This is not a theoretical question -- many types of ransomware will go onto network mounts, network shares, and network drives and ransom those locations too. macOS ransomware has been known to disable/delete Time Machine backups as well.
There are a few things you can do:
- Some NAS systems like FreeNAS have the ability to take periodic rolling snapshots. Snapshots allow you to revert and restore files that have been modified and require logging in via SSH to gain access to manipulate the snapshots themselves, so simply deleting files via SMB will not delete your contents. I have mine configured to take hourly snapshots that last 1 week (for mistakes I quickly catch), then weekly snapshots that last 6 months (in case ransomware slowly destroys my data before I can realize it)
- Configure write-only dropboxes or other privileged areas that the normal login cannot access. Periodically move your backups onto there.
- Never let a password manager auto-save the administrative credentials for either the privileged user via SMB or the web admin console username/password, to prevent ransomware from being able to extract it.
Finally, don't forget that a NAS isn't an end-all solution to your backup/storage needs. Your NAS could catch on fire, or suffer too many disk failures to recover via RAID. Or it could have some horrible horrible bug that eats all your data. If you cannot afford to lose the data on your NAS, you must have some sort of backup strategy for it too, which also in turn could be part of your ransomware defense strategy.