HACKER Q&A
📣 WheelsAtLarge

What's the best way to protect a network against ransomware?




  👤 mikewarot Accepted Answer ✓
Have a physically separate network for the backups, with a data diode isolating it from production. Daily incremental backups. Weekly complete backups. If you can possibly afford it, never erase a backup.

Also, every quarter or so, schedule an outage, clone the hard drives in the servers to new drives, put the old ones in storage, and run from the clones.

If you have critical hardware that is running some old OS and can't be upgraded, put it on a physically separate network, and data diode, and push those backups out as well.

Test the hell out of those backups, restore something from them at least once a quarter, if not more often.

Start investigating capability based security and operating systems that support that model.
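The restore test described above can be made mechanical: hash every file at backup time, keep that manifest off the production network (on the far side of the diode, next to the backup), and diff each restored copy against it. The script below is an added example, not code from this thread; the directory layout, file names and contents are constructed so it runs offline.

```python
"""Backup integrity check: record a SHA-256 manifest at backup time, then
verify a restored tree against it.  Added example, not from the original
thread; the files and the 'restore' scenario are constructed."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Stream-hash a file so large backups never need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root, POSIX form) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict[str, str], restored_root: Path) -> dict[str, list[str]]:
    """Compare a restored tree against the manifest taken at backup time.

    A file that was encrypted in place keeps its name and a plausible size,
    so a name/size listing passes; a content hash does not.
    """
    restored = build_manifest(restored_root)
    report: dict[str, list[str]] = {"ok": [], "missing": [], "modified": [], "unexpected": []}
    for rel, digest in manifest.items():
        if rel not in restored:
            report["missing"].append(rel)
        elif restored[rel] != digest:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    report["unexpected"] = sorted(set(restored) - set(manifest))
    return report


def demo() -> dict[str, list[str]]:
    """Constructed scenario: back up three files, then check a 'restore' in
    which one file is intact, one was overwritten and one never came back."""
    with tempfile.TemporaryDirectory() as tmp:
        prod = Path(tmp) / "prod"
        restore = Path(tmp) / "restore"
        for root in (prod, restore):
            (root / "db").mkdir(parents=True)
        (prod / "db" / "orders.sql").write_bytes(b"INSERT INTO orders VALUES (1, 'ok');\n")
        (prod / "db" / "users.sql").write_bytes(b"INSERT INTO users VALUES (1, 'alice');\n")
        (prod / "notes.txt").write_bytes(b"quarterly restore test\n")

        # The manifest is what you store beside the backup, off the
        # production network, so an intruder cannot rewrite it to match.
        manifest_json = json.dumps(build_manifest(prod), indent=2)

        # Simulated restore: orders.sql intact, users.sql replaced with
        # ciphertext-like bytes, notes.txt missing entirely.
        (restore / "db" / "orders.sql").write_bytes(b"INSERT INTO orders VALUES (1, 'ok');\n")
        (restore / "db" / "users.sql").write_bytes(b"\x9f\x12encrypted\x00garbage")
        return verify_restore(json.loads(manifest_json), restore)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it on a real restore by pointing `build_manifest` at the source tree during the backup job and `verify_restore` at the mount point of the restored copy; anything in `modified` or `missing` means the backup you were counting on is not the one you have.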


👤 ericalexander0
Most ransomware attacks involve Windows domains. The chain of events is usually: land a beach head (perimeter vuln or phishing), find domain admin with bloodhound or similar, steal domain admin creds with mimikatz or similar, encrypt everything.

There are multiple points in that chain to address. You'll get the most leverage by reducing domain admin population size through privileged access management.

Tool to help understand the problem: https://github.com/ericalexanderorg/easyhound
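A defender's complement to shrinking the domain admin population is to notice when it grows. The script below is an added example, not code from this thread or from easyhound: it replays Windows security event records for group membership changes (the real event IDs are 4728/4756 for a member added to a global/universal group and 4729/4757 for a removal) and alerts when an account outside an approved list lands in a Tier-0 group, or when such a group exceeds a size ceiling. The `key=value` line format, account names, approved list and baseline membership are constructed assumptions standing in for fields you would pull from the Security log.

```python
"""Alert on growth of Tier-0 groups (Domain Admins and friends) from Windows
security event records.

Added example, not from the thread or the easyhound project.  The records
are a constructed key=value flattening of the event fields (EventID, group,
member, subject account); a real pipeline would read the same fields from
the Security log rather than from these strings."""
from dataclasses import dataclass

# Real Windows Security event IDs for group membership changes.
ADDED = {"4728", "4756"}    # member added to a global / universal group
REMOVED = {"4729", "4757"}  # member removed from a global / universal group

# Groups whose membership is equivalent to control of the domain.
TIER0_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

# Constructed: accounts permitted to hold standing Tier-0 membership.
APPROVED = {"CORP\\breakglass01", "CORP\\da-jdoe", "CORP\\da-tlee"}

# Constructed: membership as it stood before the events below were logged.
BASELINE = {"Domain Admins": {"CORP\\breakglass01", "CORP\\da-jdoe"}}

# Constructed sample records.
SAMPLE_EVENTS = [
    "Time=2024-03-04T08:12:09;EventID=4728;Group=Domain Admins;Member=CORP\\svc-backup;Subject=CORP\\da-jdoe",
    "Time=2024-03-04T08:15:41;EventID=4728;Group=Help Desk;Member=CORP\\asmith;Subject=CORP\\hd-lead",
    "Time=2024-03-04T08:20:03;EventID=4728;Group=Domain Admins;Member=CORP\\wks-user7;Subject=CORP\\da-jdoe",
    "Time=2024-03-04T08:31:55;EventID=4729;Group=Domain Admins;Member=CORP\\svc-backup;Subject=CORP\\da-jdoe",
    "Time=2024-03-04T09:02:17;EventID=4756;Group=Enterprise Admins;Member=CORP\\da-tlee;Subject=CORP\\breakglass01",
]


@dataclass
class Alert:
    time: str
    group: str
    member: str
    subject: str   # account that performed the change
    reason: str    # "unapproved-member" or "over-ceiling"


def parse_event(line: str) -> dict[str, str]:
    """Split 'k=v;k=v' into a dict (constructed format, see module docstring)."""
    return dict(field.split("=", 1) for field in line.split(";"))


def audit(lines, approved=APPROVED, baseline=BASELINE, ceiling=3):
    """Replay membership changes; return (alerts, final Tier-0 membership).

    Fires once when an unapproved member is added to a Tier-0 group and once
    more when that addition pushes the group past `ceiling` standing members.
    """
    members = {g: set(baseline.get(g, ())) for g in TIER0_GROUPS}
    alerts: list[Alert] = []
    for line in lines:
        ev = parse_event(line)
        group = ev["Group"]
        if group not in TIER0_GROUPS:
            continue
        if ev["EventID"] in REMOVED:
            members[group].discard(ev["Member"])
            continue
        if ev["EventID"] not in ADDED:
            continue
        members[group].add(ev["Member"])
        if ev["Member"] not in approved:
            alerts.append(Alert(ev["Time"], group, ev["Member"], ev["Subject"], "unapproved-member"))
        if len(members[group]) > ceiling:
            alerts.append(Alert(ev["Time"], group, ev["Member"], ev["Subject"], "over-ceiling"))
    return alerts, members


if __name__ == "__main__":
    found, final = audit(SAMPLE_EVENTS)
    for a in found:
        print(f"{a.time} {a.reason:18} {a.group}: {a.member} (by {a.subject})")
    print("Domain Admins now:", sorted(final["Domain Admins"]))
```

The ceiling is deliberately low: with a working privileged access management process the standing Domain Admins population should be a break-glass account or two, and everything else is a finding. The removal of `svc-backup` later in the sample does not retract the earlier alert; the change still happened and the subject account that made it is the thing to look at.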


👤 chiph
Have good off-site off-line backups.

Train people not to click on random links.

Have a good intrusion detection system.


👤 kleer001
The weakest link is always human. Dealing with that should be paramount to solve that problem.