You didn't say anything about tax evasion in this post, which seems like an important thing to consider. Most ransomware payments are made secretly, right?
Is the argument roughly, "some will evade taxes, so the policy will not work as well, and therefore is not worth implementing?"
Yes, currently very few companies report paying ransom payments. When this tax is introduced the motivation for hiding payments will be even higher, and go up with the tax rate. So when you say "With each increase in tax rates, a market equilibrium will be reached where the funding of ransomware is significantly reduced" I would guess instead that reporting will go down.
Thus, an attacker, knowing this, could only reasonably expect to demand half the amount to get paid.
Who bears the cost of a tax depends on the elasticities of supply and demand. In the case of a ransomware attack, I would expect the vast majority of the burden to fall on the victim.
Right, the proposal offers no initial benefit to the next victims immediately after its implementation. Also, I agree that the inelasticity of the market for ransomware would lead to increased initial burden on the next victim, due to higher initial total payments (ransom + tax) prior to adaptation. Indeed, at any point there is a tax increase, the immediately-following victims would pay more, so perhaps a slow raising of the tax rate would be best. One assumption I made is that the attackers are already demanding their utility-maximizing amount. Since this ransom would decrease with time as all actors become aware of the existence of this tax, the benefit would be realized by the downstream effects of less funding of ransomware, and the would-be victims of the future are the real intended beneficiaries.
(End of post updated for clarity on this)
I don't know enough about attacker motivations and economics, or what is the elasticity of attempts to extort (nor about elasticity of victims who choose to pay). It certainly won't solve the problem. It MAY reduce the incidence, or it may just make it more expensive for victims and slightly less profitable (but still way positive) for attackers.
I do wonder why it's preferable to tax at punitive rates, but not to just outlaw entirely. Philosophically, sin taxes are annoying, because they assert a sin without much justification or calculation of "how bad is it". When framed in a Pigouvian context (tax enough to be neutral about the externality), it's a much stronger theory. In this case, it's very hard to calculate the Pigouvian cost (externality value) of paying a given ransomware demand, so taxation seems a weaker tool than just outlawing it (note: I don't know enough to really advocate for this either, I'm just comparing the two).
Thank you for the feedback; I've updated the post for another attempt at improved clarity with your concerns in mind. I think the optimal tax amount could be empirically determined. The use of the word "sin" carries baggage that could be avoided without its use; there is no retributive intent or even need to match the extent of negative externality; rather, there is just some theoretical tax rate and increase timeline that would reduce net harm. An empirical approach could explore various rate increases and their effects, using various proxies of both payment and compliance to estimate how the market is impacted.
Updated to include: "Taxation immediately reduces the frequency of payouts" section toward the end.
A tax could largely mitigate the growing ransomware problem. The following is a proposal for a scheduled, gradual increase in the tax rate on ransom payments:
Why not favor an outright ban?
The taxation approach does not aim to reduce the severity of any individual attack; it only reduces the expected frequency of attacks, because each one is worth less to the attacker. This follows from the attacker's extortion-maximizing objective function, which accounts for the known, enforced tax rate and the compliance (reporting) rate, together with the attacker's implicit, unobserved probability distribution over the total cost (ransom plus tax) that a victim is willing to pay. The tax does not benefit the victims immediately following its implementation (it likely harms them further through the additional tax burden), but many would-be future victims benefit from lower ransomware funding and thus a significantly reduced number of attacks. At no stage does the magnitude of an attack become smaller for the victim; the policy addresses only the frequency of attacks. If the tax were high enough, the viral coefficient of ransomware's growth would fall below 1.0 as payouts diminish and interest declines.
Taxation immediately reduces the frequency of payouts, because it shifts the victim's decision threshold by making payment more expensive, which in turn reduces the funding of future ransomware attacks. Thus, funding of and incentives for ransomware attacks begin to drop almost the moment the policy is implemented. The status quo is effectively a 0% tax rate (in most countries).
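To make the objective function in the "Why not favor an outright ban?" section and the "immediately reduces the frequency of payouts" claim concrete, the following is an added toy model. It is not from the original post and makes assumptions the post does not: the victim's maximum total outlay (ransom plus tax) is drawn from a lognormal distribution, the tax only bites when the payment is reported (a `compliance` probability), and the attacker maximizes `demand * P(victim pays)`. All function names and numbers are illustrative.

```python
"""Toy model of ransom-setting under a tax on ransom payments.

Added illustration; not the post's own model. Assumptions (not from the post):
  * A victim pays iff demand * (1 + tax_rate * compliance) <= W, where W is the
    victim's maximum total outlay, modeled as lognormal (median 1, sigma 1).
    The attacker does not know W, only its distribution.
  * 'compliance' is the probability the payment is reported and taxed, so the
    victim's expected tax per unit of ransom is tax_rate * compliance.
  * The attacker keeps 'demand'; the state collects demand * tax_rate when the
    payment is reported. Units are arbitrary.
"""
import math


def survival_lognormal(total_cost: float, median: float = 1.0, sigma: float = 1.0) -> float:
    """P(W >= total_cost) for a lognormal W. Assumed distribution."""
    if total_cost <= 0:
        return 1.0
    z = (math.log(total_cost) - math.log(median)) / sigma
    return 0.5 * math.erfc(z / math.sqrt(2.0))


def payout_probability(demand: float, tax_rate: float, compliance: float) -> float:
    """Probability that a victim facing this demand actually pays."""
    multiplier = 1.0 + tax_rate * compliance
    return survival_lognormal(demand * multiplier)


def expected_revenue(demand: float, tax_rate: float, compliance: float) -> float:
    """Attacker's expected take from one victim."""
    return demand * payout_probability(demand, tax_rate, compliance)


def optimal_demand(tax_rate: float, compliance: float,
                   lo: float = 0.01, hi: float = 100.0, steps: int = 4000):
    """Grid search over a geometric grid of candidate demands.

    Returns (best_demand, best_expected_revenue). The objective is unimodal
    for this distribution, so the grid argmax is within one grid step
    (about 0.2%) of the true optimum.
    """
    ratio = (hi / lo) ** (1.0 / steps)
    best_d, best_r = lo, -1.0
    d = lo
    for _ in range(steps + 1):
        r = expected_revenue(d, tax_rate, compliance)
        if r > best_r:
            best_d, best_r = d, r
        d *= ratio
    return best_d, best_r


def compare(tax_rate: float, compliance: float) -> dict:
    """Three regimes the post discusses: status quo (0% tax), the period right
    after the tax starts (attacker still demands the old amount), and the
    adapted market (attacker has re-optimized against the tax)."""
    d0, r0 = optimal_demand(0.0, 0.0)
    m = 1.0 + tax_rate * compliance
    d1, r1 = optimal_demand(tax_rate, compliance)
    return {
        "status_quo": {"demand": d0, "revenue": r0,
                       "payout_prob": payout_probability(d0, 0.0, 0.0),
                       "paying_victim_outlay": d0},
        "unadapted": {"demand": d0, "revenue": expected_revenue(d0, tax_rate, compliance),
                      "payout_prob": payout_probability(d0, tax_rate, compliance),
                      "paying_victim_outlay": d0 * m},
        "adapted": {"demand": d1, "revenue": r1,
                    "payout_prob": payout_probability(d1, tax_rate, compliance),
                    "paying_victim_outlay": d1 * m},
    }


if __name__ == "__main__":
    for tax, comp in [(1.0, 1.0), (1.0, 0.25), (1.0, 0.0)]:
        print(f"tax={tax:.2f} compliance={comp:.2f}")
        for regime, stats in compare(tax, comp).items():
            print(f"  {regime:10s} " + " ".join(f"{k}={v:.3f}" for k, v in stats.items()))
```

Two things the numbers show that the prose alone does not. First, because the victim's decision depends on total outlay, the attacker's best response is to scale the demand down by exactly `1 / (1 + tax_rate * compliance)`, and the attacker's expected revenue falls by the same factor; that factor does not depend on the assumed distribution, only the absolute values do (a 100% tax with full compliance halves the demand, matching the "half the amount" remark above). Second, in the unadapted period the payout probability drops immediately while paying victims' outlay rises, and in the adapted market the paying victim's total outlay returns to its status-quo level with the state taking the difference; if compliance is zero the model collapses to the status quo, which is the reporting concern raised in the comments.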
Finally, it is worth considering a similar government-enforced tax policy for ransom payments in general (not just ransomware).