// Context
About This Negotiation
This transcript documents a Akira ransomware negotiation with a redacted victim organisation.
The negotiation consisted of 37 messages exchanged over Unknown.
The initial ransom demand was $350,000. The final outcome is not confirmed in the transcript.
// Primary Source
Full Transcript — Verbatim
Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.
Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at
enquiries@binary-response.com — we will act promptly.
[Akira] — — Message 1/37
> Congratulations, you have passed a surprise information security audit and become a victim of ransomware. Currently, we are preparing the list of data we took from your network. For now you have to know that dealing with us is the best possible way to settle this quick and cheap. Keep in touch and be patient with us. We will reach out to you soon.
[Akira] — — Message 2/37
> list.7z // 493 KB
[Akira] — — Message 3/37
> These files were taken from your network prior to encryption. You can pick 2-3 random files from the list and we will upload them to this chat as a proof of possession. To prove that we can properly decrypt your data you can upload 2-3 encrypted files to our chat and we will upload decrypted copies back.
[Akira] — — Message 4/37
> We're looking through your files to calculate a fair demand to you. I will let you know the sum shortly. We offer:
1) full decryption assistance;
2) evidence of data removal;
3) security report on vulnerabilities we found;
4) guarantees not to publish or sell your data;
5) guarantees not to attack you in the future.
Let me know whether you're interested in a whole deal or in parts. This will affect the final price.
[Akira] — — Message 5/37
> In case we don't have a response form you, we will have to post your data in our blog.
[Victim] — — Message 6/37
> Hello, we're reviewing the list you sent us now.
[Akira] — — Message 7/37
> Ok. We are waiting for the files request tomorrow.
[Akira] — — Message 8/37
> Hello. Have you review the list?
[Victim] — — Message 9/37
> Hello, we are still reviewing the list at this time but will have those files over to you as soon as we finish. Is this list everything? We want to make sure prior to sending over our requests.
[Akira] — — Message 10/37
> Yes, this is everything.
[Akira] — — Message 11/37
> We're willing to set a $350,000 price for ALL the services we offer.
[Victim] — — Message 12/37
> You advised we could request some files from that list you sent. We would like to request the below: [redacted].xlsx [redacted]-2023.xlsx [redacted]23.docx
[Akira] — — Message 13/37
> [redacted]2023.xlsx // 336 KB
[Akira] — — Message 14/37
> [redacted].xlsx // 15.6 KB
[Akira] — — Message 15/37
> [redacted]23.docx // 1.84 MB
[Akira] — — Message 16/37
> Please review the files.
[Victim] — — Message 17/37
> Okay thank you we are reviewing these. We still need some time to review the entire listing itself and we are a bit worried about your price. I dont think we can afford the 350,000 and theres no guarantee you wont just take the money and run off. How are we supposed to trust this process?
[Akira] — — Message 18/37
> If we receive the payment within next 48 hours, we will provide you with a 20% discount.
After payment you will receive a deletion log which means the raid drives that contained the only copy of your data are fully formatted and erased. There is no need to deceive you since we value our reputation and you will find no case where we didn't honor an agreement.
If we fail to agree, we will not only publish your data but also notify all of your clients, partners, employees and so on. In some cases they will be guided on how to file a claim properly.
You will receive a security report that includes information about how we were able to penitrate your network, as well as exclusive first-hand information about the state of your network, the vulnerabilities that we found. What's more, you'll receive high-quality technical recommendations on eliminating any vulnerabilities and strengthening your network to secure your internal and external infrastructure. You will also receive written guarantees that we will not sell or publish your data, keep this conversation private, and delete this chat later. We won't come back for more money after payment and we won't attack you again.
[Victim] — — Message 19/37
> We understand and thank you for the information. We're already in the process of trying to find out exactly how much we can offer you, but it won't be close to the price you gave us. We'll update as soon as we can. I know you said you can unlock our files can we send some over to you? We have a few file types we are concerned with.
[Akira] — — Message 20/37
> To prove that we can properly decrypt your data you can upload 2-3 encrypted files up to 10 MB each to our chat and we will upload decrypted copies back. Our tool works on every system/file format. As for your upcoming proposal, we haven't talked about any discounts yet, so you're wrong since you have to get as close as possible to our initial demand to get this over. Thank you.
[Victim] — — Message 21/37
> A lot of our files are larger than 10mb, how do we know the decryption will work on those larger files? Also you are mentioning a discount, is this something you can do for us? We will work on getting the files sent over to you but are concerned we cannot sent anything less than 10mb.
[Akira] — — Message 22/37
> You can provide us with one of larger than 10MB. No one is going to deceive you.
[Victim] — — Message 23/37
> Ok thank you, we are working on it. We will upload this once we have it, I just need to discuss with the others which ones we can send.
[Akira] — — Message 24/37
> Please speed things up on your part. No one is interested in dragging this out.
[Victim] — — Message 25/37
> [redacted].dwg // 10.4 MB
[Victim] — — Message 26/37
> [redacted].pdf // 2.39 MB
[Akira] — — Message 27/37
> Please wait for them decrypted.
[Akira] — — Message 28/37
> Please send us the correct files. We do not see any signs of our tool.
[Victim] — — Message 29/37
> These came from the machines you locked and you said this tool was going to work. This is a little concerning, but let me have our IT grab some more files to send you.
[Akira] — — Message 30/37
> My tech dept has checked those files and they're not encrypted, so please send us correct files asap.
[Victim] — — Message 31/37
> Please try what I'm attaching now to the chat
[Victim] — — Message 32/37
> EncryptedSample[redacted].zip // 9.18 MB
[Akira] — — Message 33/37
> We will try.
[Victim] — — Message 34/37
> Just checking out what's going on? Waiting your response.
[Akira] — — Message 35/37
> Please wait.
[Victim] — — Message 36/37
> Hello? Are you still there? We are awaiting the files.
[Akira] — — Message 37/37
> Hello. We're here. I've asked my tech dept about this.