To be more precise, ZFS snapshots are mostly just a timestamp reference, similar to how a git commit is just a reference to a git object. Writes don't change the value of the files in the snapshot because they're stored in new places rather than overwriting the existing files on disk.
These are all good ideas. It seems to me part of the problem with these ransom attacks is the intruders aren't pouncing the minute they get inside the victim's network. They take their time, figure out where everything is (including backups) and then only force-spread the ransom malware after they have staged everything just-so.
https://blogs.oracle.com/ahrens/is-it-magic