"The option of 'pay ransom' is really a sign that you've failed yourself (and your customers, if you're a business). You can't stop data exposure, but to have to pay to get your data back, that's just stupidity on your part."
The victims of ransomware are companies too small to have a full-up IT department. Since lots of /.ers are in the US, look at the stats on company size. The vast majority of companies have fewer than 10 employees. Those are the companies where the IT was probably set up by a friend or neighbor.
It's all well and good to say that you should have a full backup tested and ready to go, but only larger companies actually do. At best, what a small company has is a hard-disk that some employee takes home on the weekend, which is supposed to contain a backup of all critical files. Most won't have anything beyond a local file synchronization, which the ransomware may be able to overwrite.
Most small businesses run on a shoestring: they can't afford to pay an IT person to run a professional network for their 3 PCs and 2 laptops. Heck, one company I am currently working with has one employee using their workgroup server as their normal PC. Win-XP with full administrative rights. That's how they saved money when they started six or seven years ago, and only now - when the hardware is end-of-life - is it finally going to change.
If there is an offsite backup, it will be days or possibly weeks old. It's certain that no one has ever actually wiped down the server and tried a full restore; they don't really know if the backup is complete (or even readable). Some critical file somewhere won't have been backed up, or they won't be able to find all the license keys, or... Figure it will take days, maybe even a couple of weeks to get the company running again. Lost time, lost business, plus the lost data (since the backup won't be current), plus paying consulting fees for an expert to do all of the work.
Likely as not, the company will pay the ransom and hope for the best.