The invention relates to a ransomware defense method and system. The method comprises the following steps that 1, overall hooking is performed on an API which must be called by ransomware in the kernel mode or the user mode of an operation system; 2, finite segment cheating data is generated and deployed; 3, when a process is subjected to file traversal operation, a certain amount of cheating datais inserted into the traversal result and returned back to the process so as to cheat the process; 4, when the API obtained after overall hooking finds that the process operates the cheating data, whether the cheating data is abnormally changes or not is monitored so that whether the process is a malicious act of the ransomware or not is determined; 5, if the process is the malicious act of the ransomware, the process is ended and the user is informed. Under the condition of low consumption and zero loss, real-time detection and termination can be performed on the process of the ransomware, and users' and enterprises' data and property safety are protected.