Suspicious Appended Extension

Sigma Rules

Summary
This rule detects file rename operations in which a file receives an uncommon double extension, a tactic ransomware commonly uses to mark the files it has encrypted. It matches rename events whose source filename carries a common document or media extension such as .docx, .jpg or .pdf, and whose target filename contains or ends with an unexpected double extension such as ".doc.crypted" or ".jpg.locky".

To separate ransomware activity from benign renames, the rule excludes renaming patterns typical of backup operations and of known software: target filenames with backup-related extensions, and operations from paths associated with the Anaconda software. These exclusions reduce false positives so that alerts point to likely ransomware incidents. The rule targets Windows environments and is built on file rename event data, which makes it a useful component of file integrity and system security monitoring.
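As an added illustration (not the Sigma rule itself, nor code from the rule's authors), the following Python re-implements the logic described above and runs it over constructed file rename events; the extension list, the backup suffixes and the Anaconda path fragment are assumptions standing in for the rule's actual values.

```python
from dataclasses import dataclass

# Source extensions named in the summary (.docx, .jpg, .pdf) plus assumed
# additional common document/media types; the published rule's list may differ.
DOCUMENT_EXTENSIONS = (".doc", ".docx", ".xls", ".xlsx", ".pdf",
                       ".jpg", ".jpeg", ".png", ".txt")
# Assumed stand-ins for the rule's backup-extension and Anaconda-path exclusions.
BACKUP_EXTENSIONS = (".bak", ".old", ".orig", ".tmp")
ANACONDA_PATH_FRAGMENT = "\\anaconda"

@dataclass
class FileRenameEvent:
    image: str            # process that performed the rename
    source_filename: str  # full path before the rename
    target_filename: str  # full path after the rename

def is_suspicious_appended_extension(ev: FileRenameEvent) -> bool:
    # Sigma string matching is case-insensitive by default, so normalise first.
    src, tgt, image = (s.lower() for s in
                       (ev.source_filename, ev.target_filename, ev.image))
    # 1. The source must be a common document or media file.
    if not src.endswith(DOCUMENT_EXTENSIONS):
        return False
    # 2. The original extension must survive with more appended after it
    #    (report.docx -> report.docx.crypted), not be replaced (-> report.pdf).
    original_ext = "." + src.rsplit(".", 1)[1]
    if original_ext + "." not in tgt:
        return False
    # 3. Exclusions: backup copies and renames performed by an Anaconda process.
    if tgt.endswith(BACKUP_EXTENSIONS) or ANACONDA_PATH_FRAGMENT in image:
        return False
    return True

def detect(events: list[FileRenameEvent]) -> list[FileRenameEvent]:
    # Return the events from a batch that the rule would flag.
    return [ev for ev in events if is_suspicious_appended_extension(ev)]

# Constructed sample telemetry (not real logs): one ransomware-style rename,
# one backup copy, one Anaconda package operation and one ordinary rename.
SAMPLE_EVENTS = [
    FileRenameEvent(r"C:\Users\alice\AppData\Local\Temp\update.exe",
                    r"C:\Users\alice\Documents\report.docx",
                    r"C:\Users\alice\Documents\report.docx.crypted"),
    FileRenameEvent(r"C:\Windows\explorer.exe", r"C:\Users\alice\Pictures\holiday.jpg",
                    r"C:\Users\alice\Pictures\holiday.jpg.bak"),
    FileRenameEvent(r"C:\ProgramData\Anaconda3\python.exe",
                    r"C:\ProgramData\Anaconda3\pkgs\readme.txt",
                    r"C:\ProgramData\Anaconda3\pkgs\readme.txt.conda_trash"),
    FileRenameEvent(r"C:\Windows\explorer.exe", r"C:\Users\alice\Documents\report.docx",
                    r"C:\Users\alice\Documents\report-final.docx"),
]
```

Only the first sample event is flagged; the backup copy and the Anaconda rename hit the exclusion filters, and the ordinary rename never had an extension appended.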
Categories
  • Windows
  • Endpoint
  • Infrastructure
Data Sources
  • File
  • Logon Session
Created: 2022-07-16