>Instead, you would pay (exhorbitant) consulting fees to a foreign-based "offensive security" entity

Lots of US based incident response companies handling ransomware payments, this isn’t the domain of some sketchy foreign offsec joints.