Akira Ransomware Negotiation — Redacted Organisation

Messages: 80
Duration: Unknown
Initial Demand: $165,000
Outcome: Paid

About This Negotiation

This transcript documents an Akira ransomware negotiation with a redacted victim organisation. The negotiation consisted of 80 messages exchanged over an unknown duration.

The initial ransom demand was $165,000. The negotiation resulted in a confirmed payment.

Full Transcript — Verbatim

Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.

Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
[Victim] — — Message 1/80
> I'm here what do you want?
[Victim] — — Message 2/80
> Im here
[Victim] — — Message 3/80
> hey
[Akira] — — Message 4/80
> Hello. You've reached an Akira support chat. Currently, we are preparing the list of data we took from your network. For now you have to know that dealing with us is the best possible way to settle this quick and cheap. Keep in touch and be patient with us. We will reach out to you soon. Do you have a permission to conduct a negotiation on behalf of your organization?
[Victim] — — Message 5/80
> Yes I can negotiate but dont have to the ability to approve $$ amounts
[Victim] — — Message 6/80
> And I will keep in touch
[Akira] — — Message 7/80
> We will provide all the deal terms during this day. Please be in touch.
[Akira] — — Message 8/80
> list.zip // 2.84 MB
[Akira] — — Message 9/80
> These files were taken from your network prior to encryption. You can pick 2-3 random files from the list and we will upload them to this chat as a proof of possession. To prove that we can properly decrypt your data you can upload 2-3 encrypted files to our chat and we will upload decrypted copies back. We're looking through your financial papers to come up with a reasonable demand to you. We offer: 1) full decryption assistance; 2) evidence of data removal; 3) security report on vulnerabilities we found; 4) guarantees not to publish or sell your data; 5) guarantees not to attack you in the future. Let me know whether you're interested in a whole deal or in parts. This will affect the final price. If we don't get a respond within next 24 hours, we will be forced to announce your corporate data leak on our blog.
[Victim] — — Message 10/80
> I have downloaded the file list and will review it with the team
[Akira] — — Message 11/80
> Meanwhile, we will come up with a fair demand to you.
[Akira] — — Message 12/80
> So, we've gone through your files to define your financial abilities. We've been looking through your bank statements, net income, cyber liability limits, financial audits - all the info that might help us to calculate our demand to you. We're willing to set a $165,000 price for ALL the services we offer: 1) full decryption assistance; 2) evidence of data removal; 3) security report on vulnerabilities we found; 4) guarantees not to publish or sell your data; 5) guarantees not to attack you in the future. Let me know whether you're interested in a whole deal or in parts. This will affect the final price.
[Victim] — — Message 13/80
> Thanks for the detail. I'm working on getting those files 2-3 files to decrypt and should have them tomorrow, but I have to travel in the morning but should have them by the time I land Talk to you tomorrow
[Akira] — — Message 14/80
> We're standing by, thanks.
[Victim] — — Message 15/80
> [redacted].txt.akira // 26.8 KB
[Victim] — — Message 16/80
> [redacted].xml.akira // 866 Bytes
[Victim] — — Message 17/80
> Sorry for the delay, here are two files, We are working on identifying file from the list to provide us.
[Akira] — — Message 18/80
> We will upload the decrypted copies soon.
[Akira] — — Message 19/80
> [redacted].txt // 26.3 KB
[Akira] — — Message 20/80
> [redacted].xml // 324 Bytes
[Victim] — — Message 21/80
> Got them thanks, I'll have the files we want soon
[Akira] — — Message 22/80
> Standing by.
[Akira] — — Message 23/80
> How long should we wait?
[Victim] — — Message 24/80
> Capture4.JPG // 33.5 KB
[Victim] — — Message 25/80
> Capture5.JPG // 43 KB
[Victim] — — Message 26/80
> Capture6.JPG // 32.3 KB
[Victim] — — Message 27/80
> Here are three files we would like for you to provide.
[Akira] — — Message 28/80
> We will upload the files shortly.
[Akira] — — Message 29/80
> [redacted] Corporation.pdf // 389 KB
[Akira] — — Message 30/80
> [redacted].pdf // 107 KB
[Akira] — — Message 31/80
> [redacted].pdf // 235 KB
[Akira] — — Message 32/80
> Have you reviewed the files?
[Victim] — — Message 33/80
> I'm downloading them now TY for getting these so quick. Let me get these back to the team.
[Akira] — — Message 34/80
> Let us know when you have reviewed the files and are ready to proceed.
[Victim] — — Message 35/80
> I forgot to mention that today and tomorrow are a major holiday in the US and most of leadership is gone till Wednesday. Some of us like me still have to work but can we pick this up wednesday?
[Akira] — — Message 36/80
> We are well aware of the holiday. Thank you. Yes, you can. But time's ticking.
[Akira] — — Message 37/80
> Hello. We're going to publish your data this week. Thank you.
[Akira] — — Message 38/80
