These are all good ideas. It seems to me part of the problem with these ransom attacks is the intruders aren't pouncing the minute they get inside the victim's network. They take their time, figure out where everything is (including backups) and then only force-spread the ransom malware after they have staged everything just-so.
