[yrral]

But wouldn't the payments just end up being passed through?

For example, one way to get around that is you could sign a contract with a foreign consultant firm for "security services", say for 1 year, and they would take your money, and pay a portion of it to the ransomware authors and profit on the rest.

[somehnguy]

Wouldn't that be extremely obvious though?

[learc83]

Not when it's done through several layers of employees and then potentially multiple layers of foreign companies.

It's very hard to find individuals to hold criminally liable for things like this. When was the last time you saw a CEO go to jail when their company killed someone?