
We are truly in the age of rich data pirates. I don't see them becoming extinct any time soon with decent ROI like this.

I would be curious to learn the % of origins for most attacks.

[1] Incompetence by dumb employees

[2] Insider attacks

[3] Paid cybersecurity protection rackets that take down strong systems with stolen tech

[4] Unskilled or understaffed security employees




The US needs to pass a Federal law making it personally (not just "corporately") illegal to pay ransom. That would stop them because it would kill the market.

Historically it's how they stop kidnapping in countries where it's common. It REALLY sucks for the first few people after the law is passed, but after that things get better.


But wouldn't the payments just end up being passed through?

For example, one way to get around that is you could sign a contract with a foreign consultant firm for "security services", say for 1 year, and they would take your money, and pay a portion of it to the ransomware authors and profit on the rest.


Wouldn't that be extremely obvious though?


Not when it's done through several layers of employees and then potentially multiple layers of foreign companies.

It's very hard to find individuals to hold criminally liable for things like this. When was the last time you saw a CEO go to jail when their company killed someone?


> Historically it's how they stop kidnapping in countries where it's common. It REALLY sucks for the first few people after the law is passed, but after that things get better.

Is this based in reality? What countries have banned ransom payments for human kidnapping and what people did it “suck” for?

My hunch is that if your spouse gets kidnapped and you have the means to get them back, you’ll risk it.


https://www.nytimes.com/1998/02/01/world/italian-ban-on-payi...

They are not the only ones, just the first I found on Google.


So when you said “countries” and “historically” you meant “Italy” and “since 1991”?

Good to know you weren’t just talking shit there.


What countries are you talking about? Because kidnap insurance is still a moderate size business.



Countries where kidnapping was common are also usually countries with weak government and very ineffective policing, so it's not that simple. Laws like that are in the end pushing responsibilities of law enforcement on the companies and citizens.

I'm against ransoms, but if I was CEO of a company that's about to release a COVID19 vaccine, or provides jobs to 100k people, you bet I'd pay that ransom.

But even if that would happen, it's naive to think that corporations wouldn't work around it. They already do, by outsourcing payments to 3rd party companies - they can proxy it via other countries, fake identities, etc, etc.



