
The idea would be to reduce the likelihood of a payout.



And just to spell it out: Fewer payouts mean fewer resources to spend on further operations. So I would absolutely think that the criminals care if there is an actual ban.


Except, this assumes that the cost of an operation being run is beyond marginal.

The actual cost of launching an attack like this is basically nothing - initial access, etc, is largely automated and performed at scale.

The “costly” part is the hands on keyboard part, but even that can be largely automated, and even manually doesn’t take long.


Of course the cost of an operation is beyond marginal. The cost of maintaining a team capable of executing sophisticated ransomware attacks is far from trivial. Especially since the operation is illegal, money needs to be laundered, and interpersonal tensions in cybercrime happen. Fewer payouts mean less money for the criminals and are absolutely a problem for them.

This is not a company where you automate people out of a job and the CEO gets all the profit. Organised crime groups share profits among themselves, and the profit is by far the main motivator for all of them.


You're not competing against the hackers doing nothing, you're competing against them targeting some other country or just changing jobs. You don't have to get the payouts to $0, just low enough that it's not worth doing.

This would basically remove the prospect of million dollar payouts; it probably removes the prospect of payouts in the hundreds of thousands. Any company with the money to make those kinds of payouts is likely to have reporting requirements that make it very hard or impossible to hide.

Payments in the tens of thousands could maybe be hidden or targeted at small enough businesses that they don't have to report what happened to their money, but is it even worth it at that point? We're talking people with at least some level of technical ability; do they really want to piss off the FBI/NSA/European equivalents for tens of thousands of dollars? I sure wouldn't.


If this doesn't reduce the likelihood of ransomware (because it's low effort to just send and see what happens), then it's only a problem for the victims.


Is that really the case? I was under the impression those organizations have specialized people, some write the software, some do the hacking, some the social engineering etc. Once there is much less money this kind of system would probably fall apart?


I think that’s the point. Force the companies to improve their security practices.


I don't think the people drafting such laws have 2nd order thinking.


Don't be so cynical, they do have such thinking (at least sometimes - like all other humans they have blind spots). They also have advisors who have such thinking. There are 532 people in congress, each of whom has several advisors, plus all the other officials in the FBI, CIA, NSA, military who have easy access to congress, dozens of lobbyists - it only takes one to have an idea and tell congress (though they don't always agree, and of course congress will not always do what they want). That is the US; every other country has different setups, but they will have something similar.


This is absurd. There are better ways to do that other than punishing victims...

Do you think we should do similar for theft? Should it be illegal for a store assistant to hand over money to armed robbers, because theoretically if fewer people handed over money there might be fewer armed robberies?

And I disagree with what you're saying anyway. I doubt this would stop ransomware. I think if anything this would just push ransomware to become even more cruel so that they increase the likelihood of their victims choosing to break the law over not giving the ransomware owners what they want.
