I'm not sure why the distinction between physical and virtual harm is relevant. Physical harm is valuable for a person to stop because their life has value to them, and virtual harm is valuable for an organization or person to stop because the virtual assets being harmed have value to the organization or person.
We could get into the monetary value of a life and whether a sufficient amount of virtual harm, especially when that virtual harm might reasonably translate into a life (emergency systems, insurance payouts, etc.), but I don't think we even need to.
The difference is the mugger gets your wallet one way or the other. The only difference is if you survive to tell the story. The ransomware attacker is only rewarded if the victim capitulates.
Edit: On the other hand, if the counter-factual was a mugger at an ATM demanding you enter your PIN, that distinction doesn't exist. So maybe you're right.
Maybe the right answer is to outlaw paying the ransom except to save human life, but also create a federal fund to compensate victims of these attacks.
We could get into the monetary value of a life and whether a sufficient amount of virtual harm, especially when that virtual harm might reasonably translate into a life (emergency systems, insurance payouts, etc.), but I don't think we even need to.