
Presuming this results in a cryptosystem change for Akira, there’s a real number of victims who won’t get their data back as a result of this disclosure.

Whether the number is more than that of victims to date who can recreate this? Who knows.



How would they get their data back if someone theoretically knows how to decrypt but never tells anyone?


I can’t remember the example (it was a conference talk a few years ago), but I’m pretty sure there are LE and DFIR companies who also reverse this stuff and assist in recovery; they just don’t publish the actual flaws exploited to recover the data.


Key being generated insecurely is hacking crypto systems 101. The mere fact someone can reverse it probably means this is the first thing to check.


It was already disclosed to the bad guys that someone managed to break their encryption, when they didn't get paid and they saw that the customer had somehow managed to recover their data. That probably meant they might go looking for weaknesses, or modify their encryption, even without this note.

Other victims whose data were encrypted by the same malware (before any updates) could benefit from this disclosure to try to recover their data.



