Ransomware works by going through files, one by one, and replacing their content with an encrypted version. (Sometimes it also sends copies elsewhere, but that turns out to be slow, and sometimes sets off alarms.) Software on Microsoft Windows uses an application programming interface (API) called "CreateFile" to access files. Somewhat confusingly, CreateFile not only creates files but is also the primary way to open them.
Microsoft should rate-limit the CreateFile() API. That is to say, it should limit how often a given program can use the API. Because you can't encrypt a file until you can open it, this would have a dramatic impact on ransomware. It would slow it down, and help defensive tools catch it in time for humans to react. Now, I say Microsoft should do this, and I hope it does.
The first question is, what rate is reasonable? Pick low and you break applications; pick high and you lessen the protective value. For a lot of cases, one open per second seems fine, but when we get to things like compilers, which are going to open a lot of files, we see that we may need both a general limit and an allowance for bursts. When we get to backup software, it gets even more complicated. The backup software needs to open all the files, or at least all the changed files, which, if you think about it, is really similar to what ransomware wants to do. We can't allow an exception for read-only opens. The ransomware will open a file, encrypt the contents, write it to a new file or append it to a database, and delete the original.
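The trade-off between a general limit and a burst allowance can be seen in a small token-bucket simulation. This is an added example, not code from the article or from Windows; the one-open-per-second rate comes from the text, while the burst size of 250 and the workload sizes are assumptions constructed for illustration.

```python
class OpenLimiter:
    """Token bucket over simulated time: `rate` opens/second, `burst` saved up."""

    def __init__(self, rate, burst):
        self.rate, self.burst = float(rate), float(burst)
        self.tokens = self.burst   # start with a full bucket
        self.clock = 0.0           # simulated seconds, never real sleeping

    def admit(self, requested_at):
        """Return the time at which an open requested at `requested_at` proceeds."""
        now = max(requested_at, self.clock)
        # Refill for the time that has passed, capped at the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.clock) * self.rate)
        if self.tokens < 1.0:
            # Not enough credit: the caller waits until one token has accrued.
            now += (1.0 - self.tokens) / self.rate
            self.tokens = 1.0
        self.tokens -= 1.0
        self.clock = now
        return now


def run(request_times, rate=1.0, burst=250):
    """Return (worst delay of any single open, time the last open is admitted)."""
    limiter = OpenLimiter(rate, burst)
    admitted = [limiter.admit(t) for t in request_times]
    return max(a - t for a, t in zip(admitted, request_times)), admitted[-1]


# Constructed workloads: the request time, in seconds, of each open.
EDITOR = [2.0 * i for i in range(10)]   # one open every two seconds
COMPILER = [0.0] * 200                  # 200 opens requested at once
SWEEP = [0.0] * 10_000                  # every file: backup or ransomware

if __name__ == "__main__":
    for name, times, burst in [("editor", EDITOR, 250), ("compiler", COMPILER, 250),
                               ("compiler, no burst", COMPILER, 1), ("sweep", SWEEP, 250)]:
        delay, done = run(times, burst=burst)
        print(f"{name:20} worst delay {delay:7.0f}s, finished at {done:7.0f}s")
```

With the burst allowance the compiler is never delayed, while without it the same build waits 199 seconds. The 10,000-file sweep is stretched to 9,750 seconds either way, and the limiter has no means of telling whether that sweep is a backup or ransomware.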