The number of victims of crypto ransomware is increasing. Thus far, methods that detect ransomware when it accesses target files or when it uses encryption APIs have been studied. However, the former method assumes that it will be operated within an analysis sandbox, and the latter can be evaded if the ransomware uses its own encryption functions. To protect users, the following two requirements must be met: (i) the ransomware must be detected in the user’s real-time environment, and (ii) it should be difficult for the ransomware to avoid detection. We propose a detection method that satisfies both requirements by using the characteristics of human file operations as a whitelist. In this paper, we evaluate the effectiveness of our prototype method, which inspects the consistency between the displayed documents and the user’s file operations.