At this stage, I'm surprised there isn't a product looks out for a tell-tale sign that a ransomware attack is in progress.
For example, if an attempt is made to overwrite a .docx, .jpg, mp3, etc., these writes are diverted to a cache similar to how Windows SteadyState worked. To the user, it appears as if the files are overwritten as normal. A similar process could be done for file deletions where the deleted files are discreetly kept especially if the files being deleted have just been read with a similar disk write activity rate taking place also.
If a certain threshold of certain files are overwritten/deleted in a short space of time (e.g. 100+ mp4, doc(x), mp3, etc. files), then pause disk access activity for the affected process and display a question something like "Have you just deleted or made changes to the files such as (list of last 5 files edited)?".
If the user answers 'No', the process responsible for modifying the files is terminated, the contents of the cache is discarded and the product displays a warning about a suspect ransomware attack and advice what to do.
If nothing suspicious is happening such as less than than the threshold of files overwritten within a day, then the contents of the cache is committed, i.e. the original files are overwritten, like a commit with Windows SteadyState.
Generally the only time a false alarm would trigger would be if the user tries using a shredder type app to intentionally destroy a few hundred files, in which case they would just click 'Yes'. Some file types could be have higher thresholds such as 1000 for .jpg to allow for batch resizing of JPEGs where the original images are overwritten without triggering a false alarm.
Of course there would be niggles to workout also such as how such a product would cope with low disk space and potential performance issues.