
Summary
This detection rule identifies potential ransomware activity on Linux systems by monitoring sequences of file rename and creation events executed by the same process within a one-second timespan. It specifically looks for mass file encryption activity (observed as rename events) followed by the creation of a text file whose name includes a ransomware-related keyword such as 'restore', 'lock', 'recovery', 'instruction', 'how_to', or 'ransom'. Ransomware typically encrypts a large number of files and then drops a ransom note demanding payment in exchange for the decryption key. The rule monitors critical directories where user files are commonly stored and excludes known benign processes to reduce false positives. When the rule alerts, investigation involves reviewing the associated process and file paths to determine whether the actions were legitimate, so that potential ransomware incidents can be identified in their early stages.
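The following is an added, stand-alone illustration of the sequence logic the summary describes, written for this page and not the rule's own query language; the monitored directories, excluded process names, rename threshold and sample events are constructed assumptions, while the filename keywords come from the summary above.

```python
from collections import defaultdict

# Keywords the rule associates with ransom-note filenames (from the summary).
RANSOM_KEYWORDS = ("restore", "lock", "recovery", "instruction", "how_to", "ransom")
# Assumed user-data directories and benign processes for this example only.
MONITORED_DIRS = ("/home/", "/root/", "/srv/", "/var/www/")
EXCLUDED_PROCESSES = ("dpkg", "apt", "rsync")


def looks_like_ransom_note(path):
    """True if the file is a .txt whose name contains a ransom-note keyword."""
    name = path.rsplit("/", 1)[-1].lower()
    return name.endswith(".txt") and any(k in name for k in RANSOM_KEYWORDS)


def detect_ransom_note_sequences(events, min_renames=3, window=1.0):
    """Return (pid, process, note_path) for each process that renamed at least
    min_renames files in a monitored directory and then, within `window`
    seconds, created a ransom-note-like text file there."""
    by_pid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_pid[ev["pid"]].append(ev)
    alerts = []
    for pid, evs in by_pid.items():
        for i, ev in enumerate(evs):
            if ev["action"] != "creation" or not looks_like_ransom_note(ev["path"]):
                continue
            if ev["process"] in EXCLUDED_PROCESSES or not ev["path"].startswith(MONITORED_DIRS):
                continue
            # Count earlier renames by the same process inside the time window.
            renames = [e for e in evs[:i] if e["action"] == "rename"
                       and ev["ts"] - e["ts"] <= window
                       and e["path"].startswith(MONITORED_DIRS)]
            if len(renames) >= min_renames:
                alerts.append((pid, ev["process"], ev["path"]))
    return alerts


# Constructed sample telemetry: ts in seconds, path is the rename target or created file.
SAMPLE_EVENTS = [
    {"ts": 100.00, "pid": 4242, "process": "lckr", "action": "rename", "path": "/home/alice/a.docx.locked"},
    {"ts": 100.05, "pid": 4242, "process": "lckr", "action": "rename", "path": "/home/alice/b.xlsx.locked"},
    {"ts": 100.10, "pid": 4242, "process": "lckr", "action": "rename", "path": "/home/alice/c.pdf.locked"},
    {"ts": 100.40, "pid": 4242, "process": "lckr", "action": "creation", "path": "/home/alice/HOW_TO_RESTORE_FILES.txt"},
    # Benign: one rename followed by a notes file; not a mass-rename sequence.
    {"ts": 150.00, "pid": 777, "process": "editor", "action": "rename", "path": "/home/bob/draft.txt"},
    {"ts": 150.20, "pid": 777, "process": "editor", "action": "creation", "path": "/home/bob/lock_screen_ideas.txt"},
    # Benign: mass renames, but the note-like file appears more than one second later.
    {"ts": 200.00, "pid": 888, "process": "rotate", "action": "rename", "path": "/srv/data/1.log.1"},
    {"ts": 200.01, "pid": 888, "process": "rotate", "action": "rename", "path": "/srv/data/2.log.1"},
    {"ts": 200.02, "pid": 888, "process": "rotate", "action": "rename", "path": "/srv/data/3.log.1"},
    {"ts": 202.00, "pid": 888, "process": "rotate", "action": "creation", "path": "/srv/data/recovery.txt"},
]
```

Only the first sequence (pid 4242) should alert; the other two show the window and threshold suppressing common false positives.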
Categories
- Endpoint
- Linux
Data Sources
- File
- Process
- Application Log
ATT&CK Techniques
- T1486
Created: 2023-03-20