining dataset further comprises leaked data associated with known ransomware attacks.
4. The method of claim 1, wherein the pretraining dataset further comprises historical ransomware data of the CS.
5. The method of claim 1, wherein the characteristics include a certificate, a hash of a file, a binary file, or a reputation.
6. The method of claim 1, further comprising: identifying a process, or an injected thread in a trusted process, created by the suspect actor on the CS; providing the process, or the injected thread in a trusted process, with the plurality of generated VFHs; and detecting the suspect actor as a source of malware by performing a heuristic analysis.
7. The method of claim 1, further comprising implementing a partial update of the pretraining dataset with: updated ransomware data collected from threat-intelligence sources; data collected by crawlers; and data from the target CS.
8. The method of claim 1, wherein pretraining the LLM to generate VFHs further comprises performing testing scenarios, including: generating a test VFH using the generative machine-learning device for a test case, corresponding to a known ransomware and corresponding known ransomware family, test behavior information and test characteristics of a test suspect actor; executing the known ransomware in an isolated environment; providing a process of the known ransomware with the test VFHs; detecting the known ransomware by performing a heuristic analysis; generating a feedback loop about the VFHs for retraining the generative machine-learning device; and retraining the generative machine-learning device based on the known ransomware family, the test behavior information, the test characteristics of the test suspect actor, and the feedback loop.
9. The method of claim 1, further comprising dynamically updating the predicted ransomware family for the suspect actor identification based on an analysis of current CS operations and the behavior of the potentially malicious actor.
10. The method of claim 1, further comprising generating a feedback loop for a generated VFH, wherein the feedback loop comprises confirmed malware detections, a predicted ransomware family, behavior information, and characteristics of the potentially malicious actor for retraining of the generative machine-learning module.
11. The method of claim 1, wherein identifying the predicted ransomware family comprises: matching suspect actor operations using the generative machine learning device applied to operations of the known ransomware families; analyzing static features of program code associated with the suspect actor operations; or analyzing Windows Portable Executables (PE) using a PE-machine learning model trained based on known ransomware to determine a ransomware family.
12. The method of claim 1, further comprising validating the generated VFHs against predefined criteria associated with a specific ransomware family, wherein the predefined criteria include file format, file size, file content, or file structure.
13. The method of claim 1, further comprising initiating a security action based on a detected malware, wherein the security action generates an alert to a user of the CS and provides the user of the CS with detection results, wherein the detection results comprise: an indication of the potentially malicious actor as malware injection; suspending the injected thread created by the malware injection; terminating the injected thread created by the malware injection; or performing CS recovery based on an existing snapshot, wherein the CS recovery does not include any of the plurality of generated VFHs.
14. A system for automatic generation of virtual file honeypots (VFHs) for protecting a target computing system (CS) comprising user space and kernel space against ransomware attacks using an artificial intelligence (AI) device, the system comprising: a pretrained generative AI device coupled to a processor and a storage medium comprising a large language model (LLM) to generate VFHs for specific ransomware families and characteristic activities, wherein the pretrained generative AI device is pretrained by: collecting a pretraining training dataset from threat-intelligence sources of ransomware data, wherein ransomware data comprises data specific to a ransomware family, extracting features from the training dataset using natural language processing (NLP), and categorizing the pretraining dataset based on ransomware families; a virtual honeypot driver, operating in kernel space and in communication with the AI device, configured for: monitoring an operation of the CS and determining whether the operation comprises suspicious activity according to a policy, identifying a suspect actor associated with the suspicious activity, collecting behavior information and characteristics of the suspect actor, identifying a predicted ransomware family based on the operation comprising suspicious activity, configuring, by the AI device, VFH properties based on the predicted ransomware family and the collected behavior information and characteristics of the suspect actor, and generating, by the AI device, a plurality of VFHs according to the configured VFH properties using the generative machine-learning device; a filesystem comprising a plurality of files in user space; and a plurality of VFHs created by the virtual honeypot driver and configured to mimic targets of the predicted ransomware family.
15. The system of claim 14, wherein identifying a predicted ransomware family is further based on the identified suspect actor.
16. The system of claim 14, wherein the pretraining dataset further comprises leaked data associated with known ransomware attacks.
17. The system of claim 14, wherein the pretraining dataset further comprises historical ransomware data of the CS.
18. The system of claim 14, wherein the characteristics includ
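The claims above describe a defensive pipeline: derive decoy-file properties from a predicted ransomware family and the suspect actor's observed behaviour (claim 1), validate the generated decoys against predefined criteria such as format, size, content and structure (claim 12), and flag a process that tampers with decoys through heuristic analysis before taking a security action (claims 6 and 13). The following Python block is an added example written for this page; it is not the patent's code nor any vendor's implementation. The family profiles (`FAMILY_A`, `FAMILY_B`), magic bytes, directory names and file-system events are all constructed, and a seeded random generator stands in for the generative model.

```python
"""Toy model of the claimed VFH (virtual file honeypot) pipeline.

Added example, not the patent's code. Everything in FAMILY_PROFILES, MAGIC and
the event list is constructed for illustration.
"""
from dataclasses import dataclass
import hashlib
import os
import random

# Constructed profiles (assumption): which file types and sizes a predicted
# family is expected to target. In the claimed system these properties would
# come from the pretrained model and its threat-intelligence dataset.
FAMILY_PROFILES = {
    "FAMILY_A": {"extensions": [".docx", ".xlsx"], "size_range": (20_000, 200_000)},
    "FAMILY_B": {"extensions": [".sql", ".bak"], "size_range": (100_000, 500_000)},
}

# Constructed leading bytes used as the "file structure" criterion of claim 12.
MAGIC = {".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".sql": b"-- ", ".bak": b"TAPE"}


@dataclass
class VFH:
    path: str
    content: bytes
    family: str

    @property
    def sha256(self) -> str:
        """Hash kept so a later tamper can be compared against the original."""
        return hashlib.sha256(self.content).hexdigest()


def configure_vfh_properties(family: str, actor_info: dict) -> dict:
    """Claim 1: decoy properties follow the predicted family and the collected
    behaviour of the suspect actor (here: directories it has touched)."""
    profile = FAMILY_PROFILES[family]
    return {
        "extensions": profile["extensions"],
        "size_range": profile["size_range"],
        "directories": actor_info.get("touched_dirs", ["C:/Users/Public"]),
    }


def generate_vfhs(family: str, props: dict, count: int, rng: random.Random) -> list[VFH]:
    """Stand-in for the generative model: emits decoys matching the properties."""
    decoys = []
    for i in range(count):
        ext = props["extensions"][i % len(props["extensions"])]
        size = rng.randint(*props["size_range"])
        body = MAGIC[ext] + rng.randbytes(size - len(MAGIC[ext]))
        directory = props["directories"][i % len(props["directories"])]
        decoys.append(VFH(f"{directory}/decoy_{i}{ext}", body, family))
    return decoys


def validate_vfh(vfh: VFH, props: dict) -> bool:
    """Claim 12: check format (extension), size, structure (leading bytes) and
    content (the file is not empty or constant, which would look fake)."""
    ext = os.path.splitext(vfh.path)[1]
    lo, hi = props["size_range"]
    return (ext in props["extensions"]
            and lo <= len(vfh.content) <= hi
            and vfh.content.startswith(MAGIC[ext])
            and len(set(vfh.content[:256])) > 4)


def heuristic_analysis(events: list[dict], decoys: list[VFH]) -> dict[int, list[str]]:
    """Claims 6/13: no legitimate process should modify a decoy, so any write,
    rename or delete on a decoy path is attributed to the acting pid."""
    decoy_paths = {d.path for d in decoys}
    hits: dict[int, list[str]] = {}
    for ev in events:
        if ev["path"] in decoy_paths and ev["op"] in ("write", "rename", "delete"):
            hits.setdefault(ev["pid"], []).append(ev["path"])
    return hits


def security_action(hits: dict[int, list[str]], threshold: int = 2) -> list[tuple[int, str]]:
    """Claim 13: one touched decoy suspends the thread, repeated tampering
    terminates it (threshold is a constructed policy value)."""
    return [(pid, "terminate" if len(paths) >= threshold else "suspend")
            for pid, paths in hits.items()]


def run_demo() -> dict:
    rng = random.Random(1)  # fixed seed keeps the output deterministic
    actor = {"pid": 4242, "touched_dirs": ["C:/Users/alice/Documents", "C:/Shares/Finance"]}
    family = "FAMILY_A"  # would be produced by the family classifier of claim 11
    props = configure_vfh_properties(family, actor)
    decoys = [d for d in generate_vfhs(family, props, count=4, rng=rng)
              if validate_vfh(d, props)]
    events = [  # constructed file-system events as the kernel driver would report them
        {"pid": 4242, "op": "write", "path": decoys[0].path},
        {"pid": 4242, "op": "rename", "path": decoys[1].path},
        {"pid": 100, "op": "read", "path": decoys[2].path},  # benign read, ignored
        {"pid": 7, "op": "write", "path": "C:/Users/alice/Documents/budget.xlsx"},
    ]
    hits = heuristic_analysis(events, decoys)
    return {"valid": len(decoys), "hits": hits, "actions": security_action(hits)}


if __name__ == "__main__":
    print(run_demo())
```

The decoy paths are placed in directories the suspect actor already touched, which is the point of configuring VFH properties from collected behaviour rather than scattering decoys uniformly; the validation step rejects decoys that would be easy to distinguish from real files (wrong extension, implausible size, missing structure, constant content) before they are exposed to the process.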
Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks · CPC title
Event detection, e.g. attack signature detection · CPC title
using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment · CPC title