Yeah, for protecting against ransomware, the computers you are backing-up must not have permission to write in your backups, and the place you are writing your backups on must not have the same security flaws as them.
Both offline media and well configured S3 can do. Although, I'd personally bet much more on my capacity of configuring a server than S3. Anyway, you can't go wrong with offline. The one thing you can't have is a NAS where your computers directly write the data.
I favor cloud storage here since you can configure write-only storage pools (without delete, or at least with versioning). Whereas "offline" backups must come online for new copies, and that's a window for infection of the hosting file system, barring well-configured snapshots or the like. Also it can be your second location for the "three copies, two locations" rule of thumb, especially if you are an SMB with only one physical space.
(The opposite plays here, too. If everything you have is in the cloud, you should keep local backups.)
Both offline media and well configured S3 can do. Although, I'd personally bet much more on my capacity of configuring a server than S3. Anyway, you can't go wrong with offline. The one thing you can't have is a NAS where your computers directly write the data.