When people keep advising victims not to pay ransom because threat actors can't be trusted to really delete all the data, my inner researcher kicks in and wants to know how often that really happens.

So I started sending out inquiries.

Now you might think that those who publicly and repeatedly urge journalists to "spread the word" not to pay would respond and share some of their experiences with untrustworthy threat actors, but no... they didn't even respond.

Read about the replies I did get, because they really surprised me.

I have no doubt that some professionals will hate what I have reported, but then, perhaps they should have responded, too, if they think differently.

How often do threat actors default on promises to delete data?
https://databreaches.net/2026/04/05/how-often-do-threat-actors-default-on-promises-to-delete-data/

#databreach #incidentresponse #ransom

@zackwhittaker @campuscodi @euroinfosec @lawrenceabrams @jgreig @securityaffairs @Hackread @h4ckernews

@PogoWasRight
So I downloaded your article. Then I deleted it. Pinkyswear!

If someone came and asked you: "Did Daniel really delete the copy of your article?"

How could you possibly answer that question? You don't know if I still have a copy or if I'm telling the truth.

@newstik Agreed completely. But should someone be able to assert -- without proof -- that you haven't deleted it, and therefore no one else should pay you?

We need to be honest with victims about the risks -- and that includes sometimes saying, "We don't know and it's a bit of a gamble if you want to take it, but we don't really have any evidence that this group has knowingly lied about deleting data."

@PogoWasRight @newstik
I thought companies paid so the data doesn't get leaked in an easy to find and publicized place.

@PogoWasRight @zackwhittaker @campuscodi @euroinfosec @lawrenceabrams @jgreig @securityaffairs @Hackread @h4ckernews For many attackers, managing large amounts of stolen data *clandestinely* is an annoying task they are glad to be rid of once they are paid. It is another part of their operations beyond the intrusion itself that they have to be very careful to manage in a way that cannot be attributed to them. Any remnant they keep is potential evidence against them if they should be apprehended in the future. The easiest and safest path is to get rid of it as soon as possible.

@PogoWasRight I remember similar research about the odds of actually getting your data back in case ransomware encrypted/deleted it with a very similar outcome. They pretty much always deliver because otherwise people wouldn't pay anymore and they'd be killing their own business model. That was a couple of years ago so no link, sorry.

@gollyhatch If I knew about it or remembered that, I definitely would’ve referenced it. If you happen to remember where you ever saw it, please let me know.

@PogoWasRight Will do. Assuming that you did some online research and didn't stumble across it I'm pretty sure it was a German-language thing. I also vaguely remember that they interviewed authorities (either regular cops or probably BKA/BSI if it was Germany) and they grudgingly admitted that when contacted for help by victims of ransomware they actually regularly recommend (to the individual victims/companies, not to the general public of course) paying the ransom because realistically they can't do jackshit to help you get your data back and most of the time the attackers hold up to their promise.

That's all just from memory though, I'll let you know if I find the source again.

@gollyhatch It looks like I missed something in February. Unit 42's Global Incident Response Report 2026 has a statement consistent with what Resecurity also reports. From Unit 42:

"This brand maintenance extends to promise-keeping: in our 2025 dataset, threat actors fulfilled their commitments (such as providing decryption keys or allegedly deleting stolen data) in 68% of cases where they made a promise."

So that's two firms suggesting that the majority of gangs do keep their word on deletion, again suggesting that having negotiators or consultants who know which groups are reliable and which aren't is pretty important if the victim is considering paying ransom to get data deleted.

@PogoWasRight The thing I was referring to was at least ~2 years back I think. Didn't have any luck finding it yet but this might also be interesting. Most concerning thing here IMO is that apparently companies make fewer backups, or if they do then in a way that gets them corrupted by ransomware along with their production data. Data recovered from backups after a ransomware attack at the lowest point in six years. 🤦‍♂️

https://assets.sophos.com/X24WTUEQ/at/9brgj5n44hqvgsp5f5bqcps/sophos-state-of-ransomware-2025.pdf