First, the ransomers have every incentive to actually abide by their promise to decrypt. In essence, they're running a business. Whereas in a kidnapping situation, ransoms are high, ransomers tend to stay anonymous, and risk is high, with ransomware the monetary amounts involved are low, the ransomers typically conduct their actions under an established pseudonym, and the risk in upholding their side of the bargain is low. If they were to not hold up their end of the bargain and it became known that "LeetSquad" doesn't actually decrypt data, victims would stop paying. This would be a disaster.
Furthermore, while it's correct that a victim who pays signals their ease of being shaken down, again, the economics of the situation work in the victim's favor. These attacks aren't targeted. Given an effectively endless supply of potentially-paying victims, direct targeting is unnecessary, wasted effort. And again, risk of reputational damage is high. For evidence, look no further than this FBI recommendation!
For further evidence, consider the fact that in practice, these groups overwhelmingly keep their promises and don't appear to specifically re-target previous victims. They even, no joke, have online support staff who will work with you in the event of difficulties unlocking your data!
I had the idea once that one way to combat these groups would be to run a PR and news campaign attempting to convince the general population that ransomware groups will take the money and run, and that they'll just come after you again. Even if it isn't true, a successful campaign might do some serious damage to their profit margins.