// Context
About This Negotiation
This transcript documents an Akira ransomware negotiation with a redacted victim organisation.
The negotiation consisted of 72 messages exchanged over an unknown period.
The initial ransom demand was $250,000. The final outcome is not confirmed in the transcript.
// Primary Source
Full Transcript — Verbatim
Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.
Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at
enquiries@binary-response.com — we will act promptly.
[Akira] — — Message 1/72
> Hello. You've reached an Akira support chat. Currently, we are preparing the list of data we took from your network. For now you have to know that dealing with us is the best possible way to settle this quick and cheap. Keep in touch and be patient with us. We will reach out to you soon.
Do you have a permission to conduct a negotiation on behalf of your organization?
[Akira] — — Message 2/72
> list.txt.7z // 3.97 MB
[Akira] — — Message 3/72
> These files were taken from your network prior to encryption. You can pick 2-3 random files from the list and we will upload them to this chat as a proof of possession. To prove that we can properly decrypt your data you can upload 2-3 encrypted files to our chat and we will upload decrypted copies back.
[Akira] — — Message 4/72
> Please let us know whether you are interested in keeping the incident confidential. Your silence will be evaluated as a negative response.
[Akira] — — Message 5/72
> You can find yourself in our news column: [REDACTED URL] If you want this post to be removed, we have to agree at something.
[Victim] — — Message 6/72
> We found your note on our computers. What do we do next?
[Akira] — — Message 7/72
> Hello. Can you see messages above?
[Victim] — — Message 8/72
> Yes. We have downloaded the list and are reviewing it now. If we are going to come to an agreement, please remove our name from your website.
[Akira] — — Message 9/72
> The post will be taken down after payment.
[Victim] — — Message 10/72
> Please send back the following files:
D:\[redacted].com\unpacked\T_Drive\Citrix\Applications\CommuniCap\[redacted]\WordDocs\[redacted]letter.doc
D:\[redacted].com\unpacked\T_Drive\clients\[redacted]\Client\Archive\[redacted].xls
D:\[redacted].com\unpacked\T_Drive\Images\[redacted]\Client\[redacted].pdf
[Akira] — — Message 11/72
> [redacted].pdf // 1.66 MB
[Akira] — — Message 12/72
> [redacted]letter.doc // 21.4 KB
[Akira] — — Message 13/72
> [redacted].xls // 26.4 KB
[Akira] — — Message 14/72
> Here are the files. Do you want to give us some files for a test decryption or we can move to payment details?
[Akira] — — Message 15/72
> Hello. Let us know if you are interested in this deal. If you don't answer us today, we will have to move to your data uploading to our blog.
[Victim] — — Message 16/72
> We are working on getting the sample files now. We want to resolve this with you and keep everything confidential, but we don’t know how this works. How much to resolve this?
[Akira] — — Message 17/72
> I will let you know shortly.
[Akira] — — Message 18/72
> So, we've gone through your files to define your financial abilities. We've been looking through your bank statements, net income, cyber liability limits, financial audits - all the info that might help us to calculate our demand to you. We're willing to set a $250,000 price for ALL the services we offer:
1) full decryption assistance;
2) evidence of data removal;
3) security report on vulnerabilities we found;
4) guarantees not to publish or sell your data;
5) guarantees not to attack you in the future.
Let me know whether you're interested in a whole deal or in parts. This will affect the final price.
[Akira] — — Message 19/72
> So, where the files?
[Akira] — — Message 20/72
> Hello. We will upload your data to our blog if we don't hear back from you by Monday.
[Victim] — — Message 21/72
> Thank you for your patience while we tried to get files to send. Can you decrypt these?
[Victim] — — Message 22/72
> akira files.zip // 16.1 KB
[Akira] — — Message 23/72
> We will upload them later.
[Akira] — — Message 24/72
> [redacted].msc // 65.7 KB
[Akira] — — Message 25/72
> [redacted].ps1 // 601 Bytes
[Akira] — — Message 26/72
> [redacted].ps1 // 915 Bytes
[Akira] — — Message 27/72
> [redacted].bat // 49 Bytes
[Akira] — — Message 28/72
> The files are decrypted. We need to move to payment details.
[Victim] — — Message 29/72
> Thank you for the files. We are reviewing our decryption needs and will reply soon.
[Akira] — — Message 30/72
> We are waiting for your reply today.
[Akira] — — Message 31/72
> Guys, your 600GB of data will be published soon, in case we don't have a reply from you within 12 hours.
[Victim] — — Message 32/72
> Providing you an update that we are still here and working to get you an answer. Please stand by.
[Akira] — — Message 33/72
> We hope so. We won't wait two more days.
[Akira] — — Message 34/72
> So what's your decision? We're almost done with uploading.
[Victim] — — Message 35/72
> Leadership has met, and we would like to explore negotiations and coming to an agreement on an amount. We are a small, private business and $250,000 is not a feasible amount for us to pay. We have very little capital, and we operate on loaned funds. Can you please bring your amount down somewhere closer to 5 digits? Our leadership is willing to pay.
[Akira] — — Message 36/72
> Please stop trying to fool us. Your business is able to pay the sum we ask. Show us an offer more than 5 digits and we will be able to settle this. We can move towards you and come down to $200,000.
