First to say: I know I need a backup, and I have one of course, but my question isn't about the safety of the data but about how to reduce the possible time that is needed to restore data.
I'm already limiting the write access of all users as far as I can to prevent a situation where one infected host will be able to encrypt all data in the worst case. Also, it is relatively unlikely that the fileserver itself gets infected, because the only services accessible from the workstations are the SMB shares.
What I would like to have is a way to detect malicious behavior and prevent further damage if possible. For example, when a client opens and changes files rapidly in a systematic way, wouldn't this be a clear sign of ransomware, and isn't there a way to prevent this?
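The heuristic described in the question (one client changing many different files in a short time) can be written as a sliding-window count over file-access audit events. The following is an added example, not part of the original post; the event tuple layout, operation names, host names and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque

# Assumed operation names; map your file server's audit fields onto these.
MODIFYING_OPS = {"write", "rename", "delete"}

def find_mass_modifiers(events, window_s=30, max_files=20):
    """Return {client: timestamp} for the first moment each client modified
    more than max_files DISTINCT files within window_s seconds.
    events: iterable of (timestamp_seconds, client, operation, path)."""
    recent = defaultdict(deque)                       # client -> (ts, path) in window
    in_window = defaultdict(lambda: defaultdict(int))  # client -> path -> hit count
    alerts = {}
    for ts, client, op, path in sorted(events):
        if op not in MODIFYING_OPS or client in alerts:
            continue
        queue, paths = recent[client], in_window[client]
        queue.append((ts, path))
        paths[path] += 1
        # Drop events that have fallen out of the time window.
        while queue and ts - queue[0][0] > window_s:
            _, old = queue.popleft()
            paths[old] -= 1
            if paths[old] == 0:
                del paths[old]
        # Distinct files matter: autosaving one document is not suspicious.
        if len(paths) > max_files:
            alerts[client] = ts
    return alerts

def sample_events():
    """Constructed audit events for two hypothetical workstations."""
    events = []
    # ws-21: an editor autosaving the same document every 5 s for 5 minutes.
    for i in range(60):
        events.append((1000.0 + 5 * i, "ws-21", "write", "/share/docs/report.docx"))
    # ws-37: 40 different files rewritten and renamed within 20 s.
    for i in range(40):
        t = 1100.0 + 0.5 * i
        path = f"/share/projects/file{i:03}.xlsx"
        events.append((t, "ws-37", "write", path))
        events.append((t + 0.1, "ws-37", "rename", path))
    return events

if __name__ == "__main__":
    for client, ts in find_mass_modifiers(sample_events()).items():
        print(f"ALERT {client}: >20 distinct files modified within 30 s at t={ts}")
```

What happens on an alert (for example, revoking that client's access to the share) depends on the file server and is not shown here; the thresholds need tuning against normal bulk operations such as copies and backups.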