Check file type changes to help stop Ramsonware
Trace file type change.
This would help with Ramsonware.
They change the file type from eg. Excel file type to something else due to encryption and they do it on several files within a short period of time.

-
The Rename event includes changes to extensions. Directory Monitor is already very good at detecting and reacting to changes made by ransomware.
Please refer to the following idea: https://deventerprise.uservoice.com/forums/198724-general/suggestions/32745115-cryptolocker-ransomware
You can also check out this blog entry showing you how to configure things to stop ransomware: https://moonly.eu/enhance-your-security-against-ransomware-with-directory-monitor/