Backups should always be in 3 (or more) copies, ALWAYS. One copy on-premise for quick restores, another copy on offline tape on-premise, one more copy in the cloud. It’s a good idea to also keep a snapshot of the virtual machines of the servers before and after each update or install.
It used to be that 2 copies (one tape on-site, and one tape off-site or at the bank) were good enough, but with ransomware, the more redundancy you have the better. Also, do not be too quick to rush to come back online. Before you bring the servers back online, you have to make sure you have identified and corrected the vulnerability. If you cannot figure out how anyone got in, DO NOT restore the server backup, “nuke it from orbit”, rebuild it from a base image and apply all patches and updates, then restore your databases only.
User executables and archive files and (if using an on-premise email server) all email attachments should be wiped on restore, and only restored on specific demand, and ideally all email messages on the on-premise email server should be converted to text only. This is where a web or SaaS setup shines. You don’t have to run around all the client PCs, you can concentrate your efforts on just a few servers instead.
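
One way to apply the hold-back rule above to a restored file tree, as an added example that is not part of the original comment: files are classified by their leading bytes rather than by extension and moved to a quarantine directory, with a manifest kept for on-demand release. The function names, the magic-byte list and the sample tree are assumptions constructed for illustration.

```python
import os
import shutil
import tempfile
from pathlib import Path

# Leading magic bytes of the file types held back on restore (constructed list).
# "PK" also matches Office documents, which are ZIP containers.
MAGIC = {b"MZ": "windows-executable", b"\x7fELF": "elf-executable",
         b"PK\x03\x04": "zip-archive", b"Rar!\x1a\x07": "rar-archive",
         b"7z\xbc\xaf\x27\x1c": "7z-archive", b"\x1f\x8b": "gzip-archive"}

def classify(path):
    """Return the held-back type of a file by content, or None to keep it."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    return next((kind for magic, kind in MAGIC.items() if head.startswith(magic)), None)

def quarantine_restored_tree(restored_root, quarantine_root):
    """Move executables and archives out of a restored tree.

    quarantine_root must be outside restored_root. Returns a sorted manifest
    of (relative path, type) so files can be released on specific demand.
    """
    restored_root, quarantine_root = Path(restored_root), Path(quarantine_root)
    manifest = []
    for dirpath, _dirs, filenames in os.walk(restored_root):
        for name in filenames:
            src = Path(dirpath) / name
            kind = None if src.is_symlink() else classify(src)  # never follow links
            if kind is None:
                continue
            rel = src.relative_to(restored_root)
            dst = quarantine_root / rel
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.move(str(src), str(dst))
            manifest.append((rel.as_posix(), kind))
    return sorted(manifest)

def demo():
    """Run against a constructed sample tree; return (manifest, files left in place)."""
    with tempfile.TemporaryDirectory() as tmp:
        root, quarantine = Path(tmp) / "restored", Path(tmp) / "quarantine"
        (root / "docs").mkdir(parents=True)
        (root / "docs" / "notes.txt").write_bytes(b"plain text")
        (root / "docs" / "invoice.pdf.exe").write_bytes(b"MZ\x90\x00constructed")
        (root / "photos.dat").write_bytes(b"PK\x03\x04constructed")  # ZIP without .zip name
        manifest = quarantine_restored_tree(root, quarantine)
        left = sorted(p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file())
    return manifest, left

if __name__ == "__main__":
    print(demo())
```

Content-based matching catches renamed files such as the `.dat` ZIP in the sample, which an extension filter would restore untouched.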