Site last updated: Sunday, April 12, 2026

Butler County's great daily newspaper

Ransomware attacks may end, but not anytime soon

The latest cyberattack, apparently emanating from Russia again, has hit at least 20 software firms affecting at least 1,000 businesses.

It follows a cyberattack that left parts of the U.S. without adequate gasoline supplies for several days, and one on the Irish public health system.

There are undoubtedly many more attacks that go unreported, if only because the victims do not wish to advertise their willingness to pay ransom.

And so the obvious question arises: How is all this supposed to stop? For an answer, it’s useful to apply some game theory.

The scalability of the internet can be a major virtue. But it also makes it easier for vices to proliferate. There are now the equivalent of venture capital markets to help fund ransomware attacks.

Consider street crime, for example. There is a natural limit to it if only because most people have better options than to pursue such a life, and many who do so are simply not good at it and get caught. What’s more, street crime is constrained by the need for physical presence; you can only commit so many carjackings in a month.

In the cyber realm, these constraints do not apply. In low-wage, low-trust countries, such as Russia, you can just hire more hackers to pull off more attacks. Even if the perpetrators can be identified, Russia doesn’t seem so eager to help U.S. law enforcement. Other havens for cybercriminals could emerge.

More aggressive regulation of cryptocurrency markets could make ransom payment more difficult, but the hackers could always resort to anonymized cryptocurrencies.

Some have proposed that paying ransoms should be made illegal. That might be hard to enforce, and is it really wise to penalize businesses that seek to restore services to their customers?

Criminalization might also incentivize hackers to create ever more destructive attacks in an effort to get the ransom spigot turned back on. At least under the status quo, hackers have some incentive to seek out relatively quiet attacks that will yield a ransom but not wreak too much havoc or attract too much attention.

How exactly all this will unfold is clear, though unpleasant to contemplate. Many businesses and institutions still don’t view a ransomware attack as a major threat, and they won’t invest much more in security until they do.

One consolation is that hackers will almost certainly “overfish” the pool of victims. At some point there will be so many attacks that most institutions will have no choice but to respond with significant defensive measures. The hackers themselves will accelerate this process, because each will try to maximize their profits before the game is over.

Game theory doesn’t help very much in predicting how long this cat-and-mouse game will go on. But it’s safe to say that it will be here for a long time to come.

Tyler Cowen is a Bloomberg Opinion columnist.
