// Context
About This Negotiation
This transcript documents an Akira ransomware negotiation with a redacted victim organisation.
The negotiation consisted of 58 messages exchanged over an unknown period.
The initial ransom demand was $300,000. The final outcome is not confirmed in the transcript.
// Primary Source
Full Transcript — Verbatim
Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.
Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
[Victim] — — Message 1/58
> now what?
[Akira] — — Message 2/58
> Hello. You've reached an Akira support chat. Currently, we are preparing the list of data we took from your network. For now you have to know that dealing with us is the best possible way to settle this quick and cheap. Keep in touch and be patient with us. We will reach out to you soon. Do you have permission to conduct a negotiation on behalf of your organization?
[Victim] — — Message 3/58
> you took data? what, like you took files?
[Akira] — — Message 4/58
> list.rar // 375 KB
[Akira] — — Message 5/58
> These files were taken from your network prior to encryption. You can pick 2-3 random files from the list and we will upload them to this chat as a proof of possession. To prove that we can properly decrypt your data you can upload 2-3 encrypted files to our chat and we will upload decrypted copies back.
[Victim] — — Message 6/58
> We have to pay too, yes?
[Akira] — — Message 7/58
> Surely.
[Victim] — — Message 8/58
> ok. what is the price? what do we get in return?
[Akira] — — Message 9/58
> After payment you will receive a decryptor for each of your systems and manual on how to use it for particular file/system. You will receive a deletion log which means the raid drives that contained the only copy of your data are fully formatted and erased. You will receive a security report that includes information about how we were able to penetrate your network, as well as exclusive first-hand information about the state of your network, the vulnerabilities that we found. What's more, you'll receive high-quality technical recommendations on eliminating any vulnerabilities and strengthening your network to secure your internal and external infrastructure. You will also receive written guarantees that we will not sell or publish your data, keep this conversation private, and delete this chat later. We won't come back for more money after payment and we won't attack you again.
> I will let you know the price shortly, we're reviewing your financial papers to come up with a reasonable demand to you.
[Akira] — — Message 10/58
> So, we've gone through your files to define your financial abilities. We're willing to set a $300,000 price for ALL the services we offer:
> 1) full decryption assistance;
> 2) evidence of data removal;
> 3) security report on vulnerabilities we found;
> 4) guarantees not to publish or sell your data;
> 5) guarantees not to attack you in the future.
> Let me know whether you're interested in a whole deal or in parts.
[Victim] — — Message 11/58
> Any chance you would share the password for our VCenter? We fear the hardware has now been damaged
[Akira] — — Message 12/58
> We didn't change the password for your VCenter.
[Victim] — — Message 13/58
> well.. our creds do not work.. something is broke
[Akira] — — Message 14/58
> Your VCenter was in the quality of a virtual machine on one of the ESXi servers. All VMs on this ESXi have been encrypted so you can't login to your VCenter. After payment you will be able to access any of your data/servers.
[Victim] — — Message 15/58
> so the host password was changed?
[Victim] — — Message 16/58
> VMs are encrypted or deleted?
[Akira] — — Message 17/58
> Encrypted for sure.
[Akira] — — Message 18/58
> The host password was changed, correct. You will get the pass after payment.
[Victim] — — Message 19/58
> we need to know if the VMs are intact before we pay please...thus need limited access to the host
[Akira] — — Message 20/58
> We can't provide, sorry. All we can offer you is to choose 2-3 encrypted files and upload them to our chat so we can upload decrypted copies back for you to be calm.
[Victim] — — Message 21/58
> OK, I'm not sure we will want to pay anything if we can't validate that the VMs are just encrypted vs. deleted or harmed in some other way. thanks
[Victim] — — Message 22/58
> [redacted].jpg
[Victim] — — Message 23/58
> [redacted]
[Victim] — — Message 24/58
> [redacted].docx
[Akira] — — Message 25/58
> We will provide these files soon. Also will you upload files for decryption?
[Akira] — — Message 26/58
> [redacted]files.rar // 1.28 MB
[Victim] — — Message 27/58
> what is the breakdown of pricing for the services--if we decide to pay?
[Akira] — — Message 28/58
> Full decryption assistance costs 150k in your case, the evidence of data removal is 125k and the security report is 25k. All the guarantees are coming as a default.
[Victim] — — Message 29/58
> ok
[Akira] — — Message 30/58
> We need your decision.
[Akira] — — Message 31/58
> We will put your name on our blog today.
[Victim] — — Message 32/58
> as part of the local government, these decisions take everyone getting involved. This means things move slow
[Akira] — — Message 33/58
> So everyone involved needs to hurry up. We won't wait long.
[Victim] — — Message 34/58
> What is your best price ?
[Akira] — — Message 35/58
> For the whole deal?
[Victim] — — Message 36/58
> yes. we are interested in the whole deal.
[Akira] — — Message 37/58
> We would accept $250,000.
[Victim] — — Message 38/58
> OK. I will share your offer with the board tonight or in the AM. Thanks
[Akira] — — Message 39/58
> Hurry up on your part please.
[Victim] — — Message 40/58
> Our board is at this level of approval: $137,000 - Monies over this amount have other local regulatory hurdles.
[Akira] — — Message 41/58
> We will discuss internally.
[Akira] — — Message 42/58
> The management has decided to accept your offer. I will provide you with a btc wallet ID shortly.
[Akira] — — Message 43/58
> Here it is: [redacted]
> We expect to get payment within next 24 hours.
[Victim] — — Message 44/58
> 24 hrs. yikes! we will do our best. thanks
[Akira] — — Message 45/58
> We believe in you.
[Victim] — — Message 46/58
> They said Monday is the soonest they can pay.
[Akira] — — Message 47/58
> We will wait.
[Akira] — — Message 48/58
> It is already Tuesday. If we don't receive payment within 24 hours, you will see your name in our blog. Your data will be uploaded before the weekend this way.
[Akira] — — Message 49/58
> You can find yourself in our news column: [REDACTED URL] If you want this post to be removed, we have to agree at something.
[Victim] — — Message 50/58
> We can't gather funds as quickly as you like. Now that you have let everyone know it will be even more difficult to get funds. Why did you do this???
[Akira] — — Message 51/58
> We can't read your thoughts. You left us almost 10 days ago and haven't dropped a word. Hurry up on your end. The post will be taken down immediately after payment.
[Victim] — — Message 52/58
> Is the btc wallet still good to use?
[Akira] — — Message 53/58
> Hello. Sure, you can use it.
[Akira] — — Message 54/58
> When will we see the transfer? We won't be waiting for another week. We either publish your data prior to weekend or receive the payment and get this over.
[Victim] — — Message 55/58
> where is the best/proper place to purchase bitcoin?
[Akira] — — Message 56/58
> C'mon guys. If you really wanted to pay, you would have done so a couple of weeks ago. Don't waste our time, please leave this chat. We absolutely do not care about this modest amount, so your data will be published soon.
[Victim] — — Message 57/58
> where
[Akira] — — Message 58/58
> You will know.