// Context
About This Negotiation
This transcript documents an Akira ransomware negotiation with a redacted victim organisation.
The negotiation consisted of 112 messages exchanged over an unknown period.
The initial ransom demand was $180,000. The negotiation resulted in a confirmed payment.
// Primary Source
Full Transcript — Verbatim
Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.
Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at
enquiries@binary-response.com — we will act promptly.
[Victim] — — Message 1/112
> Hello, our servers have been locked down and we would kindly ask that you unlock us. We're a small family business and rely on our computers. Thank you.
[Victim] — — Message 2/112
> Hello
[Akira] — — Message 3/112
> Hello. You've reached an Akira support chat. Currently, we are preparing the list of data we took from your network. For now you have to know that dealing with us is the best possible way to settle this quick and cheap. Keep in touch and be patient with us. We will reach out to you soon.
Do you have a permission to conduct a negotiation on behalf of your organization? Once we get a response you will be provided with all the details.
[Victim] — — Message 4/112
> Can you tell us what do you expect for unlocking us? We need our servers back. Thank you.
[Victim] — — Message 5/112
> yes I have
[Akira] — — Message 6/112
> [redacted]_lisling.txt // 2.22 MB
[Akira] — — Message 7/112
> These files were taken from your network prior to encryption. You can pick 2-3 random files from the list and we will upload them to this chat as a proof of possession. To prove that we can properly decrypt your data you can upload 2-3 encrypted files to our chat and we will upload decrypted copies back.
We're looking through your financial papers to come up with a reasonable demand to you. We offer: 1) full decryption assistance;
2) evidence of data removal;
3) security report on vulnerabilities we found;
4) guarantees not to publish or sell your data;
5) guarantees not to attack you in the future.
Let me know whether you're interested in a whole deal or in parts. This will affect the final price.
[Victim] — — Message 8/112
> We're interested to see the pricing 1,2,3,4,5 to understand.
[Victim] — — Message 9/112
> So whole deal
[Victim] — — Message 10/112
> Hello, can we get offer?
[Akira] — — Message 11/112
> Sure. Wait a bit.
[Akira] — — Message 12/112
> The full package will cost you $180,000 where the full decryption assistance is $100,000, the evidence of data removal is $70,000 and the report is $10,000. All the guarantees are coming as a default.
[Victim] — — Message 13/112
> We beg for lower price. This is huge amount for our company. Can we please get price of several 10k? This is really huge. I beg you on behalf of myself, my family and our employees.
[Victim] — — Message 14/112
> Please
[Akira] — — Message 15/112
> Are you interested in the full package, right? If you're able to arrange payment within next 2-3 days, we will consider a discount but it won't be more than 20%.
[Victim] — — Message 16/112
> We could pay in 2-3 days 40.000 USD for decryption and I would ask that you do not attack us again and remove data.
[Akira] — — Message 17/112
> $140,000 and you will receive all of our services.
[Victim] — — Message 18/112
> I ask you to support us. We are people as you are.
[Victim] — — Message 19/112
> We are not corporation
[Victim] — — Message 20/112
> This is how much we can give now for decryption, that we can recover data and then we negotiate further.
[Akira] — — Message 21/112
> I understand the situation you're in. I don't make decisions here, I'm just a mediator. So, please manage to gather more funds and my bosses will be able to help. We have our internal policy and we can't accept such small amounts. Thank you for understanding.
[Victim] — — Message 22/112
> Please
[Akira] — — Message 23/112
> Raise your amount up to 6 figures and we will shake hands.
[Victim] — — Message 24/112
> I would kindly ask for your answer on our last request.
[Victim] — — Message 25/112
> 60.000 USD plis
[Victim] — — Message 26/112
> Plis
[Akira] — — Message 27/112
> $120,000 and we will shake hands.
[Victim] — — Message 28/112
> We can pay 70k maximum. Please, we are a small business, which has to fight everyday for every penny. For us this is shock. Please spare us. Let's find agreement in this reasonable amount.
[Akira] — — Message 29/112
> We highly appreciate your willingness to work with us and see how you value your business but we cannot accept this amount. We've had a meeting as result of which the upper management has decided to take another step towards you and come down to $105,000. Let's just split that difference between you and us and get this over. Once you confirm the sum I will drop off our wallet and we will start preparing all the deliverables.
