In no particular order of importance, do ALL of them...
Make some real firewall rules. DON'T just leave the default allow-any-outbound rules: ONLY allow traffic outbound on the ports you actually use/need. Example for DCs: 53, 80, 123, 443, 3544. Example for end-users: 80, 443, 1935, 3544.
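Here is what that looks like on the Windows host firewall, as an added example (my code, not from the original post). It uses the NetSecurity cmdlets (Windows 8 / Server 2012 and later) with the port lists from the post; the TCP/UDP split is my assumption (53 DNS on both, 123 NTP and 3544 Teredo on UDP, 80/443/1935 on TCP). One thing the post's port lists do not say: a host firewall sees internal traffic too, so internal networks are allowed in full first or Kerberos, LDAP, SMB and DNS to the DCs break the moment the default flips to Block.

```powershell
# Added example (not from the original post): an outbound allow-list built with the
# Windows Defender Firewall cmdlets. Port lists are the post's; the protocol split
# (53 TCP+UDP, 123/3544 UDP, 80/443/1935 TCP) is an assumption.

function Set-EgressAllowList {
    param(
        [Parameter(Mandatory)][string]$RoleName,         # label only, e.g. 'DC' or 'EndUser'
        [string[]]$InternalNetworks = @('LocalSubnet'),  # firewall keyword or CIDR list
        [int[]]$TcpPorts = @(),
        [int[]]$UdpPorts = @()
    )

    # Remove rules from a previous run so re-applying is idempotent.
    Get-NetFirewallRule -DisplayName "Egress-$RoleName-*" -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    # Internal traffic stays open; the allow-list below is for what leaves the network.
    New-NetFirewallRule -DisplayName "Egress-$RoleName-Internal" -Direction Outbound `
        -Action Allow -RemoteAddress $InternalNetworks -Profile Any | Out-Null

    if ($TcpPorts.Count -gt 0) {
        New-NetFirewallRule -DisplayName "Egress-$RoleName-TCP" -Direction Outbound `
            -Action Allow -Protocol TCP -RemotePort $TcpPorts -Profile Any | Out-Null
    }
    if ($UdpPorts.Count -gt 0) {
        New-NetFirewallRule -DisplayName "Egress-$RoleName-UDP" -Direction Outbound `
            -Action Allow -Protocol UDP -RemotePort $UdpPorts -Profile Any | Out-Null
    }

    # Only now flip the default from Allow to Block. Everything not listed above is
    # dropped and logged, so the log shows what was forgotten before the users do.
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block `
        -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'
}

# The two role examples from the post:
# Set-EgressAllowList -RoleName DC      -TcpPorts 53, 80, 443  -UdpPorts 53, 123, 3544
# Set-EgressAllowList -RoleName EndUser -TcpPorts 80, 443, 1935 -UdpPorts 3544
```

Run it with the default still on Allow for a week and read pfirewall.log for what would have been blocked; the first things you find are usually an update service or an agent you forgot about, not malware.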
CryptoPrevent or some other Group Policy-based software run restriction: don't let any executable run from a temp location.
An end-user should never be a local admin. Admit it, you did this once upon a time only because you were tired/lazy and didn't take the time to set the permissions right on something.
Automatically remove all shares if/when the encryption starts to happen (see example here). This can also be set up to email you the moment it happens, with the filename and the user who did it.
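One way to build exactly that on a Windows file server, as an added example (my code, not the example linked from the post): a File Server Resource Manager (FSRM) file screen that fires when a known ransomware artefact is written to a share, emails the writer's account name and the file path, and then drops every non-administrative SMB share. It assumes the FSRM role service is installed, that `D:\Shares` is the root of the shared folders and that `soc@example.com` / `smtp.example.com` are your alert address and relay (all placeholders); the extension list is a constructed sample, not a current feed.

```powershell
# Added example (not from the original post): FSRM file screen that alerts and pulls
# all shares when a known ransomware file name appears. Paths and addresses are
# placeholders; the pattern list is a constructed sample and must be kept current.

Import-Module FileServerResourceManager

$ShareRoot = 'D:\Shares'           # placeholder: root of your shared folders
$AlertMail = 'soc@example.com'     # placeholder: where the alert goes
$Patterns  = @('*.locky', '*.crypt', '*.encrypted',
               '*DECRYPT_INSTRUCTIONS*', 'HELP_DECRYPT.*')   # constructed sample

# FSRM needs a relay to send mail at all (placeholder server/sender).
Set-FsrmSetting -SmtpServer 'smtp.example.com' -FromEmailAddress 'fsrm@example.com'

# 1. Group the file names that should never legitimately be created on a share.
if (-not (Get-FsrmFileGroup -Name 'Ransomware Artefacts' -ErrorAction SilentlyContinue)) {
    New-FsrmFileGroup -Name 'Ransomware Artefacts' -IncludePattern $Patterns | Out-Null
}

# 2. Email action. FSRM fills in [Source Io Owner] and [Source File Path] at run time,
#    so the alert names the account that wrote the file and the file itself.
$mail = New-FsrmAction -Type Email -MailTo $AlertMail `
    -Subject 'Ransomware activity on [Server]' `
    -Body 'User [Source Io Owner] wrote [Source File Path] on [Server]. All shares were taken offline.'

# 3. Command action: drop every non-administrative SMB share so the encrypting host
#    loses its write path. Runs as LocalSystem; RunLimitInterval stops it re-firing
#    on every further write from the same incident.
$cmd = New-FsrmAction -Type Command -SecurityLevel LocalSystem `
    -Command 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' `
    -CommandParameters '-NonInteractive -Command "Get-SmbShare | Where-Object { -not $_.Special } | Remove-SmbShare -Force"' `
    -RunLimitInterval 60

# 4. Bind both actions to an active screen on the share root. Active also refuses the
#    write itself; drop -Active for a notify-only screen while you tune the patterns.
New-FsrmFileScreen -Path $ShareRoot -IncludeGroup 'Ransomware Artefacts' `
    -Notification $mail, $cmd -Active | Out-Null
```

Two things to know before you turn it on. It is deliberately a self-inflicted outage: every user loses the shares until you recreate them, so keep an export (`Get-SmbShare | Export-Clixml`) somewhere off the file server. And a pattern that is too broad (`*.crypt` will also match a few legitimate file types) takes the server offline on a false positive, so run the screen without `-Active` and without the command action for a while and watch what it reports first.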
Use an Internet filter to block all the ccTLDs and IDNs your company doesn't really need. Also block the known bad/malware domains, and better yet block advertisements too (the source of much badware). We use DNS Redirector; it's great and it doesn't cost a fortune.
Prevent access to any URL with an IP address in it: only bad guys do links like http://93.184.216.34. Everything else should use a DNS name like http://example.com, which forces a DNS lookup (which is filtered) before anything gets out to the Internet.
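The filter rules from the previous two points, written out as one policy check so you can see which rule catches which link. This is an added example (my code, not from the post and not DNS Redirector's configuration) and it generalises the post slightly: besides IP literals it also checks IPv6 literals, punycode (`xn--`) labels for the IDN rule, a TLD allow-list for the ccTLD rule, and a blocklist matched against the host and each parent domain. The allow-list, blocklist and sample URLs are all constructed for the example.

```powershell
# Added example (not from the original post): a URL policy check mirroring the filter
# rules above. Allow-list, blocklist and the sample URLs are constructed.

$AllowedTlds  = @('com', 'net', 'org', 'edu', 'gov', 'us')      # constructed allow-list
$BlockedHosts = @('malware-host.invalid', 'ads.example.net')     # constructed blocklist

function Test-UrlPolicy {
    param([Parameter(Mandatory)][string]$Url)

    $uri = $null
    if (-not [System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref]$uri)) {
        return [pscustomobject]@{ Url = $Url; Allowed = $false; Reason = 'unparseable' }
    }

    # Rule 1 (IP in the URL): legitimate links go through DNS, which is where the filter sits.
    if ($uri.HostNameType -in 'IPv4', 'IPv6') {
        return [pscustomobject]@{ Url = $Url; Allowed = $false; Reason = 'ip-literal' }
    }

    $hostName = $uri.Host.ToLowerInvariant()   # Host carries no port or path
    $labels   = $hostName.Split('.')

    # Rule 2 (IDN): punycode labels are how look-alike domains reach the wire.
    if ($labels | Where-Object { $_.StartsWith('xn--') }) {
        return [pscustomobject]@{ Url = $Url; Allowed = $false; Reason = 'idn' }
    }

    # Rule 3 (ccTLDs/TLDs the business does not need stay closed).
    $tld = $labels[-1]
    if ($tld -notin $AllowedTlds) {
        return [pscustomobject]@{ Url = $Url; Allowed = $false; Reason = "tld-$tld" }
    }

    # Rule 4 (known bad / ad domains): match the host and every parent domain.
    for ($i = 0; $i -lt $labels.Count - 1; $i++) {
        $candidate = $labels[$i..($labels.Count - 1)] -join '.'
        if ($candidate -in $BlockedHosts) {
            return [pscustomobject]@{ Url = $Url; Allowed = $false; Reason = "blocklist:$candidate" }
        }
    }

    [pscustomobject]@{ Url = $Url; Allowed = $true; Reason = 'ok' }
}

# Constructed sample links; the expected verdict is in the comment.
@(
    'http://93.184.216.34/login',        # blocked: ip-literal
    'http://[2001:db8::1]/',             # blocked: ip-literal (IPv6)
    'http://example.com/',               # allowed
    'http://xn--pple-43d.com/',          # blocked: idn (constructed punycode label)
    'http://update.example.ru/',         # blocked: tld-ru
    'http://tracker.ads.example.net/'    # blocked: blocklist:ads.example.net
) | ForEach-Object { Test-UrlPolicy $_ } | Format-Table -AutoSize
```

The order matters: the IP check runs before anything touches the host name, because a dotted-quad host has no TLD and would otherwise fall through to the wrong rule. Run your real proxy or DNS logs through it for a day and the `Reason` column tells you which rule would generate the most tickets.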
User training: reinforce that users should not click on things that look phishy, are spelled wrong, or that they were not expecting, even if the email looks like it's from someone they know. Run a contest for the "crappiest email of the week/month": employees forward their entries (or, perhaps safer, print and submit them) and IT picks the winner of a free [insert something more valuable than a bouncy-ball here]. You can also do the inverse/negative approach: the user who opens something infected must proudly display the dreaded [insert something more inappropriate than a bag of dog crap] at their desk for a whole week, and they are not allowed to decorate/hide it.
Implement spam/email message filtering: if your users can't get to a bad link, they can't click on a bad link.
Do backups, and check that they are actually working. Make a "compliance game": if someone else (in your IT department) can delete a file (they should make their own backup first) and you can't restore it, then you owe them lunch. Shit gets solved real fast.
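"Check that they are actually working" means restoring something, not reading a green status light. An added example (my code, not from the post) for a file-copy style backup: it pulls a random sample of live files, restores their backup copies into scratch space and compares hashes. `D:\Shares` and `\\backup01\mirror\Shares` are placeholder paths, and the `Copy-Item` stands in for whatever restore command your backup product uses.

```powershell
# Added example (not from the original post): restore spot-check for a file-copy style
# backup. Source and backup roots are placeholders; swap Copy-Item for your backup
# product's restore command if it stores archives rather than a mirror.

function Test-BackupRestore {
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$BackupRoot,
        [int]$SampleSize = 25
    )

    $sourceRoot = $Source.TrimEnd('\')
    $restoreDir = Join-Path $env:TEMP ('restore-test-' + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $restoreDir | Out-Null

    # Random files each run, so the same "known good" file is not proven every week.
    $sample = Get-ChildItem -Path $sourceRoot -File -Recurse | Get-Random -Count $SampleSize

    $results = foreach ($file in $sample) {
        $relative   = $file.FullName.Substring($sourceRoot.Length + 1)
        $backupCopy = Join-Path $BackupRoot $relative
        $restored   = Join-Path $restoreDir $relative

        if (-not (Test-Path -LiteralPath $backupCopy)) {
            [pscustomobject]@{ File = $relative; Status = 'MISSING IN BACKUP' }
            continue
        }

        # Actually perform the restore into scratch space, then compare hashes.
        New-Item -ItemType Directory -Path (Split-Path $restored) -Force | Out-Null
        Copy-Item -LiteralPath $backupCopy -Destination $restored
        $live = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        $back = (Get-FileHash -LiteralPath $restored -Algorithm SHA256).Hash
        $status = if ($live -eq $back) { 'OK' } else { 'DIFFERS (changed since backup, or corrupt)' }
        [pscustomobject]@{ File = $relative; Status = $status }
    }

    Remove-Item -LiteralPath $restoreDir -Recurse -Force
    $results
}

# Test-BackupRestore -Source 'D:\Shares' -BackupRoot '\\backup01\mirror\Shares' | Format-Table -AutoSize
```

Read a burst of `DIFFERS` results as a signal, not just noise: a mirror that suddenly disagrees with most of the live files is either a broken job or live files that were encrypted since the last run. And a mirror on a share that end-users can write to is encrypted along with everything else, so the copy you will actually restore from has to be versioned or offline.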
Try executable whitelisting, the idea being that only software you know about can run. I think this is extreme and haven't resorted to doing it myself.
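Points 3 and 11 are the same mechanism at two strengths, so here is one AppLocker policy that does both, as an added example (my code; not from the post and not CryptoPrevent's rule set). The deny rules stop anything running from user and system temp folders for everyone (point 3); the allow rules then whitelist Program Files and Windows and leave everything else implicitly denied (point 11). It assumes a Windows edition with the AppLocker cmdlets and the Application Identity service running, and it starts in `AuditOnly` so you can read the AppLocker event log before anything is actually blocked. The rule GUIDs are placeholders.

```powershell
# Added example (not from the original post): AppLocker policy covering the temp-folder
# deny (point 3) and executable whitelisting (point 11). GUIDs are placeholders.
# S-1-1-0 is Everyone, S-1-5-32-544 is BUILTIN\Administrators.

$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <!-- Point 3: nothing runs from user-writable temp locations, for anyone.
         Explicit Deny beats any Allow in AppLocker, including the admin rule below. -->
    <FilePathRule Id="11111111-1111-1111-1111-111111111111" Name="Deny: user temp"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\Local\Temp\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="22222222-2222-2222-2222-222222222222" Name="Deny: system temp"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Windows\Temp\*" /></Conditions>
    </FilePathRule>
    <!-- Point 11: only software you know about can run; everything not allowed is denied.
         %PROGRAMFILES% covers both Program Files folders. -->
    <FilePathRule Id="33333333-3333-3333-3333-333333333333" Name="Allow: Program Files"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="44444444-4444-4444-4444-444444444444" Name="Allow: Windows"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <!-- Admins can still install things; end-users are not admins (point 4). -->
    <FilePathRule Id="55555555-5555-5555-5555-555555555555" Name="Allow: administrators"
                  Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'applocker-ransomware.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Apply locally; -Merge keeps rules that already exist. For the domain, import the same
# XML into a GPO under Computer Configuration > Windows Settings > Security Settings >
# Application Control Policies > AppLocker.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# Dry run: what would the policy do to executables already sitting in this user's temp?
$candidates = (Get-ChildItem "$env:LOCALAPPDATA\Temp" -Filter *.exe -ErrorAction SilentlyContinue).FullName
if ($candidates) {
    Test-AppLockerPolicy -XmlPolicy $policyPath -Path $candidates -User Everyone
}
```

If you only want point 3 without going all the way to point 11, replace the two Allow rules with a single Allow on `Path="*"` for Everyone; the Deny rules still win because AppLocker evaluates explicit denies first. Either way, stay in `AuditOnly` until the event log has been quiet about legitimate software for a couple of weeks, then change the `EnforcementMode` to `Enabled`.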