The 'you' in this case is all of us, collectively. Unfortunately, for the individual victim, paying is usually the best of a set of bad options, even though it is not the best one for us, collectively.
> Unfortunately, for the individual victim, paying is usually the best of a set of bad options
Is it?
From the perspective of the hacker, the hacker's best move is to take the money and simply demand more. There's zero incentive for the hacker to return the victim's data.
This becomes a probabilistic situation: the approach I'd take if I were a victim would be to borrow an analogy from poker for the problem of deciding whether to call in order to possibly win a pot. First, I'd determine how much the data is worth to me, and use that to determine my "pot odds":
pot_odds = ransom / value_of_data
I'd then try to figure out how often hackers actually return the data on a ransom:
At this point, we can decide whether it's a rational choice to pay the ransom:
if pot_odds < odds_of_data_being_returned:
    pay_the_ransom()
Areas for research: this is a pretty unsophisticated way of determining the odds of the data being returned. I don't have data on how often hackers return data upon being paid the ransom, but I suspect if we gathered data we could get a better probability. For example, one could use linguistic patterns in the hacker's communication to fingerprint different ransomware hackers, and use that to get a probability for each individual hacker. It's likely that some hackers never return the data, and some hackers always return the data, and each of these probabilities has drastically different effects on the outcome of our decision algorithm.
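The decision rule above, carried through as an added Python example (this is not code from the commenter or the thread). It keeps the comment's pot-odds rule and adds the per-actor refinement the comment suggests: a fingerprinted crew's observed track record, smoothed toward a global prior, replaces the single global probability. The crew names, payment counts and the 0.6 prior are constructed illustration data, not real statistics.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class ActorStats:
    """Observed outcomes for one fingerprinted ransomware crew.

    `paid` is how many victims we know paid this crew, `returned` how many
    of them got a working decryption key. All counts used here are
    constructed illustration data, not real measurements.
    """
    paid: int = 0
    returned: int = 0

    def p_return(self, prior: float, prior_weight: float = 2.0) -> float:
        # Shrink the observed rate toward the global prior so that a crew
        # seen only once or twice does not come out at exactly 0% or 100%.
        return (self.returned + prior * prior_weight) / (self.paid + prior_weight)


@dataclass
class Decision:
    pay: bool
    pot_odds: float
    p_return: float


def pot_odds(ransom: float, value_of_data: float) -> float:
    """ransom / value_of_data, as in the comment; worthless data gives infinite odds."""
    if value_of_data <= 0:
        return float("inf")
    return ransom / value_of_data


def should_pay(ransom: float, value_of_data: float, p_return: float) -> bool:
    """The comment's rule: pay iff pot_odds < P(data returned).

    This is the same as requiring positive expected value for paying:
    p_return * value_of_data - ransom > 0.
    """
    return pot_odds(ransom, value_of_data) < p_return


def decide(ransom: float, value_of_data: float, actor: Optional[str],
           stats: Dict[str, ActorStats], prior: float) -> Decision:
    """Per-actor version: use the fingerprinted crew's track record when we
    have one, otherwise fall back to the global return rate `prior`."""
    if actor is not None and actor in stats:
        p = stats[actor].p_return(prior)
    else:
        p = prior
    return Decision(pay=should_pay(ransom, value_of_data, p),
                    pot_odds=pot_odds(ransom, value_of_data),
                    p_return=p)


# Constructed track records (hypothetical crews, hypothetical counts).
ACTORS: Dict[str, ActorStats] = {
    "crew_a": ActorStats(paid=40, returned=39),   # volume operator, reliable
    "crew_b": ActorStats(paid=12, returned=0),    # takes the money, never decrypts
}
GLOBAL_PRIOR = 0.6  # assumed overall return rate when the crew is unknown

if __name__ == "__main__":
    for crew in ("crew_a", "crew_b", None):
        d = decide(ransom=1000, value_of_data=10000, actor=crew,
                   stats=ACTORS, prior=GLOBAL_PRIOR)
        print(f"{crew!s:>8}: pot_odds={d.pot_odds:.3f} "
              f"p_return={d.p_return:.3f} pay={d.pay}")
```

With the same 1000 ransom on 10000 worth of data, the rule says pay for crew_a and for an unknown crew, but not for crew_b, whose smoothed return rate (about 0.086) is below the pot odds of 0.1. The smoothing is the design choice worth noting: with raw frequencies a crew observed once would be scored at exactly 0 or 1, which is the "drastically different outcomes" problem the comment points at.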
Not in the long term, because then they gain a reputation as someone not to be "trusted". Many of these outfits have their own support forums, make it easy to pay, etc., and happily hand your data back over because they make money in volume, not from one particular mark. If you gain a reputation for being easy to work with, unlocking data and offering the support to do so, many more people will pay just to get rid of the headache when their computers are locked down.
For (1), this is the reason the ransom is small. Since "many" are actually trustworthy, it's a small risk to pay the relatively small ransom. (Also, you can verify via bitcoin address if you're dealing with a hacker who is known to give data back.)
For (2), could you also find a way to get the FBI to release a statement saying you are trustworthy?
The vast majority of the "hackers" never see you signing in and paying the Bitcoin. The systems are automated to the point that paying the ransom triggers a process that results in the browser passing the decryption key back to the client-side malware which then decrypts your file. Electronic software delivery is a much more economical way for these enterprising thugs to be profitable at scale.
> > Unfortunately, for the individual victim, paying is usually the best of a set of bad options
> Is it?
Also, think what would happen if a ransomer failed to give the data back after being paid. The only benefit for the ransomer on that mark is to then say, "No, now I want x-more dollars." What is the mark going to do then, once the ransomer has proven untrustworthy? Give them yet more money?
99% of the time, no, the mark will give them nothing, but it only takes 1% to make it viable.
I do buy the reputation argument when applied on a larger scale, though. I didn't realize that some of these operations were as large as other commenters have pointed out.
Most ransomware cases aren't targeted; they are opportunistic. Ransomware spreads like normal malware rather than as some targeted "APT" operation.
And while initially ransomware operators were quite "solid" and, for lack of a better word, "trustworthy", the popularization of it led to everyone and their mother writing ransomware in hopes of making a quick buck.
In those cases you can't even rely on the encryption being recoverable, because the malware itself is utter garbage and the criminals don't care or don't even have the technical skills to operate a full ransom-cycle campaign.
It's not uncommon to see even fairly fresh ransomware samples in the wild with dead BC wallet addresses, banned PayPal and Skrill (and other payment provider) accounts, incorrect routing numbers, etc.
This isn't 5-10 years ago, where some ransomware would actually give you a VoIP phone number/Skype/email to call or mail, and you would get to speak to some Russian or Malaysian guy, give them the money and actually get a key to recover your data.
Sure, some ransomware operators still operate that way, and some have more sophisticated automated systems with C&C servers, but most figured out that it doesn't matter because they are in it for the quick buck, and well, if you are going to commit a crime then why not fraud/scam your target in the same swoop.
Ironically, this reality led the more established organized crime organizations that employ ransomware to generate income to actively fight against the new waves of quick-cash ransom scams, because they need people to still have some trust in the fact that they can get their data back if they pay.
Even firing at random is a better strategy in a target-rich environment compared to an environment where your targets either don't pay out or attempt to fight back.