In his excellent book, Ransom War: How Cybercrime Became a Threat to National Security, Max Smeets introduces the concept of the Ransomware Trust Paradox:
Despite their inherently deceiving activities…ransomware groups must convince their victims of their trustworthiness. This trust encompasses not just the promise not to release the stolen data but also the assurance that payment will result in the decryption of the affected systems. This makes branding and reputation-building activities not peripheral but central to ransomware’s operational success.
This has largely been the case since ransomware really became professionalized in 2018-2019 (though you could argue that the professionalization started in 2016 with the Hollywood Presbyterian attack). Ransomware groups are filled with scummy bastards, absolute trash human beings who deserve the worst possible fates — sorry, I lost my train of thought for a second — but they are money-grubbing capitalist scummy bastards, so they will ensure their software works and your data won’t be leaked (though it most assuredly will NOT BE deleted) in order to get paid.
But it appears the ransomware trust paradox may be breaking down. According to multiple reports (and my own observation), despite the number of ransomware attacks generally being up in 2024 and 2025, the percentage of victims who pay a ransom and the size of those ransom payments have decreased. Now, ransomware analysis is never an exact science, and other organizations have reported an increase in ransom payments.
Why is it that after all this time victims are starting to wise up to the fact that you can’t trust ransomware groups? I think there are a few reasons:
1. The rise of the lone wolf ransomware actor. We are seeing more single ransomware actors who are not part of a group and therefore have not built up the reputation needed for trust.
2. If your data is encrypted, it is increasingly likely that the ransomware group-supplied decryptor will not work.
3. Law enforcement actions are having an impact. I think this has a lot to do with numbers 1 & 2. Big RaaS groups are becoming rarer as they make easy targets for law enforcement. This certainly drives many ransomware affiliates to strike out on their own, creating the conditions for the lone wolf actors, and lone wolf actors don’t have the resources to tweak and improve their decryptors, leading to number 2. Evidence of a lot of this can be found in the relative success we are seeing with “closed” RaaS groups like Akira and Qilin.
4. The switch to the “data exfiltration only” model may be driving some of this as well. In 2025, depending on your view, most ransomware attacks don’t involve encryption, only data exfiltration. This is certainly easier for the ransomware groups and can be just as devastating for some victims, but only some. Many organizations don’t feel the same urgency, or no urgency at all, to pay a ransom after a data leak, simply because there is so much leaked data available that their data is likely to be lost in the sea of leaks. This is a very cynical, but accurate, view.
As with any “ransomware trend,” things can change on a dime. Ransomware groups are always finding new ways to be scummy bastards and make money. So, I am not saying the ransomware trust paradox is completely dead, but it does seem to be on life support right now.
What do you think?