All these things must be run as root on a btrfs filesystem.
First, create the working path:
mkdir -p /path/to/data/snaps
Then create a subvolume:
btrfs su create /path/to/data/current
This last path is where you and your lusers will save your crap (of course, remember to set appropriate permissions and ownerships; it works mostly as a regular directory).
Then, from a crontab or similar, run this:
btrfs su snapshot -r /path/to/data/current /path/to/data/snaps/$(date "+%Y%m%d")
And that's all. If/when the intruders encrypt your data and ask for a ransom, you still have pristine copies inside the snapshots. Not even root can modify these files; they are purely read-only. The only thing that can be done with the snapshots is to delete them, which you should do on a periodic basis.
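An added example (not from the original post) that wraps the snapshot command in a script for cron and adds the periodic deletion; putting it in a script also avoids cron treating the unescaped `%` in `date "+%Y%m%d"` as a newline. It assumes GNU date, and `KEEP_DAYS`, `expired_snapshots` and `take_and_prune` are names made up here.

```shell
#!/bin/sh
# Added example: daily read-only snapshot plus pruning, meant to be run from cron.
# Paths are the post's placeholders; KEEP_DAYS is an assumed retention setting.
DATA=${DATA:-/path/to/data/current}
SNAPS=${SNAPS:-/path/to/data/snaps}
KEEP_DAYS=${KEEP_DAYS:-30}

# Print the names in directory $1 that look like YYYYMMDD and are older than
# the cutoff date $2 (also YYYYMMDD). Anything else in the directory is ignored.
expired_snapshots() {
    for path in "$1"/*; do
        [ -d "$path" ] || continue
        name=${path##*/}
        case $name in
            [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
            *) continue ;;
        esac
        if [ "$name" -lt "$2" ]; then
            printf '%s\n' "$name"
        fi
    done
}

take_and_prune() {
    today=$(date "+%Y%m%d")
    cutoff=$(date -d "-${KEEP_DAYS} days" "+%Y%m%d")   # GNU date syntax
    # Skip creation if today's snapshot already exists (cron re-run, manual run).
    if [ ! -e "$SNAPS/$today" ]; then
        btrfs subvolume snapshot -r "$DATA" "$SNAPS/$today" || return 1
    fi
    # Refuse to prune unless today's snapshot reports ro=true.
    btrfs property get -ts "$SNAPS/$today" ro | grep -qx 'ro=true' || {
        echo "snapshot $SNAPS/$today is not read-only" >&2
        return 1
    }
    # Delete only after a good snapshot exists, so a failed run never
    # shrinks the set of recovery points.
    expired_snapshots "$SNAPS" "$cutoff" | while read -r name; do
        btrfs subvolume delete "$SNAPS/$name"
    done
}

# Only touch the filesystem when asked to: snapshot.sh --run
if [ "${1:-}" = "--run" ]; then
    take_and_prune
fi
```

Call it from root's crontab with the `--run` argument; without it the script only defines its functions.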
If Jeff Bezos got a nickel every time I misspell 'snapshot' as 'snaphost', he would be rich by now.