[Victim] — — Message 37/72
> We appreciate your willingness to negotiate, and we want to be clear that we are not trying to fool you. Any and all funds in our accounts have been borrowed and is already expensed, meaning it does not belong to us. We would like to offer $90.000 based on what we believe we are able to pull together. We know this is lower than you expect, and please know we are truly doing our best to survive here. If we can pay this relatively quickly, would you accept this amount?
[Akira] — — Message 38/72
> We need 6 figure proposal from you to finalize the deal. We're willing to accept 170,000 for the data we hold.
[Victim] — — Message 39/72
> Thank you again for your continued willingness to work with us and understanding of our situation. 6-figures is difficult for us for the reasons we mentioned before. Let us see what we can do and we will provide you an update tomorrow or Tuesday. Can you confirm again what we receive if we pay you?
[Akira] — — Message 40/72
> Once we agree on a price and receive payment, you will receive:
1) full decryption assistance;
2) evidence of data removal;
3) security report on vulnerabilities we found;
4) guarantees not to publish or sell your data;
5) guarantees not to attack you in the future.
[Akira] — — Message 41/72
>
[Akira] — — Message 42/72
> Standing by for a decent proposal on your part.
[Victim] — — Message 43/72
> Our leadership met as a team over the weekend. They worked through all our options and were able to find $105,468. They have leveraged everything we have as a company. Please accept our offer, so that we can all move forward.
[Akira] — — Message 44/72
> Hello. We're willing to accept $110,000 as a final. Here is the BTC wallet ID for payment: [redacted]
[Victim] — — Message 45/72
> Thank you for your consideration. Our leadership is discussing now.
[Akira] — — Message 46/72
> Any progress?
[Akira] — — Message 47/72
> Well, your discussions take so much time. I am preparing your files for uploading to our blog. Tomorrow your data will be available for downloading.
[Victim] — — Message 48/72
> We agree to pay the $110,000 to wallet [redacted], but we need time to get the funds together and bitcoin purchased. We would also like assurance that we will receive the following:
[Victim] — — Message 49/72
> • Universal decryption tool and full decryption assistance.
[Victim] — — Message 50/72
> • Evidence that you destroyed all copies of our data.
[Victim] — — Message 51/72
> • Detailed security report about how you compromised our systems.
[Victim] — — Message 52/72
> • Removal of our name from your website and guarantee not to publish or sell data.
[Victim] — — Message 53/72
> • Guarantees not to attack us in the future.
[Akira] — — Message 54/72
> You will surely receive everything you stated above. When can we expect the transfer?
[Victim] — — Message 55/72
> We are heading into the weekend and need to work with our banks to get the funds. We can make the payment by early next week.
[Akira] — — Message 56/72
> Ok. We can wait until Monday. Update me on your steps.
[Akira] — — Message 57/72
> Any updates?
[Victim] — — Message 58/72
> Thank you for reaching out. We had some issues today with getting the money released by our bank. We fully intend to follow through with payment, but may need another day.
[Akira] — — Message 59/72
> You have 24 hours to sort this out. Otherwise, we will be forced to close this case.
[Akira] — — Message 60/72
> Hello. Checking on your status.
[Akira] — — Message 61/72
> We have received 0.00001 BTC. Standing by for the rest.
[Victim] — — Message 62/72
> Thank you. We are working on sending the remaining amount now.
[Victim] — — Message 63/72
> We have sent the payment. Please confirm you have received.
[Akira] — — Message 64/72
> We have received the funds, thank you. Please wait for all the promised materials.
[Akira] — — Message 65/72
> win_unlocker_[redacted].ex_ // 478 KB
[Akira] — — Message 66/72
> logs_erase.rar // 6.99 MB
[Akira] — — Message 67/72
> Initial access to your network was purchased on the dark web. Then kerberoasting was carried out and we got passwords hashes. Then we just bruted these and got domain admin password. Spending weeks inside of your network we've managed to detect some fails we highly recommend to eliminate:
1. None of your employees should open suspicious emails, suspicious links or download any files, much less run them on their computer.
2. Use strong passwords, change them as often as possible (1-2 times per month at least). Passwords should not match or be repeated on different resources.
3. Install 2FA wherever possible.
4. Use the latest versions of operating systems, as they are less vulnerable to attacks.
5. Update all software versions.
6. Use antivirus solutions and traffic monitoring tools.
7. Create a jump host for your VPN. Use unique credentials on it that differ from domain one.
8. Use backup software with cloud storage which supports a token key.
9. Instruct your employees as often as possible about online safety precautions. The most vulnerable point is the human factor and the irresponsibility of your employees, system administrators, etc.
We wish you safety, calmness and lots of benefits in the future. Thank you for working with us and your careful attitude to your security.
[Victim] — — Message 68/72
> Please send us instructions on how to use the decryptor.
[Victim] — — Message 69/72
> We have tried running it against some files and it isn't working.
[Akira] — — Message 70/72
> unlocker.exe -p="path_to_unlock"
unlocker.exe -s="C:\paths.txt"
where "paths.txt" is a list of paths for the decryptor, each path on a new line
[Victim] — — Message 71/72
> Please take our name off your website.
[Akira] — — Message 72/72
> The post has been removed.