"And if the money trail leads to a hostile state?"
Isn't that one of the stated reasons why all major countries have international spy groups?
These things are tolerated in some places because they tend not to annoy too many powerful people in their own countries. If a Russian-created bit of malware that infected a US institution was quickly redeployed by the CIA back into Russia, the malware writers would have a serious life expectancy problem.
The ransoms tend to be paid in Bitcoin, and that can be traced back, so it isn't like these people can't be found.
US law says a person who receives payment for malware can be sent to jail for 39 months per charge under the wire fraud regulations. The Justice Department already has tools to present these cases to a grand jury and indict the creators, where they can be collected if they ever visit a friendly country. 20 charges can be 65 years in Leavenworth. A few long-term jail terms for malware and spammers might just start putting a dent in the problem. Spammers are now costing the global economy about 250 billion dollars a year.