IMO Patching is required when vulnerabilities are discovered and the software developer issues patches to remedy them. In this sense, patching can be consider as reactive or preventive depending on whether the user has been hit by ransomware. If you are hit by ransonware and then you patch your system after that then it's a reactive action. If you have NOT been hit by ransomware and you patch your system then it's a preventive action. As for backup solution it is not a preventive action but a recovery action after something has happened. Backup has its own caveats like what if you backup files/system which has a dormant malware in them? Or what if the backup is corrupted? Do you know which backup is the one you want? And what if the new version of the backup/restore software cannot restore the old backups (by an earlier version of the same software)
