Hacker News

One possible solution to such problems is to prohibit paying ransom by law. Hackers can still be destructive, but at least they will have less incentive to participate in such activities.


Companies get around that by hiring a security 'consultant' or other firm to pay the ransom. Conveniently the cost of the consultant is exactly the ransom. It's enough legal cover for the company to release statements like "XYZ corp is not negotiating or paying the ransom."


Then consultants go to jail. And if these consultants are in China or some other country, then the law can be formulated in a way that someone should go to jail.

Top managers will deny everything, but the FBI will start investigations, there will be a whistleblower, and eventually the FBI will offer a deal to some middle manager to testify in court that top managers knew that "consultants" were actually hackers.

This will be enough to greatly discourage stakeholders from participating in paying these consultants even indirectly.

Maybe it won't work perfectly, but at least it will make paying more risky, more expensive, thus less often.

Sanctions work the same way. You can't deal with a company that is under sanctions, and if you try to use some intermediary to get around sanctions, you can still be fined at least.


> Then consultants go to jail.

Because they'll just call 911 and say "I just paid ransom under cover"?

You know this is why incompetent lawmakers terrify me. They believe they can just be "tough" and everyone just falls in line instead of trying the infinite loopholes you leave open, each of which is a better outcome for them than the draconian path drawn by the law in spirit.

If you make payment illegal, not only are you punishing the victim, you're adding a STRONG INCENTIVE for them to keep the whole thing a SECRET.

You're shooting your own foot.


> Because they'll just call 911 and say "I just paid ransom under cover"?

Because some whistleblower will leak it (or just some person who is seeking their 15 minutes of fame).

Or because there's a transaction to China by a company which never worked with China. Like if you paid a security consultant company based in China, and that consultant company was registered a week ago, and the website was down for a week, that is a reason to start an investigation.

Oh, by the way, a law may mandate disclosure of a ransom request like within three days. So even if the FBI couldn't prove the consultants were fake, the company can still be fined for not disclosing the request.

> STRONG INCENTIVE for them to keep the whole thing a SECRET

I suspect companies which pay ransom now don't exactly shout about it on every corner. Only those who refuse to pay do so.

> You're shooting your own foot.

How could it be worse than it is now?


Assuming paying ransoms were illegal[0], arranging for another party to pay it (commit an illegal act) would be an act of conspiracy.

[0] already being signaled: https://www.reuters.com/article/us-treasury-cyber-idUSKBN26M...


Sounds like there's an easy solution to that. Just don't allow ransom payments to be tax deductible.


Another option is to add a 900% tax on ransom payments, owed by the payer. It would either lower the price of ransoms or get less of them paid. I don't know why that would be better than prohibition, but it would be funnier.


Unfortunately it looks like the exact opposite is occurring: https://apnews.com/article/technology-business-government-an...

The regularity of ransomware has apparently made the expense “ordinary” therefore now tax deductible. Shrug.


Wouldn't other types of crime like theft or damaged windows be the same?


It wouldn't be funnier, it would have the exact same effect as a prohibition law.


I'd argue that a far better solution is improving security requirements and developing better procedures.

Hacks in many ways incentivize companies to invest in their security.

Also, if you prohibit paying ransom nothing will probably change. Hackers will continue to steal data, they will just sell it like they always did.

Sure, they will now target companies that have more valuable data, but the big picture won't change.


> One possible solution to such problems is to prohibit paying ransom by law. Hackers can still be destructive, but at least they will have less incentive to participate in such activities.

One possible solution to rape is that women walk around with a bomb and if someone tries to rape them they kill themselves and the attacker. Rapists can still be destructive, but at least they will have less incentive to participate in such activities.



