The idea behind this is simple: if we detect that files are being changed quickly, we can still take steps to save much of the valuable data from a ransomware infection.
That’s why we create a “honeypot” of files that ransomware is likely to encrypt. On Windows those have the following extensions: doc, docx, jpg, png, xls, xlsx and txt. These files are filled with random content and placed in easily reachable locations (meaning not buried deep in the directory structure). Ransomware also usually goes through the file system structure in alphabetical order, so c:\afile\ would likely be hit sooner than c:\wrong\dang\files\honeypot\something.
Now that we have the honeypot files, we need to watch over them and, as soon as they are changed, send an alert, disconnect the network to prevent further infection, or shut down the computer.
We can solve this entirely within a Windows batch file using built-in Windows utilities (certutil.exe for generating MD5 hashes and fc.exe for comparing them). A simple task in Windows Task Scheduler runs the .bat at short intervals to get the job done.
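One way to build the check described above, as an added example that is not the author's code. The honeypot directory `C:\afile`, the state directory under `%ProgramData%` and the choice of shutdown as the emergency action are assumptions.

```batch
@echo off
rem Added example, not the author's script.
rem Assumed locations: HONEYDIR (honeypot files) and STATE (hash lists, log).
setlocal
set "HONEYDIR=C:\afile"
set "STATE=%ProgramData%\HoneyWatch"
set "BASELINE=%STATE%\baseline.txt"
set "CURRENT=%STATE%\current.txt"

if not exist "%STATE%" mkdir "%STATE%"

rem Hash every file in the honeypot directory into CURRENT.
call :hashall "%CURRENT%"

rem First run: store the known-good hashes and stop.
rem Delete baseline.txt after changing the honeypot files on purpose.
if not exist "%BASELINE%" (
    copy /y "%CURRENT%" "%BASELINE%" >nul
    exit /b 0
)

rem fc returns 0 when the two hash lists match, 1 or higher otherwise.
fc "%BASELINE%" "%CURRENT%" >nul
if errorlevel 1 goto :alarm
exit /b 0

:alarm
>>"%STATE%\alert.log" echo %date% %time% honeypot changed in %HONEYDIR%
rem Emergency action (assumed choice): force an immediate shutdown.
shutdown /s /f /t 0
exit /b 1

:hashall
rem certutil prints the file name and its MD5, so a modified, renamed,
rem deleted or newly added file all change the list written to %1.
(
    for %%F in ("%HONEYDIR%\*") do certutil -hashfile "%%F" MD5
) > "%~1"
exit /b 0
```

Because the whole directory listing is hashed, a ransom note dropped into the honeypot directory or an appended file extension triggers the alarm just as a content change does.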
If you are interested, I am willing to explain more or even sell the code along with documentation.
I also have such an application written in C#, which runs in the background, so there is no need to use Task Scheduler and the emergency action happens immediately when files are encrypted.