Risk information output device, information output system, risk information output method, and recording medium
US-2024414180-A1 · Dec 12, 2024 · US
US2019109870A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2019109870-A1 |
| Application number | US-201816129644-A |
| Country | US |
| Kind code | A1 |
| Filing date | Sep 12, 2018 |
| Priority date | Sep 14, 2017 |
| Publication date | Apr 11, 2019 |
| Grant date | — |
Official abstract text for this publication.
This application relates to ransomware detection and intelligent restore. Ransomware typically involves an I/O heavy process of encrypting data files and/or deleting or renaming the original files. Thus, ransomware attacks may be detected by analyzing the I/O activity in a given file system. When a potential ransomware attack is detected, a timestamp is recorded. If the client machine is indeed taken over by the ransomware attack, an intelligent restore operation can be performed such that the file system is automatically restored to a point in time prior to the infection by the ransomware attack using the recorded timestamp.
Opening claim text (preview).
What is claimed is:

1. A computer-implemented method for detecting file activity anomalies, the method comprising: causing a copy of primary data associated with a client computing device to be stored in one or more secondary storage devices as part of secondary data associated with the client computing device; detecting a file activity anomaly based at least on one or more file system operations performed on the client computing device satisfying one or more threshold conditions associated with the client computing device; storing timestamp information associated with the one or more file system operations; in response to detecting the file activity anomaly, restoring, based at least on the timestamp information, at least some of the secondary data stored in the one or more computing devices onto one or more primary storage devices associated with the client computing device; and outputting a notification indicating at least the file activity anomaly.

2. The computer-implemented method of claim 1, further comprising: monitoring file system operations performed on the client computing device over a specific time period; determining a baseline count of file system operations performed on the client computing device over the specific time period; and determining, based at least on the baseline count, at least one threshold condition of the one or more threshold conditions.

3. The computer-implemented method of claim 2, wherein the baseline count is an average number of file system operations performed on the client computing device for each sub-period of a plurality of sub-periods within the specific time period.

4. The computer-implemented method of claim 2, further comprising determining the at least one threshold condition at least by multiplying the baseline count with a predetermined percentage value, wherein the predetermined percentage value is greater than 100 percent.

5. The computer-implemented method of claim 2, further comprising periodically determining whether a current count of file system operations satisfies the one or more threshold conditions for each of a plurality of time periods subsequent to the specific time period and each having a same length as the specific time period.

6. The computer-implemented method of claim 1, wherein the one or more file system operations comprise at least one of write operations, create operations, rename operations, or delete operations.

7. The computer-implemented method of claim 1, wherein the timestamp information specifies a first time at which a file system operation of the one or more file system operations that is performed earliest out of all of the one or more file system operations is performed.

8. The computer-implemented method of claim 1, wherein the timestamp information specifies a first time that precedes a second time at which a file system operation of the one or more file system operations that is performed earliest out of all of the one or more file system operations is performed.

9. The computer-implemented method of claim 8, further comprising restoring a portion of the secondary data that was created at or prior to the first time specified by the timestamp information and not restoring another portion of the secondary data that was created after the first time specified by the timestamp information.

10. The computer-implemented method of claim 1, further comprising, prior to restoring the secondary data in response to detecting the file activity anomaly, determining an indication of an input by a user of the client computing device for confirming the detection of the file activity anomaly.

11. A system for detecting file activity anomalies, the system comprising: a client computing device comprising computer hardware and configured to perform one or more file system operations within a file system residing on the client computing device; and one or more secondary storage devices comprising computer hardware and configured to store secondary data associated with the client computing device, wherein the secondary data is a copy of primary data stored on one or more primary storage devices associated with the client computing device, wherein the client computing device configured to: detect a file activity anomaly based at least on the one or more file system operations satisfying one or more threshold conditions associated with the client computing device; store timestamp information associated with the one or more file system operations; in response to detecting the file activity anomaly, restore, based at least on the timestamp information, at least some of the secondary data stored in the one or more computing devices onto one or more primary storage devices associated with the client computing device; and output a notification indicating at least the file activity anomaly.

12. The system of claim 11, wherein the client computing device is further configured to: monitor file system operations performed on the client computing device over a second time period preceding the first time period; determine a baseline count of file system operations performed on the client computing device over the second time period; and determine, based at least on the baseline count, the threshold value for disabling the one or more data protection operations.

13. The system of claim 12, wherein the baseline count is an average number of file system operations performed on the client computing device for each sub-period of a plurality of sub-periods within the second time period.

14. The system of claim 12, wherein the client computing device is further configured to determine the threshold value by multiplying the baseline count with a predetermined percentage value, wherein the predetermined percentage value is greater than 100 percent.

15. The system of claim 12, wherein the client computing device is further configured to periodically determine whether a current count of file system operations satisfies the one or more threshold conditions for each of a plurality of time periods subsequent to the specific time period and each having a same length as the specific time period.

16. The system of claim 11, wherein the one or more file system operations comprise at least one of write operations, create operations, rename operations, or delete operations.

17. The system of claim 11, wherein the timestamp information specifies a first time at which a file system operation of the one or more file system operations that is performed earliest out of all of the one or more file system operations is performed.

18. The system of claim 11, wherein the timestamp information specifies a first time that precedes a second time at which a file system operation of the one or more file system operations that is performed earliest out of all of the one or more file system operations is performed.

19. The system of claim 18, wherein the client computing device is further configured to restore a portion of the secondary data that was created at or prior to the first time specified by the timestamp information and not restoring another portion of the secondary data that was created after the first time specified by the timestamp information.

20. The system of claim 11, wherein the client computing device is further configured to, prior to restoring the secondary data in response to detecting the file activity anomaly, determining an indication of an input by a user of the client computing device
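The abstract and claims 2 through 10 describe one detection-and-restore loop: learn a baseline count of monitored file operations per sub-period, derive a threshold by scaling that baseline by a percentage above 100, compare later windows against it, record the earliest operation of an anomalous window (or a time preceding it), and restore only the secondary copies created at or before that point, after an optional operator confirmation. The following Python is an added illustration of that loop written for this page; it is not code from the patent or its assignee. The event stream, snapshot times, window lengths, the choice to check windows of sub-period length, the `margin` parameter and every function name are constructed assumptions.

```python
# Added example (not code from the patent): baseline/threshold detection of
# bursty file activity, recording of a restore point, and selection of the
# secondary copies to restore. All sample events, snapshot times, window
# lengths and function names are constructed for this illustration.

MONITORED_OPS = ("write", "create", "rename", "delete")  # op kinds named in claims 6/16


def count_monitored(events, start, end):
    """Count monitored file-system ops whose timestamp t satisfies start <= t < end."""
    return sum(1 for t, op in events if start <= t < end and op in MONITORED_OPS)


def baseline_count(events, train_start, train_len, sub_periods):
    """Average number of monitored ops per sub-period of the training window."""
    sub_len = train_len // sub_periods
    counts = [count_monitored(events, train_start + i * sub_len, train_start + (i + 1) * sub_len)
              for i in range(sub_periods)]
    return sum(counts) / len(counts)


def threshold_from_baseline(baseline, percent):
    """Threshold is the baseline scaled by a percentage above 100 (e.g. 300 means 3x)."""
    if percent <= 100:
        raise ValueError("percentage must exceed 100 so the threshold sits above the baseline")
    return baseline * percent / 100.0


def detect_anomalies(events, train_start, train_len, sub_periods, percent, margin):
    """Learn a baseline from the training window, then check each later window of
    sub-period length (an assumption of this example) against the threshold.
    For each window that exceeds it, record the earliest monitored op and a
    restore point that precedes it by `margin` seconds. Returns a list of dicts."""
    sub_len = train_len // sub_periods
    baseline = baseline_count(events, train_start, train_len, sub_periods)
    threshold = threshold_from_baseline(baseline, percent)
    last_t = max(t for t, _ in events)
    anomalies = []
    start = train_start + train_len
    while start <= last_t:
        end = start + sub_len
        count = count_monitored(events, start, end)
        if count > threshold:
            earliest = min(t for t, op in events if start <= t < end and op in MONITORED_OPS)
            anomalies.append({
                "window_start": start, "count": count, "threshold": threshold,
                "earliest_op": earliest, "restore_point": earliest - margin,
            })
        start = end
    return anomalies


def plan_restore(snapshot_times, restore_point):
    """Restore the newest secondary copy created at or before the restore point and
    leave every later copy alone; restore is None when no copy qualifies."""
    eligible = [s for s in snapshot_times if s <= restore_point]
    skipped = sorted(s for s in snapshot_times if s > restore_point)
    return {"restore": max(eligible) if eligible else None, "skip": skipped}


def handle_anomaly(anomaly, snapshot_times, confirm=lambda a: True):
    """Build the notification text and, only if the operator confirms, the restore
    plan. Returns (notification, plan_or_None)."""
    note = (f"file activity anomaly: {anomaly['count']} monitored ops in window "
            f"starting t={anomaly['window_start']} (threshold {anomaly['threshold']:.1f}); "
            f"earliest op t={anomaly['earliest_op']}, restore point t={anomaly['restore_point']}")
    if not confirm(anomaly):
        return note, None
    return note, plan_restore(snapshot_times, anomaly["restore_point"])


def build_sample_events():
    """Constructed event stream of (timestamp_seconds, op): steady writes, reads that
    are not monitored, then a rename+write burst at t=730 resembling mass encryption."""
    events = [(t, "write") for t in range(0, 700, 10)]   # 10 monitored ops per 100 s
    events += [(t, "read") for t in range(0, 800, 50)]   # reads are ignored by the detector
    for i in range(40):                                   # 80 monitored ops in 40 s
        events += [(730 + i, "rename"), (730 + i, "write")]
    return events


if __name__ == "__main__":
    events = build_sample_events()
    snapshots = [0, 300, 600, 700, 760]  # constructed secondary-copy times (seconds)
    # 600 s training window, 6 sub-periods of 100 s, threshold = 300% of baseline,
    # restore point 60 s before the earliest anomalous op
    for anomaly in detect_anomalies(events, 0, 600, 6, 300, 60):
        note, plan = handle_anomaly(anomaly, snapshots)
        print(note)
        print("restore plan:", plan)
```

With the constructed data the baseline is 10 ops per 100 s sub-period, the threshold 30, the window starting at t=700 holds 80 monitored ops, and the restore point lands at t=670, so the copy taken at t=600 is restored while the copies at t=700 and t=760 are skipped. The margin is what implements the claim 8 wording that the recorded time may precede the earliest operation: a copy taken at t=700 is before the burst but too close to trust, since a detector only fires once a window has filled.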
CPC classification titles:

- Details of monitoring file system events, e.g. by the use of hooks, filter drivers, logs
- Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
- wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- File encryption
- Time stamp