Ransomware is still malware IMO. Putting the conflict of interest aside, if the current approach to detecting malware does not change, no matter how hard we try, we will still be one step behind.
If we can keep the system up to date, configure user privileges to the lowest possible and grant access only when necessary, take backups as frequently as possible, segregate sensitive networks and, most importantly, educate the users not to run programs from suspicious sources, most if not all ransomware incidents will not happen at all.
The approach I am taking is background sync of all user-created data into Git with automatic one-way replication not accessible through SMB. Git has plenty of tools to manage that and I simply automate all this without exposing the user to the commit process. That way I can just reimage the machine and replicate undamaged data back onto it. The problem is detecting data exfiltration and I don't have a solution for that yet.
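A sketch of the one-way Git replication described in the comment above, as an added example that is not the commenter's own setup. The names `make_vault` and `snapshot_push`, the branch `backup` and all paths are hypothetical, and the local vault path stands in for a Git remote on another host that the workstation can only push to.

```shell
# Added example; function names, branch name and paths are hypothetical.

# Backup side: a bare repository that refuses history rewrites and branch
# deletion, so a compromised client can only append new snapshots.
make_vault() {
    mv_vault=$1
    git init --quiet --bare "$mv_vault"
    git -C "$mv_vault" config receive.denyNonFastForwards true
    git -C "$mv_vault" config receive.denyDeletes true
}

# Client side: commit whatever changed under the data directory and push it.
# Intended to run from a timer (cron, systemd) so the user never sees a commit.
snapshot_push() {
    sp_data=$1
    sp_vault=$2
    [ -d "$sp_data/.git" ] || git init --quiet "$sp_data"
    git -C "$sp_data" add --all
    # Commit only when the index differs from the last snapshot.
    if ! git -C "$sp_data" diff --cached --quiet; then
        git -C "$sp_data" -c user.name=backup -c user.email=backup@localhost \
            commit --quiet -m "snapshot $(date -u +%Y-%m-%dT%H:%M:%SZ)"
    fi
    # Nothing has ever been committed (empty directory): nothing to replicate.
    git -C "$sp_data" rev-parse --quiet --verify HEAD >/dev/null || return 0
    # A damaged file still arrives as a normal fast-forward commit; the
    # earlier versions stay reachable in the vault's history.
    git -C "$sp_data" push --quiet "$sp_vault" HEAD:refs/heads/backup
}

# Restore one file as it was N snapshots ago, read directly from the vault.
vault_show() {
    git --git-dir="$1" show "backup~$2:$3"
}
```

The append-only property only holds if the vault's files are out of reach of the workstation account, which is why the vault has to be reached over a Git transport on a separate host rather than a shared folder.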