A customer had data loss once; the only thing Microsoft will give you is a discount certificate for your O365 billing. I believe it was worth 100 dollars. Microsoft does not deliver restore possibilities; you are responsible for your own data according to the small print in the contract.
Regarding ransomware, this is possible, as for instance a user who has infected files uploads them to the cloud. Depending on the ransomware, it can spread using the account needed for that O365 environment; other environments are not affected, as a different account is needed to access that storage section.
Backing up to on-premises will do fine for mail via the EWS method, but SharePoint and OneDrive are debatable; currently I have a customer who cannot back up the last two at more than 3.5 GB/hr. So I would make a full backup at the implementation of O365 and then perform an incremental-forever strategy to keep the deltas as small as possible.
Senior Technical Consultant