This is a great question. It takes some time for the ransomware script to encrypt everything, so it is possible that you catch it in the middle of the encryption but not before it reaches the canary.

You could put hard links to your canary in all of the crucial locations, I suppose.

Or you could use rsnapshot on the destination side and freeze the backup schedule if something looks amiss.