 This is a short introduction to decoyFS, a new file system developed at IBM Research for securing data at risk and preventing data theft and corruption attacks. To start, let's briefly talk about what motivated us to develop decoyFS. When we look at a commodity file system today, we see that they often show a single monolithic view of directories and files to all users and application processes also known as subjects. This means that file systems are easily exploitable by malicious subjects such as ransomware and other forms of malware. For example, they can encrypt and hold our data for ransom, modify or delete critical information and steal sensitive files. Notice that conventional file system protections like access control lists cannot fully prevent such attacks. To break this cycle, we realize that most genuine subjects only require access to directories, files and file types relevant to their work and do not need to know about all other files on the system. DecoyFS embraces this insight by transparently stacking multiple file system layers. These layers are called overlays and can be fully controlled in order to create customized views of the file system for every subject individually. DecoyFS offers three main controls when creating a customized view. First, it can hide files from being available to a subject. For example, it can only show the files required to accomplish a task for a given subject. Second, it can inject new files or replace or redact existing files with baits in order to lure subjects to interact with seemingly real files, all while maintaining a consistent view of the file system to a subject. And third, DecoyFS protects the base file system by intercepting white operations and redirecting them to its intermediate overlays. This allows DecoyFS to protect the base file system and resist data corruption and ransomware attacks. The controls of the DecoyFS overlays are informed by in-depth monitoring, analytics and security domain model along with policies. The overlays, which are maintained for every subject individually, offer customized views as well as a perfect blueprint from which to mine indicators of compromise and trigger alerts. Let's look at the decoy file system in action. This is a desktop environment using DecoyFS. In this demo, we show two different file browsers. The green file browser to the left is trusted, while the red file browser is untrusted. Notice that both browsers see the same file system structure, and up to this point, there are no apparent differences between them. So, a genuine user can open a sensitive file and inspect its contents normally. However, when an attacker attempts to open the same file, he's instead presented with different contents. Meanwhile, the file system records all the forensic marks left by the unauthorized file access in the overlay. Now, what would happen if a piece of real malware was executed on this machine? To answer this question, we will execute the Arribis ransomware. This ransomware infected thousands of websites hosted by a South Korean web hosting company in 2017 and resulted in over $1 million paid to recover data encrypted by the malware. When executed on the system protected by DecoyFS, the ransomware is presented with its isolated view of the file system. The ransomware encrypts all the relevant files it finds. While it appears to the malware that it was able to accomplish its mission, in reality, all modifications are confined to its very own view of the file system without affecting legitimate users, as we can see by looking at the green file browser to the left. DecoyFS was able to effectively deceive Arribis into disclosing its full behavior without posing any harm to the actual file system and user data.