<blockquote>Also a good argument for frequently testing such things, as a ransomware operator who recognizes that you have cold backups might hit some of those first</blockquote>
Except ransomware can "hit some of those" in a way that they will still verify and restore and run just fine... right up until you hit a certain date when the self-encryption locks down.
The real answer is host-based intrusion detection systems. You do have Tripwire / Samhain, etc., installed and running reports at least weekly on all your servers, don't you? Required by PCI-DSS if you're handling credit cards, and an excellent idea on all other servers, too. Tells you when your files get silently damaged by corrupt hardware or misbehaving software, even without malevolent intruders.