Encryption virus prevention.

Ransomware should not be a threat if

-you have current backups that are not accessible to accounts that might start ransomware
-your users may only write to a limited number of folders and not everywhere
-you have application whitelisting in place ("what application may write where" / "what application may be run at all")

I like Software Restriction Policy the best.
Set it, forget it. (Needs to white list a program now and then).

I'm just kidding, I let the PC's report back, and then I get real time alerts on my phone. I send serious emails back to each user who logged an unsuccessful attempt (either the antivirus reported it, or the SRP, in both cases, it's stopped. Still need to continuously hammer the user though)

User education should always be top nr 1 (usually helps about 95%), but sadly, it's human nature/curiosity that's defeating the purpose (the other 5% that never learns).

The mechanism for preventing ransomware is to prohibit opening files from any one of the gazillion temp folders used by Windows.  If you are running an updated version of Windows 10, those protections are now built in.  If it's an older O/S, cryptoprevent is one of the original utilities which adds the restrictions; but, be warned about any solution, you will get a ton of calls when users cannot open email attachments of any kind.  Since the mechanism has generally been to open the attachment (PDF, zip, XLS, DOC, etc.) containing the machine language encryptor, user education is still the best approach combined with keeping the PCs updated and having good backups.

As mentioned above .......
CRYPTOPREVENT @ $15 per annum is very good value and very effective,
if set to custom/maximum with the Honeypot activated. Make sure system & hidden files,
are not visible otherwise your desktop will be cluttered with honeypot files.

Use it's whitelisting feature to allow wanted apps through the maximum protection setting.
(There is a new feature, which I have yet to try, to CRC check whitelisted apps)
=======================================================================
Controlled Folder Access (Win 10)

100% prevent might be utopian... You can reduce the risk
Technical:
1)  Reduce spam  -- That will also prevent delivery of a lot of mails that are mostly the cause of this
2) Check all mail using Antivirus
3) Prevent write access to places it is not needed (archive readonly, only one normally offline account to move data).
4) Have OFF-LINE backups. Tapes (of not accessible from the users) are excelent.
5) Versioned filesystems are also very useful as they keep the originals in good order.
Personnel Education:
1) Do not randomly click open any mail
2) Do not use unknown USB sticks (or use measure to only accept known encrypted scripts).
3) Think about actions.... and possible consequences.

What McKnife and noci said.

Prevention is never 100% due to the Day Zero issue, no matter how strictly the system is locked down.  Do what you can to prevent it, but always have full air-gapped backups ready for use.

As a side note, do drills from time to time proving that you can reimage every system from its backups.  After an infection is no time to discover that the recovery process requires one of the servers to be up, or there is no cloud access, or the cloud key was stored on an infected server, or ...

I've been playing with neushield and it seems to be a very good product for recovering from ransomware. All writes to to a shielded area and the default is to commit writes after the shielded file is 24 hours old.  A one click restore of data files that is extremely fast $39-$19 per year per user

Thanks for all the comments experts.  I am looking them over and hopefully can make some changes to prevent another attack.

Tell them to use VMWare to install stuff first to check. Or Comodo Sandbox.