Akira Ransomware Negotiation — Redacted Organisation

Messages: 84
Duration: Unknown (no timestamps preserved)
Initial Demand: $2.0M
Outcome: $1.0M paid, per the transcript

About This Negotiation

This transcript documents an Akira ransomware negotiation with a redacted victim organisation. The negotiation consisted of 84 messages; the archive preserves no timestamps, so its duration is unknown.

The initial ransom demand was $2.0M, raised to $2.4M when Akira said it also held data from two further companies. The transcript shows the victim offering $800k, Akira countering at $1.4M, and a $1,000,000 payment being agreed. Akira acknowledges receipt of the bitcoin and then delivers a decryptor, a short security report and an archive it describes as deletion logs.

Full Transcript — Verbatim

Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.

Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
[Victim] — — Message 1/84
> Hello
[Akira] — — Message 2/84
> Hello. You've reached Akira support chat. Currently, we are preparing the list of data we took from your network. For now you have to know that dealing with us is the best possible way to settle this quick and cheap. Keep in touch and be patient with us. We will reach out to you soon. Do you have permission to conduct a negotiation on behalf of your organization?
[Victim] — — Message 3/84
> yes i do have permission
[Akira] — — Message 4/84
> Ok, thank you. I will get back shortly with more information.
[Victim] — — Message 5/84
> ok, We are here waiting.
[Akira] — — Message 6/84
> We have to inform you that we are experiencing technical issues at the moment. All the details will be provided by Monday at the latest. Our deepest apologies. Meanwhile, to prove that we can properly decrypt your data you can upload 2-3 encrypted files to our chat and we will upload decrypted copies back. We offer: 1) full decryption assistance; 2) evidence of data removal; 3) security report on vulnerabilities we found; 4) guarantees not to publish or sell your data; 5) guarantees not to attack you in the future. Let me know whether you're interested in a whole deal or in parts. This will affect the final price.
[Victim] — — Message 7/84
> ok, will get those files for you. what is the amount you are asking?
[Akira] — — Message 8/84
> List.txt // 9.56 MB
[Akira] — — Message 9/84
> This is the list of files of [redacted] company. We are working on transporting files of the rest of the companies and will provide you with the lists for them soon. We're willing to set a $2,000,000 price for all the services we offer.
[Victim] — — Message 10/84
> ok, thank you.
[Victim] — — Message 11/84
> hi, when can we expect to receive the additional lists?
[Akira] — — Message 12/84
> In a few hours.
[Akira] — — Message 13/84
> [redacted]_full_listing.rar // 1.46 MB
[Akira] — — Message 14/84
> This is everything we hold.
[Akira] — — Message 15/84
> Given the fact that we hold data of two more companies, we've reconsidered the price for the full deal - $2,400,000. Let us know whether you are interested in a test decryption or files for proof. In case of quick payment we can make a discount.
[Victim] — — Message 16/84
> pulling down the listings now. appreciate your patience.
[Akira] — — Message 17/84
> Let us know if you are interested in a test decryption and proof files. Waiting for your answer tomorrow.
[Victim] — — Message 18/84
> ok, we are working on your requests. Please allow us some time to review the file listing and send requested files.
[Akira] — — Message 19/84
> Please keep in mind that tight cooperation with us often leads to a more positive end of a deal.
[Akira] — — Message 20/84
> We are waiting for your decision today.
[Victim] — — Message 21/84
> We are looking through all the file listings you gave us. We will get you some files soon. appreciate your patience.
[Akira] — — Message 22/84
> Do not forget about files for the test decryption, if you need it.
[Victim] — — Message 23/84
> Definitely appreciate your patience. My team is highly stressed due to the incident, and are working to get you the files as soon as possible.
[Akira] — — Message 24/84
> Speed things up on your part and nothing bad will happen.
[Victim] — — Message 25/84
> ok noted, will make sure to pass this information along to my boss.
[Akira] — — Message 26/84
> If we don't get your decision within next 24 hours, we will be forced to announce your corporate data leak on our blog.
[Victim] — — Message 27/84
> [redacted].edi.[redacted] // 793 Bytes
[Victim] — — Message 28/84
> [redacted].edi.[redacted] // 1.42 KB
[Victim] — — Message 29/84
> [redacted].edi.[redacted] // 23.4 KB
[Victim] — — Message 30/84
> [redacted].csv.[redacted] // 74.8 KB
[Victim] — — Message 31/84
> [redacted].csv.[redacted] // 1.1 KB
[Victim] — — Message 32/84
> Definitely appreciate your patience and working with us. We have almost completed going through the file listing and will provide you files soon. While we finish that, can you please decrypt these files.
[Akira] — — Message 33/84
> Yes, I've passed the files to my tech dept. Please wait.
[Akira] — — Message 34/84
> files.zip // 14.8 KB
[Akira] — — Message 35/84
> Here they are. Please check.
[Victim] — — Message 36/84
> thanks, pulling these down for review. will provide an update when we can.
[Akira] — — Message 37/84
> We have to close the deal this week. Are you in time?
[Victim] — — Message 38/84
> We are working as fast as we can. we really appreciate your patience with us during all of this. After reviewing the file listings can you provide the following files please.
[Victim] — — Message 39/84
> Backlog detail 2021.xlsx, [redacted] Rate 10.24-10.28.22.xlsx, Keywords.xlsx, [redacted] Inspection Log 2023.xlsx, img20230508_[redacted].pdf, [redacted] Tax Codes.pdf, Interest Payment [redacted].pdf, Sales Service Agreement.docx, Annual Refiling Survey [redacted].pdf, [redacted] - Aug Insurance Exp [redacted].xls, [redacted] - Accrue Deprec for [redacted].xls, [redacted] - Clear Obsolete Inventory [redacted].xls, [redacted] - Loss on Sale & Liquidation of Assets [redacted].xls, [redacted].xls, [redacted].PDF, [redacted] Tests.xlsx, [redacted].PDF, [redacted].PDF
[Akira] — — Message 40/84
> Too many files but ok. We will provide shortly. Meanwhile, how's it going with fund gathering?
[Akira] — — Message 41/84
> [redacted].rar // 3.12 MB
[Akira] — — Message 42/84
> You can review the files.
[Victim] — — Message 43/84
> When reviewing the decrypted files you sent back, we noticed that 2 of them are not what we expected to see as they came back with some empty fields. Can you please decrypt the attached files again and send it back to us so we are able to confirm the decryptability. Appreciate you working with us.
[Victim] — — Message 44/84
> [redacted].csv.[redacted] // 74.8 KB
[Victim] — — Message 45/84
> [redacted].csv.[redacted] // 1.1 KB
[Akira] — — Message 46/84
> We will check but we actually have some doubts that they are corrupted. If it is an attempt to win more time, nothing good will happen. Please wait.
[Akira] — — Message 47/84
> The files are ok. In 24 hours we will announce your corporate data leak on our blog. Early next week your data will be published. Thank you.
[Victim] — — Message 48/84
> We are not stalling for time, we are wanting to make sure that the decryption process brings back the data in its entirety. For the 2 files we are asking about, it appears that fields were dropped off at the end of the files.
[Akira] — — Message 49/84
> I'll ask to double check but bear in mind that we are posting you in our blog tomorrow if there is no payment decision from you.
[Victim] — — Message 50/84
> We had very good backups and only about 1/4 of our data is encrypted now. We have approval to pay you $800k tomorrow for decryptors, proof of data deletion, and security audit report. Leaking our name will make our ability to pay much harder. Please accept so we can put this behind us.
[Akira] — — Message 51/84
> We appreciate this offer but all we can do is to give you 20% discount in such circumstances.
[Akira] — — Message 52/84
> I have very good news. I was talking to the upper management and they are willing to accept $1.4M today for all the outlined options. On Monday we will have to return to our previous demand. Do we have a deal now?
[Akira] — — Message 53/84
> So, I passed your request regarding those files to the tech department. After decryption these same files were increased in size and then re-encrypted. After decryption, the files remained the same size, which means that our decryptor absolutely works correctly. It also means that you tried to play unfairly and gain more time. We also doubt your stories about "good backups". Based on all of the above, our offer of $1.4 million when paid today still stands, but we will not accept anything below $2 million on Monday. If you refuse and break the deal, we will simply publish your stuff and forget about you.
[Victim] — — Message 54/84
> Thank you so much for working with us. In good faith we are going to reveal to you that we only have $1,000,000 to work with. We can pay you all of that today. To get any more will be very hard and take many more days. Please accept $1 million and we will get that to you today
[Akira] — — Message 55/84
> Please wait.
[Akira] — — Message 56/84
> Ok, the leadership has approved that number. Here is a BTC wallet ID for payment: [redacted]
[Akira] — — Message 57/84
> How soon are you able to make a transfer?
[Victim] — — Message 58/84
> We are wiring the money to a broker now. They say a couple hours
[Akira] — — Message 59/84
> Ok, standing by.
[Victim] — — Message 60/84
> To confirm we pay you $1,000,000, and you will deliver whole network decryptors for linux, and windows, promise to not publish or sell our data, provide proof of deletion, and a security audit report?
[Akira] — — Message 61/84
> We do confirm the terms.
[Victim] — — Message 62/84
> and guarantees not to attack us in the future
[Akira] — — Message 63/84
> Sure.
[Victim] — — Message 64/84
> thank you. sending bitcoin shortly
[Akira] — — Message 65/84
> Standing by.
[Victim] — — Message 66/84
> We just sent a test transaction. Please verify and we will send the rest
[Victim] — — Message 67/84
> Test transaction confirmed on blockchain. Please verify
[Victim] — — Message 68/84
> Hello?
[Victim] — — Message 69/84
> We will be back in east coast usa morning to send you the rest
[Akira] — — Message 70/84
> Hello. We have received 0.0001 BTC.
[Victim] — — Message 71/84
> Thank you. Are you ready to receive the rest?
[Victim] — — Message 72/84
> sending the rest
[Victim] — — Message 73/84
> Coin sent. Txid: [redacted]
[Akira] — — Message 74/84
> We have received, thank you. Please wait for the decryptor first.
[Akira] — — Message 75/84
> We will provide everything within 24 hours. Thank you for your patience.
[Victim] — — Message 76/84
> Thank you for update. We will continue to nervously wait
[Victim] — — Message 77/84
> Just checking. Please provide what you promised soon
[Akira] — — Message 78/84
> decrypt.zip // 479 KB
[Akira] — — Message 79/84
> decrypt.exe
> Name: decrypt
> Usage: cli args
> Flags:
> --path : Start path
> --secret : Private key
> --logs : Print logs. Valid values for: trace, debug, error, info, warn. Default: off
> -h, --help : Show help
> -----------------------------------------------------------
> Build information:
> Version: 2023.9.5
> SECRET KEY: "[redacted]"
> -----------------------------------------------------------
> decrypt.exe --path --secret : Private key --logs
> ----
> decrypt.exe --path C:\ --secret [redacted] --logs trace
> decrypt.exe --secret [redacted] --logs trace
[Victim] — — Message 80/84
> thank you we are working on this now. can you provide a security report or how you got in and what we need to do better?
[Akira] — — Message 81/84
> Initial access to your network was purchased on the dark web. Then kerberoasting was carried out and we got password hashes. Then we just bruted these and got the domain admin password. Spending weeks inside of your network we've managed to detect some fails we highly recommend to eliminate:
> 1. None of your employees should open suspicious emails, suspicious links or download any files, much less run them on their computer.
> 2. Use strong passwords, change them as often as possible (1-2 times per month at least). Passwords should not match or be repeated on different resources.
> 3. Install 2FA wherever possible.
> 4. Use the latest versions of operating systems, as they are less vulnerable to attacks.
> 5. Update all software versions.
> 6. Use antivirus solutions and traffic monitoring tools.
> 7. Create a jump host for your VPN. Use unique credentials on it that differ from domain ones.
> 8. Use backup software with cloud storage which supports a token key.
> 9. Instruct your employees as often as possible about online safety precautions.
> The most vulnerable point is the human factor and the irresponsibility of your employees, system administrators, etc. We wish you safety, calmness and lots of benefits in the future. Thank you for working with us and your careful attitude to your security. The evidence of data removal will be provided soon.
[Victim] — — Message 82/84
> Thank you. We wait for proof of deletion.
[Akira] — — Message 83/84
> [redacted] dellogs.rar // 524 KB
[Akira] — — Message 84/84
> There are three files in the archive.

Analyst Observations
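The security report in message 81 describes the intrusion path as purchased access, then Kerberoasting, then offline cracking of the resulting hashes, then a domain admin password. The block below is an added example, not part of Casualtek's archive and not this site's own analysis, of what a detection for the Kerberoasting step looks like: it scans Windows Security Event ID 4769 (Kerberos service ticket request) records for one account pulling RC4- or DES-encrypted service tickets for several distinct service accounts within a short window, which is the burst shape roasting tools produce. The key=value log lines, the account, host and IP names, and the window and threshold values are all constructed assumptions.

```python
"""Flag a Kerberoasting pattern in Windows Security Event ID 4769 records.

Added example, not from the archived transcript. Event lines are a
constructed key=value rendering of the 4769 fields a SIEM would export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Ticket encryption types a Kerberoasting tool typically asks for so the
# resulting TGS can be cracked offline: RC4-HMAC (0x17), RC4-HMAC-EXP (0x18),
# DES-CBC-CRC (0x1), DES-CBC-MD5 (0x3). AES (0x11, 0x12) is not flagged.
WEAK_ETYPES = {"0x17", "0x18", "0x1", "0x3"}

# Constructed sample records, not real logs. One requester (jdoe) pulls RC4
# tickets for four distinct service accounts inside a few seconds; the other
# requesters show AES use or a single legacy RC4 request, which stays quiet.
SAMPLE_4769 = [
    "2023-09-05T02:14:01 EventID=4769 TargetUserName=jdoe@CORP.EXAMPLE ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=10.0.5.23",
    "2023-09-05T02:14:02 EventID=4769 TargetUserName=jdoe@CORP.EXAMPLE ServiceName=WS01$ TicketEncryptionType=0x17 IpAddress=10.0.5.23",
    "2023-09-05T02:14:02 EventID=4769 TargetUserName=jdoe@CORP.EXAMPLE ServiceName=svc_web TicketEncryptionType=0x17 IpAddress=10.0.5.23",
    "2023-09-05T02:14:03 EventID=4769 TargetUserName=jdoe@CORP.EXAMPLE ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=10.0.5.23",
    "2023-09-05T02:14:03 EventID=4769 TargetUserName=jdoe@CORP.EXAMPLE ServiceName=svc_sccm TicketEncryptionType=0x17 IpAddress=10.0.5.23",
    "2023-09-05T02:20:00 EventID=4769 TargetUserName=asmith@CORP.EXAMPLE ServiceName=svc_sql TicketEncryptionType=0x12 IpAddress=10.0.7.9",
    "2023-09-05T03:05:10 EventID=4769 TargetUserName=legacyapp@CORP.EXAMPLE ServiceName=svc_print TicketEncryptionType=0x17 IpAddress=10.0.9.4",
    "2023-09-05T03:05:11 EventID=4769 TargetUserName=legacyapp@CORP.EXAMPLE ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.0.9.4",
]


def parse_4769(line):
    """Split '<iso-timestamp> key=value ...' into a dict with a datetime 'ts'."""
    ts_text, _, rest = line.partition(" ")
    fields = dict(token.split("=", 1) for token in rest.split())
    fields["ts"] = datetime.fromisoformat(ts_text)
    return fields


def find_kerberoasting(lines, window=timedelta(minutes=5), min_services=3):
    """Return one finding per (requester, source IP) that requested weak-etype
    service tickets for at least `min_services` distinct service accounts
    within `window`. Machine accounts (name ends in '$') and krbtgt are
    skipped: roasting targets user-held service accounts, so they only add noise."""
    requests = defaultdict(list)  # (user, ip) -> [(ts, service account)]
    for line in lines:
        ev = parse_4769(line)
        if ev.get("EventID") != "4769":
            continue
        if ev.get("TicketEncryptionType", "").lower() not in WEAK_ETYPES:
            continue
        service = ev.get("ServiceName", "")
        if service.endswith("$") or service.lower() == "krbtgt":
            continue
        requests[(ev["TargetUserName"], ev["IpAddress"])].append((ev["ts"], service))

    findings = []
    for (user, ip), reqs in requests.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            # Distinct service accounts hit from this request onward, inside the window.
            services = {svc for ts, svc in reqs[i:] if ts - start <= window}
            if len(services) >= min_services:
                findings.append({
                    "user": user,
                    "ip": ip,
                    "first_seen": start.isoformat(),
                    "services": sorted(services),
                })
                break  # one finding per source is enough for triage
    return findings


if __name__ == "__main__":
    for f in find_kerberoasting(SAMPLE_4769):
        print(f"{f['user']} from {f['ip']} requested weak tickets for "
              f"{len(f['services'])} service accounts from {f['first_seen']}: "
              f"{', '.join(f['services'])}")
```

The burst threshold is what keeps a single legacy client that still negotiates RC4 for one service out of the results; the RC4 filter itself becomes far stronger once service accounts are restricted to AES via msDS-SupportedEncryptionTypes, because any RC4 ticket request for them is then anomalous on its own. A roast of one high-value SPN will slip under this logic, so pair it with a review of which service accounts have SPNs and weak, long-lived passwords, which is exactly the account class the attacker says it cracked.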

Facing a Ransomware Demand?

Whether you choose to negotiate or refuse — having specialists in the room changes the outcome.