> Unfortunately, for the individual victim, paying is usually the best of a set of bad options

Is it?

From the perspective of the hacker, the hacker's best move is to take the money and simply demand more. There's zero incentive for the hacker to return the victim's data.

This becomes a probablistic situation: the approach I'd take if I were a victim would be to borrow an analogy from poker for the problem of deciding whether to call in order to possibly win a pot. First, I'd determine how much the data is worth to me, and use that to determine my "pot odds":

    pot_odds = ransom / value_of_data

I'd then try to figure out how often hackers actually return the data on a ransom:

    odds_of_data_being_returned ~= times_data_has_been_returned_after_ransom_paid / times_ransom_has_been_paid

At this point, we can decide whether it's a rational choice to pay the ransom:

    if pot_odds < odds_of_data_being_returned:
        pay_the_ransom()

Areas for research: this is a pretty unsophisticated way of determining the odds of the data being returned. I don't have data on how often hackers return data upon being paid the ransom, but I suspect if we gathered data we could get a better probability. For example, one could use linguistic patterns in the hacker's communication to fingerprint different ransomware hackers, and use that to get a probability for each individual hacker. It's likely that some hackers never return the data, and some hackers always return the data, and each of these probabilities has drastically different effects on the outcome of our decision algorithm.