[naniwaduni]

If you make it expensive enough to pay ransoms outright, throwing money at security starts looking more appealing.

A ban on paying ransoms isn't the right tool for this. Fine them, punitively, with a portion set aside to incentivize whistleblowing.

[entuno]

Financial costs won't solve the problem for companies, because they're hard to enforce. You'd be weighting up the cost of dealing with the fallout of getting hacked against the cost of paying the random and the chance that you might get caught and fined. If that former cost is existential for the business, then it'd always be worth paying and taking the risk.

The only real way around that would personal consequences for the owners/directors of the company - "get caught paying a ransom and the whole board goes to jail" would certainly discourage people. And also provide a wonderful opportunity for blackmail when people did.

Not to mention all the problems of fining public sector organisations, and how counter-productive that usually is.