Enterprise communication networks are rapidly evolving to keep up with workplace changes and technological advances. Traditionally, enterprises have performed perimeter-based defense against external attacks by installing security systems at the perimeter of the enterprise network for business purposes. In the past, the boundaries between the enterprise network and the external network were clear. As a result, traditional perimeter-based approaches proved effective; however, these approaches have limited ability to effectively detect the attackers who have crossed the perimeter and entered the trust zone. To overcome the limitation of inability to detect an attacker inside the trusted zone, we propose to detect anomalous behavior by blocking regions of the file system. This allows one to quickly detect when an attacker is moving laterally in the trust zone, stealing or compromising information resources. If anomalous behavior such as file encryption occurs in an area block of the file system, the event is analyzed to detect ransomware. The experiments were conducted on real business files in a virtualized environment and a prototype was implemented to detect anomalies caused by the appearance of ransomware malware.