As far as I understand the way Evernote works, its main vulnerability to ransomware is the local cached files it keeps on the PC where it is installed, which ransomware could possibly encrypt, and a sync could corrupt the data in the Evernote cloud. If used strictly as a cloud service, especially with 2-factor authentication, I believe that a local attack of ransomware on a PC can't touch the Evernote data in the cloud. This is contrary to the way cloud file storage services work, which the ransomware can see as a local folder and the contagion it creates gets automatically uploaded to the cloud and back down to all other connected devices.
A possible way Evernote can deal with the threat of ransomware is to offer a "non-cached" mode of operation. Maybe such a thing already exists and I would be grateful to be told about it. Basically, in this mode of operation the responsiveness of Evernote would be totally entrusted to the speed of the user's network link. As bandwidth is constantly increasing, it should be less of a problem going forward. Every item the user touches would be downloaded on the fly. If modified, it would be synced there and then. If unmodified, it would immediately be deleted from the local cache (with an optional automatic shred option).
Since the data stored in Evernote is only accessible via the Evernote application and not as files in a local cloud service folder, it would have to be pretty clever ransomware to operate the app, touch, download, encrypt and re-sync every note - basically a non-option.