
CryptoCanary false positives and workstation implementation thoughts?

We got hit with ransomware years ago and implemented Third Tier's CryptoCanary setup on our file servers as soon as we found it. We've been blessed to not get hit by any rw since then, but we get a bit of false positives due to our AV (Cylance) rewriting files as it checks things from time to time (probably 5-6 times a year?). It rewrites the files temporarily to the C:\temp directory, so I obviously can't whitelist that entire folder, and I can't change where it does its rewriting. Our file servers that run this are physical servers, so it would be nice not to hard shut them off if there's a more graceful/better way to go about things.

Shutting down the server may be the only thing to do, but I was thinking a few things...

Providing that backups work, I was thinking to run a command to instead just disable the NICs on the servers...

