But the ransomware attackers are already breaking the law with greater proceeds. Why would they stop and decide to play by rules that require them to do more work to make the same pay?
Yes, but they're still facing some risk of criminal penalties. This removes that, in return for more orderly behavior.
To some extent, the current risk of criminal penalties will cause them to be more damaging. What they're doing is already illegal; why minimize collateral damage? Why not try to double-dip, both stealing data and encrypting it? Why not disappear if there's any risk of discovery, rather than follow through with decryption keys and information about plugging holes?
Also, the current regime means only "criminal"-minded people are performing this activity. And yet, the activity still has some positive side-effects! It causes organizations to close security holes (which could put their customers' data at even greater risk) and improve backup procedures.
A limited carve-out for "responsible" vigilante penetration-and-remediation would allow other more-law-abiding operators to participate in this activity, with more responsible practices. (You could do this with your real name & put your wins against name-brand organizations on your resume!) This should lead to flaws being more rapidly discovered & closed, and perhaps at less cost and collateral damage than the current legal regime – which, after all, isn't doing a great job of catching perpetrators or assigning accountability to vendors and IT departments after incidents.
They're already doing this - ransomware attackers are astoundingly good at acting in a collectively beneficial manner. Most ransomware attackers will go out of their way to make sure you're able to decrypt your data because they know if enough people can't then no one will pay their ransom.
The selfish and optimal play in this scenario is to be among good actors using ransomware and never bother with the effort of allowing users to decrypt their data, but surprisingly few people are acting this way - enough that most companies have confidence gambling that the criminal that just compromised their system will act honestly. It's seriously astounding.