Process spawned unexpected child process

This typically indicates the parent process was compromised via an exploit or macro.

Ryuk

Ransomware distributed via existing botnets, often Trickbot or Emotet.

Deletes shadow copies

Ransomware often targets backup files to inhibit system recovery.

Executes dropped EXE

Modifies extensions of user files

Ransomware generally changes the extension on encrypted files.