Thank you for posting your query in Microsoft Q&A.
There is a default policy template that you can use to track "Potential ransomware activities".
This policy is used to generate an alert when a user uploads files to the cloud that might be infected with ransomware.
There are some default extensions defined in the policy as below,
You can add new extensions as well.
You can refer to the article below for this.
Let me know if you have any further questions.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.