Dissent Doe  19h ago

When people keep advising victims not to pay ransom because threat actors can't be trusted to really delete all the data, my inner researcher kicks in and wants to know how often that really happens.

So I started sending out inquiries.

Now you might think that those who publicly and repeatedly urge journalists to "spread the word" not to pay would respond and share some of their experiences with untrustworthy threat actors, but no..... they didn't even respond.

Read about the replies I did get, because they really surprised me.

I have no doubt that some professionals will hate what I have reported, but then, perhaps they should have responded, too, if they think differently.

How often do threat actors default on promises to delete data?
https://databreaches.net/2026/04/05/how-often-do-threat-actors-default-on-promises-to-delete-data/

#databreach #incidentresponse #ransom

@zackwhittaker @campuscodi @euroinfosec @lawrenceabrams @jgreig @securityaffairs @Hackread @h4ckernews

Show threadBrambleminster Gollyhatch
@PogoWasRight I remember similar research about the odds of actually getting your data back in case ransomware encrypted/deleted it with very similar outcome. They pretty much always deliver because otherwise people wouldn't pay anymore and they'd be killing their own business model. That was a couple of years ago so no link, sorry.
7:25pmWeb
Show threadDissent Doe  13h ago
@gollyhatch If I knew about it or remembered that I definitely would’ve referenced it. If you happen to remember where you ever saw it, please let me know.
Show threadBrambleminster Gollyhatch13h ago

@PogoWasRight Will do. Assuming that you did some online research and didn't stumble across it I'm pretty sure it was a German-language thing. I also vaguely remember that they interviewed authorities (either regular cops or probably BKA/BSI if it was Germany) and they grudgingly admitted that when contacted for help by victims of ransomware they actually regularly recommend (to the individual victims/companies, not to the general public of course) paying the ransom because realistically they can't do jackshit to help you get your data back and most of the time the attackers hold up to their promise.

That's all just from memory though, I'll let you know if I find the source again.

Show threadDissent Doe  11h ago

@gollyhatch It looks like I missed something in February. Unit 42's Global Incident Response Report 2026 has a statement consistent with what Resecurity also reports. From Unit 42:

"This brand maintenance extends to promise-keeping: in our 2025 dataset, threat actors fulfilled their commitments (such as providing decryption keys or allegedly deleting stolen data) in 68% of cases where they made a promise."

So that's two firms suggesting that the majority of gangs do keep their word on deletion, again suggesting that having negotiators or consultants who know which groups are reliable and which aren't is pretty important if the victim is considering paying ransom to get data deleted.

Show threadBrambleminster Gollyhatch9h ago

@PogoWasRight The thing I was referring to was at least ~2 years back I think. Didn't have any luck finding it yet but this might also be interesting. Most concerning thing here IMO is that apparently companies make less backups, or if they do then in a way that gets them corrupted by ransomware along with their production data. Data recovered from backups after a ransomware attack at the lowest point in six years. 🤦‍♂️

https://assets.sophos.com/X24WTUEQ/at/9brgj5n44hqvgsp5f5bqcps/sophos-state-of-ransomware-2025.pdf