ACCORDING to BakerHostetler, their 2026 DSIR report on 1,250 clients in 2025 found that 34% paid ransom, and among those who paid, many aimed to get data deleted. DataBreaches notes they are aware of three such incidents involving one hack-and-leak group, with inquiries sent to multiple organisations to gauge how often data deletion is false or real.
The FBI declined to provide additional data on how often threat actors truly delete data after payment or which groups keep their word, emphasising that paying does not guarantee decryption and can embolden criminals.
Resecurity’s perspective, drawing on their experience with many victims, suggests that over 70% of ransomware groups with an established brand either completely remove the data or never contact the victim again after payment, while about 30% of independent access brokers may re-extort or demand more later. The piece also notes that there is an exception for state actors, who are said not to delete data regardless of promises.