Why not enact into law a limited immunity for any such ransomware that (a) only charges a modest amount for decryption; (b) never exfiltrates private data to elsewhere; (c) after payment, reveals all security lapses that allowed penetration?
We can't even hold commercial software developers to enforce secure coding standards, yet we're expected to trust anonymous malware writers to write code that is proven to not exfiltrate data and trust that they are ethical enough to reveal all of the weaknesses they found?
You can still capture the malware in honeypots & analyze its behavior – and try all the investigation and enforcement methods currently used.
But, those grayhats seeking to use this safe-harbor would be more open about their identities & methods. They can even deposit their earnings into KYC'd bank accounts!
So imagine some bad-faith actor pretends to be complying, but then turns out not to be & tries to double-dip – taking both the conditional bounty, and more. Such people will now be competing with other hackers who are playing by the rules – leaving the nastier actors fewer open systems. And anyone who seems to obfuscate their identity/methods will stick out as a likely bad-faith actor. Thus I'd expect they'd be a lot easier to catch, and have more to lose, than in the status quo.