Hacker News

cortesoft today at 5:35 PM | 8 replies

This is always the game theory of ransoms, and it is a classic example of a collective action problem (and is a form of a prisoner's dilemma).

Each individual company is probably better off paying the ransom, but everyone would be better off if no one paid a ransom.

This is why the United States, for example, has an official no-ransom policy, and why other no-ransom policies exist. You have to have something forcing the individual victim to not pay, otherwise they will always be incentivized to pay and ransoms will continue to be profitable.

https://en.wikipedia.org/wiki/Collective_action_problem

https://en.wikipedia.org/wiki/Prisoner%27s_dilemma


Replies

gopher_space today at 6:07 PM

Famously summarized by Kipling

https://www.kiplingsociety.co.uk/poem/poems_danegeld.htm

Ysx today at 6:00 PM

> Each individual company is probably better off paying the ransom, but everyone would be better off if no one paid a ransom.

You're then a target known to be vulnerable and pay ransoms, so best focus on security.

janalsncm today at 6:02 PM

There’s a similar dynamic from within the hacker group itself. For the ransom group, it is better for them to be perceived as trustworthy. Pay the ransom and we won’t leak your data.

For any individual within the ransom group, they can get a big payout by selling the data.

bombcar today at 5:39 PM

You can also have the "excessive force" doctrine, where holding someone or something for ransom results in your entire country being a smoldering crater.

But just like fail2ban, this gives someone else decision-making control over your actions, which can be abused.

BennyH26 today at 6:22 PM

And that’s exactly why the incidence of kidnapping plummeted in Italy once ransom payments were made illegal

mlyle today at 7:37 PM

There's one more piece that matters.

If no one pays the ransoms, but people believe that large ransoms are paid-- you still have the crime.

Hizonner today at 5:39 PM

... except that "policies" don't cut it. Criminal penalties for paying are what you need, and not just for payments to specific designated entities, either. The executive making the decision to pay has to have a real fear of personally spending time in actual prison.

kjkjadksj today at 5:51 PM

While the US stance has resulted in savings on potential ransom, it has also led to people being kept in prison for a very long time until prisoner exchanges might be worked out. That cost to an individual's life being imprisoned is probably far in excess of whatever the US might pay. Plus the US prints its own monopoly money and doesn’t really play by the rules of economics anyhow ever since getting off the gold standard.
