
This doesn't work in practice; companies that aren't allowed to pay those ransoms usually use proxies (some other company that doesn't have to follow those restrictions) that will pay the hackers.



There are ways to prevent the "bags of money" from happening. The Foreign Corrupt Practices Act (FCPA) comprehensively prohibits even using the most obscure arrangements to pay bribes. Large institutions hire expensive lawyers to ensure their ongoing compliance with FCPA, because the penalties for failing to prevent your organization from paying bribes are extensive. You can't completely eliminate a practice through law, but you can come close, and FCPA has done more for this problem globally than nearly any other measure enacted by a government.


> The Foreign Corrupt Practices Act (FCPA) comprehensively prohibits even using the most obscure arrangements to pay bribes

You can have all the laws you want in words on paper, but if they're not enforced, for all practical purposes, they don't exist.

The people who enforce the FCPA must be understaffed or undermotivated or underfunded because I've worked for several companies that regularly paid bribes as part of doing business.

One example: I worked for a large media company that would send TV crews to cover stories in Mexico on a fairly regular basis. Almost every time the crews tried to return to the United States, the Mexican border personnel would seize their very expensive gear. The only way to get it back was to pay a bribe.

This was so common that everyone was told to just mark it down on their expense reports as "Airport tax." I only found out about it when I started asking why I kept seeing "Airport tax" on expense reports for trips I knew were done in cars.


Your example would be a _very_ far stretch for FCPA.

The law is about bribes for "obtaining or retaining business". It's one thing if you were paying a bribe to say, a local minister to get exclusive access to some sort of scene...

But low-level crooks pretty much sticking you up and you try to buy your stuff back from them under the guise of "government business" is not the kind of thing FCPA is about. It's for concerted attempts to pay off foreign officials to strengthen your business.

Which surely still happen, but not in the manner you're describing. FCPA violations wouldn't be the sort of thing that "everyone" is told about.


IIRC the kind of phrasing used is “external security consultants”.

“We didn’t hand duffel bags of money to the perpetrator group’s courier, we hired a professional external individual security consultant to handle the situation”


News from a few months ago: You just had your servers hacked into and all your database are belong to them. The black hats demand X number of BitCoins as ransom, but you cannot pay because it violates certain laws. So you hire an intermediary who pays for you, thereby avoiding the legal problem.

https://www.theverge.com/2020/8/4/21353842/garmin-ransomware...


Same thing in The Big Lebowski.


So this is what security consultants do. Always wondered.


In the limited context of ransomware attacks.


There's always a loophole, I suppose.

By very loose analogy, either when playing chicken, or when you and a person walking towards you both repeatedly veer in the same direction to avoid collision, one tactic is to very conspicuously cover your eyes. The other person can then see that you will not re-correct based on their behavior. Though I know this option exists, I have never successfully used it. It's always difficult to truly intentionally commit to limit your options to respond to future circumstance.


I heard of this as a kid, something along the lines of 'when walking down a street make an effort to look forward, through people (and not at them)'.

Same concept applies, and in my experience it seems to work. Though this was before the era of phones (and people not looking where they're going regardless).


Also known as the crazy bastard strategy: when playing chicken, throw away the steering wheel.


What if the other person covers their eyes at the same time? Thank god for quantum mechanics.


Pass a law to 1) forbid public entities from paying ransom; 2) require stringent, timely (less than 24 hours) public reporting of incidents; 3) require stringent public reporting on root cause analysis/resolution/future remediation.

If it is a legal requirement of my job to do the right thing, I'm gonna do the right thing.


Isn't this the same problem that money laundering laws have to solve? It's hard, but it's not insurmountable.


Money laundering has the benefit of Federal law working to help the State laws. I think in an environment where there are 50 different legal regimes it's inevitable people will develop workarounds. You see legal arbitrage in every instance where legal differences exist between states, from corporate law to family law. I don't know why this would be any different.

If you want to stop the hackers, make it a Federal crime to pay anyone. In that environment, there would be no circumventing the restriction at all.


With strict and timely reporting requirements to the FBI.


Not really: money laundering typically is an on-going activity, while ransomware/hostages is (hopefully) incidental.

That means that money laundering laws are up against a dedicated adversary with resources, while laws preventing ransoms... not so much.

Of course, with cyber insurance, incentives for the insurer may lean towards dedicated circumvention.


But it would remove public institutions from the target list. Also, in the case of private institutions, if it were a criminal offense to use such a proxy, an investigator could discover this. The threat of prison for any officer of a corporation who arranged such a payment would be a powerful deterrent.


Not that it undermines your overall point, but it might prove to disincentivize attacking smaller companies that aren't in as strong a position to use proxies -- which I would still count as a win.


But at least it's difficult and illegal. It makes them less of a target for hackers since they're less likely to pay and it places liability on anyone who tries to work around the law.