> You can find yourself in our news column: [REDACTED URL] If you want this post to be removed, we have to agree at something.
[Victim] — — Message 39/80
> I see that you did post us on the site, how much time do we have before you publish?
[Victim] — — Message 40/80
> The reason we ask is your demand is too high for us pay
[Akira] — — Message 41/80
> The publishing will take 1-2 days. Have you managed to gather something to offer us?
[Victim] — — Message 42/80
> Are you saying your willing to negotiate a lower price then?
[Akira] — — Message 43/80
> It depends on the amount you can offer us at the moment.
[Victim] — — Message 44/80
> We think we can muster about $23K to $25k in short time.
[Akira] — — Message 45/80
> No way. We won't accept anything lower than $100k.
[Victim] — — Message 46/80
> Hmmm that still to rich for us, let me see what we can counter offer Brb
[Akira] — — Message 47/80
> We are waiting.
[Victim] — — Message 48/80
> Since you posted us on your shame site, you have already caused damage to us and we have ambulance chasers and client calling so we cant put the genie back in the bottle. I counter offer with $38K.
[Akira] — — Message 49/80
> You know our price. What you are offering is unacceptable. If you have no intentions to save your data, we will upload it to our blog.
[Victim] — — Message 50/80
> We must have missed a step, We have no need for your decryptor. But we dont want our data posted either if we can afford it but not at your current demand
[Akira] — — Message 51/80
> I see. We can delete your data for $80,000. Not less. After we are paid, we will provide you with the deletion log file.
[Victim] — — Message 52/80
> We do appreciate your willingness to work with us, we can offer $59K USD. If you agree we can make payment promptly and if you can provide a BTC wallet we can work on getting money moved to pay that wallet
[Akira] — — Message 53/80
> I've discussed with my management. We can accept $75,000. This is final. Do you need our btc wallet?
[Victim] — — Message 54/80
> OK let me confirm with the team brb
[Victim] — — Message 55/80
> Please provide the BTC wallet
[Akira] — — Message 56/80
> We will provide you soon.
[Akira] — — Message 57/80
> Here it is: [redacted]
[Akira] — — Message 58/80
> How soon can you make a transfer?
[Victim] — — Message 59/80
> I have to clear the wallet id to make sure I can pay it so I've been told. Then I can give you a better answer, but were trying for early next week payment
[Akira] — — Message 60/80
> Ok
[Victim] — — Message 61/80
> ok we are getting closer Here is the agreement
[Victim] — — Message 62/80
> We will pay $75,000 to BTC Wallet [redacted] in exchange for taking us off your website, not publish or share our data with anyone, remove any social media reference about us, delete our data and show us proof you deleted the data, identify how you got into our network and never attack us again
[Victim] — — Message 63/80
> You agree?
[Akira] — — Message 64/80
> We do confirm the terms.
[Victim] — — Message 65/80
> Can you confirm payment was made?
[Victim] — — Message 66/80
> Please provide us with what you agreed to and we can complete this deal
[Victim] — — Message 67/80
> I still see us on your shame site
[Akira] — — Message 68/80
> Payment received.
[Akira] — — Message 69/80
> The post deleted.
[Akira] — — Message 70/80
> We will provide you with the report and the deletion log within 24 hours.
[Akira] — — Message 71/80
> Initial access to your network was purchased on the dark web. Spending weeks inside of your network we've managed to detect some fails we highly recommend to eliminate: 1. None of your employees should open suspicious emails, suspicious links or download any files, much less run them on their computer. 2. Use strong passwords, change them as often as possible (1-2 times per month at least). Passwords should not match or be repeated on different resources. 3. Install 2FA wherever possible. 4. Use the latest versions of operating systems, as they are less vulnerable to attacks. 5. Update all software versions. 6. Use antivirus solutions and traffic monitoring tools. 7. Create a jump host for your VPN. Use unique credentials on it that differ from domain one. 8. Use backup software with cloud storage which supports a token key. 9. Instruct your employees as often as possible about online safety precautions. The most vulnerable point is the human factor and the irresponsibility of your employees, system administrators, etc. We wish you safety, calmness and lots of benefits in the future. Thank you for working with us and your careful attitude to your security. The deletion log is coming later.
[Victim] — — Message 72/80
> Thanks for this I'll check in later for deletion proof
[Akira] — — Message 73/80
> Sure. We will upload it soon.
[Victim] — — Message 74/80
> Hey Its been several days since we made payment, can we get this completed today?
[Akira] — — Message 75/80
> Hello. I think we can. I'll try to provide you with the log within a few hours.
[Victim] — — Message 76/80
> ok ty
[Akira] — — Message 77/80
> log_erase.7z // 327 KB
[Akira] — — Message 78/80
> Here it is finally!
[Victim] — — Message 79/80
> thanks
[Akira] — — Message 80/80
> You're welcome.
