You should Always password protect the backup share with an account that only you and veeam B&R knows. I even do it this way at home.
Yeah, that's nice and all, but if Veeam is running on a Windows server in your domain and the malware can get to it with a properly credentialed account, it can read the veeam configuration and hose you anyway. Or even if it isn't on your domain, it could key log that information. In fact, even if your NAS has snapshot features, any kind of key logger that sits on an admin's system long enough will get credentials for that too and could wipe out your snapshots.
So: multiple online backups of any kind, even geographically dispersed, aren't going to help much.
Unfortunately, the best solution to this particular threat that I can see is rotating offline backups at a frequent interval, which is a pretty expensive, if not impossible, solution for those of us who have several terabytes of data per backup. Even that probably won't be safe for long, as attackers get more sophisticated it is entirely possible that they could subtly corrupt all backups over time until they are confident you have no good ones, or any good ones are too old to be very useful so you'll likely pay the ransom anyway. Of course, if you're testing backups frequently like you're supposed to, you might catch it in time, maybe. If they're corrupting the backups, they could potentially just corrupt certain parts of the backup instead, making it seem as though the target was restored properly when in reality the database data inside it is useless, for instance; though I admit that is pretty out there as far as probabilities go.
As much as I hate to say it, there are a lot of situations in this area where (probability * cost of problem) < (cost to fix problem), and I don't see that ever getting better.
It might be more worthwhile to try and eliminate the problem from the other end, that is, prevent ransomware in the first place. Hard as that is, there are some relatively easy steps that can help:
If you have Exchange or some similar product, you can create rules that match common phrases or dangerous words and attachments and force those emails to be read and approved for delivery by an administrator*. Oddly, Microsoft did not see fit to include a way in Exchange to filter for Office documents that contain macros, so unfortunately you have to assume ALL pre-2007 document formats contain macros. Worse, Office will happily open an *.RTF file that is, in fact, a Word file with a macro. If at all possible, you should probably just disable macro execution entirely in Office and apply that policy globally. I know, right? Good luck selling that to management.
(*From experience I can assure you that this gets tedious in a hurry, and worse, the fact that it is so tedious inclines whoever is approving messages to get lazy about it, defeating the purpose. It will never be perfect, but with enough tuning it can be worth the effort.)
Another strategy is to implement FSRM (File Server Resource Manager) on your Windows file servers to take action automatically in certain circumstances. For instance, my own implementation monitors for known file extensions of ransomware variants and runs a script when one is detected. This script emails the administrators and puts a deny entry for the offending user on all shares. Another similar policy monitors canary files placed strategically throughout the share drives for modification and performs the same lockout (note: this uses a scheduled task, not FSRM).
Of course, in an ideal world, we could Whitelist executables by hash using Software Restriction Policies. If you work in an environment where this is something you can actually get away with, then please tell me because I want a job that easy.
It seems to me that the future of IT is going to be decided soon because of Ransomware. Are we going to start taking security seriously as an industry, or are we going to continue blundering forward in a world where convenience almost always wins out and just start paying for Ransomware insurance the same way you pay for K&R insurance in some countries?
.