Today Bank Info Security raised this question at: https://tinyurl.com/on-paying-ransom
It seems clear that, at least collectively, we are highly vulnerable to breaches and extortion. In order to take part of the profit out of such extortion, we need to raise the cost of attack against our systems tenfold. Not only will that take time, but it may also require additional motivation; too many enterprises are electing to accept, rather than mitigate, the risk. We know how to increase security; we lack sufficient motivation.
It seems equally clear that paying ransom may be good for the enterprise and the perpetrators while putting the infrastructure, society, and national security at ever higher risk. We need to discourage such payments. This includes not being able to assign the risk to underwriters, as AXA has already said. Such insurance creates a "moral hazard."
Historically, I have opposed "punishing the victim" as a means of encouraging better security. We managed to discourage the old "protection" rackets without resorting to that. However, something must be done; society cannot leave the acceptance of existential risk to any of thousands of enterprises.
Consider sanctions for paying extortion that escalate over time on a steep, but announced, schedule. This could increase the motive to improve security while allowing the time necessary to do it.
Finally, as with the protection rackets, there must be a law enforcement component to our response. We cannot put all of the responsibility for protecting society from this risk on the potential victims. Part of this response might include funding law enforcement out of fines imposed. Another part might include so regulating digital currency as to make it easier to "follow the money." We may decide that we cannot tolerate anonymous receipt of funds.