"Just make paying a ransom a criminal offence, punishable by, say, ten years in prison for the CEO. Sorted."
Not really. As I mentioned in another thread, in countries that have made ransom payments for kidnap illegal, people are less likely to inform the authorities of a kidnap so the authorities can't then obstruct/prosecute them for paying the ransom to save their loved one (it's not unheard of for authorities to freeze the assets of someone who reports a kidnap to prevent any ransom payment). As a result, it's easier for kidnappers to operate knowing that there's little chance of the police getting involved. The same would probably apply with ransomware.
There are also ways around making an obvious payment to the demanders. You can't be seen to pay a $5m ransom, but you can engage a 'specialist' consultant to either negotiate with the kidnappers or disinfect your IT systems for maybe $1m, that consultant being either a front for the kidnappers/malware pushers, or a legitimate consultant laundering the ransom payment before passing it on to the baddies.
Have to say though, it seems a poorly-chosen time to target CWL when business travel is at an all-time low.