I don't think people here are considering all forms of ransoms, but you hit on an interesting aspect of it all the same.
It's why, I think, such a law wouldn't pass Constitutional review.
If your person is threatened with imminent danger, you have a right to self-defense, we'll even let you commit intentional homicide if the threat is serious enough.
And self-defense also covers your property and livelihood to a lesser extent.
I think it'd be extremely hard to convince courts that this right to self-defense doesn't include negotiating with an attacker. Imagine if it were a crime to toss some money at a mugger and run away, for instance.
The US Constitution contains no explicit right to self defense. There are a variety of state and federal laws covering justifiable use of force but none of them are even remotely applicable to paying ransoms. If you disagree then please cite a specific legal case.
US law derived from common law, which recognized a right to self defense. All 50 states, DC, and federal jurisdictions then codified that right as law. While the 2A is not directly about self-defense, it plainly guarantees an individual right to maintain the means for self-defense, which implies a right to self-defense.
There are cases covering a justifiable use of force because intentionally killing or harming a person is illegal, and self-defense is a defense against those charges.
It's normally perfectly legal to pay someone whatever you want. You don't need a defense against something that's not a crime. There's no conflict in paying a ransom, so there's no case law.
Regarding OFAC, as your link points out:
> One issue is that victim organizations are required to check the list of sanctioned entities; however, many times the true identity of the cybercriminals are not known.
I'm guessing there's no case law regarding paying ransoms to SDNs because nobody has an identity they can check.
But do we need case law when OFAC says:
> OFAC will consider a company’s self-initiated, timely and complete report of a ransomware attack to law enforcement to be a significant mitigating factor in determining the enforcement outcome if the situation is determined to have a sanctions nexus.
If someone wanted to make a law against paying ransom, it would be quite novel and courts would have to look for applicable doctrine. I think the doctrine of self-defense would be a roadblock.
It's why, I think, such a law wouldn't pass Constitutional review.
If your person is threatened with imminent danger, you have a right to self-defense, we'll even let you commit intentional homicide if the threat is serious enough.
And self-defense also covers your property and livelihood to a lesser extent.
I think it'd be extremely hard to convince courts that this right to self-defense doesn't include negotiating with an attacker. Imagine if it were a crime to toss some money at a mugger and run away, for instance.