When people keep advising victims not to pay ransom because threat actors can't be trusted to really delete all the data, my inner researcher kicks in and wants to know how often that really happens.

  • pogowasright@infosec.exchange wrote:

    When people keep advising victims not to pay ransom because threat actors can't be trusted to really delete all the data, my inner researcher kicks in and wants to know how often that really happens.

    So I started sending out inquiries.

    Now you might think that those who publicly and repeatedly urge journalists to "spread the word" not to pay would respond and share some of their experiences with untrustworthy threat actors, but no..... they didn't even respond.

    Read about the replies I did get, because they really surprised me.

    I have no doubt that some professionals will hate what I have reported, but then, perhaps they should have responded, too, if they think differently.

    How often do threat actors default on promises to delete data?
    https://databreaches.net/2026/04/05/how-often-do-threat-actors-default-on-promises-to-delete-data/

    #databreach #incidentresponse #ransom

    @zackwhittaker @campuscodi @euroinfosec @lawrenceabrams @jgreig @securityaffairs @Hackread @h4ckernews

    newstik@social.heise.de wrote (#2):

    @PogoWasRight
    So I downloaded your article. Then I deleted it. Pinkyswear!

    If someone came and asked you: "Did Daniel really delete the copy of your article?"

    How could you possibly answer that question? You don't know if I still have a copy or if I'm telling the truth.

      pogowasright@infosec.exchange wrote (#3):

      @newstik Agreed completely. But should someone be able to assert -- without proof -- that you haven't deleted it, and therefore no one else should pay you?

      We need to be honest with victims about the risks -- and that includes sometimes saying, "We don't know and it's a bit of a gamble if you want to take it, but we don't really have any evidence that this group has knowingly lied about deleting data."

        sig_ug@infosec.exchange wrote (#4):

        @PogoWasRight @zackwhittaker @campuscodi @euroinfosec @lawrenceabrams @jgreig @securityaffairs @Hackread @h4ckernews For many attackers, managing large amounts of stolen data *clandestinely* is an annoying task they are glad to be rid of once they are paid. It is another part of their operations beyond the intrusion itself that they have to be very careful to manage in a way that cannot be attributed to them. Any remnant they keep is potential evidence against them if they should be apprehended in the future. The easiest and safest path is to get rid of it as soon as possible.

          fritzadalis@infosec.exchange wrote (#5):

          @PogoWasRight @newstik
          I thought companies paid so the data doesn't get leaked in an easy to find and publicized place.

            gollyhatch@hachyderm.io wrote (#6):

            @PogoWasRight I remember similar research about the odds of actually getting your data back in case ransomware encrypted/deleted it, with a very similar outcome. They pretty much always deliver because otherwise people wouldn't pay anymore and they'd be killing their own business model. That was a couple of years ago so no link, sorry.

              pogowasright@infosec.exchange wrote (#7):

              @gollyhatch If I knew about it or remembered that, I definitely would’ve referenced it. If you happen to remember where you ever saw it, please let me know.

                gollyhatch@hachyderm.io wrote (#8):

                @PogoWasRight Will do. Assuming that you did some online research and didn't stumble across it I'm pretty sure it was a German-language thing. I also vaguely remember that they interviewed authorities (either regular cops or probably BKA/BSI if it was Germany) and they grudgingly admitted that when contacted for help by victims of ransomware they actually regularly recommend (to the individual victims/companies, not to the general public of course) paying the ransom because realistically they can't do jackshit to help you get your data back and most of the time the attackers hold up to their promise.

                That's all just from memory though, I'll let you know if I find the source again.

                  pogowasright@infosec.exchange wrote (#9):

                  @gollyhatch It looks like I missed something in February. Unit 42's Global Incident Response Report 2026 has a statement consistent with what Resecurity also reports. From Unit 42:

                  "This brand maintenance extends to promise-keeping: in our 2025 dataset, threat actors fulfilled their commitments (such as providing decryption keys or allegedly deleting stolen data) in 68% of cases where they made a promise."

                  So that's two firms suggesting that the majority of gangs do keep their word on deletion, again suggesting that having negotiators or consultants who know which groups are reliable and which aren't is pretty important if the victim is considering paying ransom to get data deleted.

                    gollyhatch@hachyderm.io wrote (#10):

                    @PogoWasRight The thing I was referring to was at least ~2 years back I think. Didn't have any luck finding it yet but this might also be interesting. Most concerning thing here IMO is that apparently companies make fewer backups, or if they do then in a way that gets them corrupted by ransomware along with their production data. Data recovered from backups after a ransomware attack at the lowest point in six years. 🤦‍♂️

                    https://assets.sophos.com/X24WTUEQ/at/9brgj5n44hqvgsp5f5bqcps/sophos-state-of-ransomware-2025.pdf

                      jimz@infosec.exchange wrote (#11):

                      @sig_ug For reals, back when the source for one of the first RW was being passed around Alphabay forums (for testing... seriously, it's all logged) there were camps that simply wiped, period, and those who didn't. Short-term quick hitters v long term big payout models, I think. Wish there's data to see which one is more profitable on average, 10 years later.
                      My guess is that if you can properly ascertain data value, you can make $$$ and the breach won't ever be known. Skids HnR.

                        threatchain@infosec.exchange wrote (#12):

                        @jimz Really interesting point about the different approaches. The data valuation piece is huge - most attackers still seem to operate on volume over precision. The sophisticated ones who can properly assess what they've found and stay quiet probably make way more per incident, but we'd never see those numbers since successful stealth is... successful stealth.
