I think that the ransom should not be paid because this encourages the malware authors to keep developing ransomware and infect people with it; the more encouragement means for more of this behavior to be continued. If malware authors didn't make any money from ransomware then it wouldn't be a thing, however ransomware is extremely prevalent now due to the demand for money being successful thanks to victims who pay up.
I think a better approach would be to keep the systems updated with the latest version of Windows (and updates applied once verified it will work smoothly with the running software - update the software for compatibility if there is a problem), good end-point security solution being applied, regular back-ups made to reduce the damages in the case of data loss, and employees being internally/externally trained to become updated with the latest attacker techniques so their awareness is raised and so good and safe practices are being applied by default. Locking down the system and instructing for the user how to do things if necessary which are restricted after proper verification has taken place is also not a bad idea (better still, lock down the system and remove the ability to work-around it in an business environment until a qualified administrator who really knows what they are doing has done checks before doing something for them).
A lot of administrators in professional, business environments don't really know what they are doing to the standard they should when it comes to security IMO. Pick any school or business you want, I really would not be surprised if the administrator of a picked choice isn't aware that a virus is a type of malicious software, nor is aware of the many different types of malware. Once during education, I had to do a computer-based exam... Signed into an administrator account for god sake.
When people don't take proper precautions and end up being infected, they may resort to paying the ransom with the hope of getting back important affected documents. Some do not even wait for security analysts to check if a decryption tool can be developed (because some ransomware doesn't perform the encryption routine properly, or doesn't patch up vulnerabilities which can be abused to retrieve the private key regardless) before paying the ransom.
Protection is not just about preventing an attack, but also preventing loss of data after an attack. A backup is a very good thing to have at all times in-case you do become successfully attacked, to reduce the damage impact of data loss (data loss prevention safety routine, whatever you want to call it).
Many people on these forums use a backup, it doesn't take much time at all to make a good system backup image and securely store it, or keep documents up-to-date. Even a simple removable device securely stored containing backed up documents which are critical which have passed through some form of encryption (or strong password-protected archive) is better than nothing for sure.
At least Microsoft is focusing a bit more on data-loss prevention with their new folder access control feature (cannot remember the exact name for the feature). The only problem is it isn't adapted for an inexperienced home user to operate it properly, too confusing for them IMO. Needs to be more straight-forward and simple.