[Victim] — — Message 30/112
> Hello, we accept 105.000 USD. How do we know we will receive full package and trust things will be settled and we will not be attacked again? Will we receive full package? How do we pay?
[Akira] — — Message 31/112
> That's good. After we receive the transfer we will provide you with the decryption tool and the rest including our guarantees not to attack you again. You will be provided with our BTC wallet id soon.
[Akira] — — Message 32/112
> Here is the BTC wallet [redacted] Let me know when can we expect the transfer.
[Victim] — — Message 33/112
> I assume this is Bitcoin payment. We don't have Bitcoin account in our company and I am also not using it personally. I have started the procedure of opening account personally because it is much faster than opening for company. I still need to transfer the money from company to my personal account, then to Bitstamp, then to your wallet. I am now waiting from the bank if they can send me money on my personal account as our payment system is encrypted. Then I hope that Bitstamp will proceed fast and that we settle all this today. How long it will last that we get all above after you receive payment? Thank you.
[Victim] — — Message 34/112
> We would like to be sure that decryption is working. Please can you send us files /home/[redacted].pdf /home/[redacted].pdf /home/[redacted].pdf
[Victim] — — Message 35/112
> Also we would like to be sure that decryption key is working. You encrypted our virtual environment so we don't have access to files only vmdk files. Can we upload vmdk file?
[Akira] — — Message 36/112
> You will receive all the decryptors immediately after payment. Please upload vmdk file. We will provide you with requested files soon as well.
[Victim] — — Message 37/112
> Hello, I am waiting for the money to land on Bitstamp, then I will first transfer 0.01 BTC for you to confirm me that you have received. Then the rest (and after test on above files)..
[Victim] — — Message 38/112
> [redacted].vmx.akira // 4.6 KB
[Victim] — — Message 39/112
> [redacted].log.akira // 1.86 MB
[Victim] — — Message 40/112
> vmdk is not possible to upload it's 16 GB
[Akira] — — Message 41/112
> We will decrypt the uploaded file. Please wait.
[Victim] — — Message 42/112
> Hello, when can we expect decrypted files?
[Victim] — — Message 43/112
> We have now transferred our funds to Bitstamp, however they have blocked us due to new account and unusually high amount and the case is opened there, that we will be able to make payment.
[Victim] — — Message 44/112
> [redacted] - Bitstamp.pdf // 44.3 KB
[Victim] — — Message 45/112
> Hello, we would really ask for soonest resolvment. Please.
[Akira] — — Message 46/112
> Hello. Please be patient with us. We will provide everything shortly.
[Akira] — — Message 47/112
> [redacted].log // 1.86 MB
[Akira] — — Message 48/112
> [redacted].vmx // 4.09 KB
[Victim] — — Message 49/112
> Thank you. Files are ok.
[Victim] — — Message 50/112
> I have opened personal account on Bitstamp and put on the account 105.000 USD. I am now in compliance procedure on Bitstamp due to high transaction amount and we are pushing on them to release the security limits, that we can transfer funds. We will inform you immediately.
[Akira] — — Message 51/112
> How's your progress with payment?
[Victim] — — Message 52/112
> I have opened personal account on Bitstamp and put on the account 105.000 USD. I am now in compliance procedure on Bitstamp due to high transaction amount and we are pushing on them to release the compliance limits, that we can transfer funds. We will inform you immediately.
[Victim] — — Message 53/112
> [redacted] - Bitstamp.pdf // 44.3 KB
[Victim] — — Message 54/112
> in pdf printscreen from Bitstamp. I hope they solve this asap, that we send payment.
[Akira] — — Message 55/112
> Thank you. Keep us updated please.
[Victim] — — Message 56/112
> I have just got information from some people in slovenian Bitstamp that we can expect answer from compliance department tomorrow.
[Akira] — — Message 57/112
> Ok.
[Victim] — — Message 58/112
> Good morning. I still wait for Bitstamp to open my account for buy BTC and transfer it ...
[Akira] — — Message 59/112
> We are waiting.
[Victim] — — Message 60/112
> Hello, I am unfortunately still waiting for Bitstamp to release my trading despite many urgencies. Printscreen in attachment.
[Victim] — — Message 61/112
> Status at Bitstamp.jpg // 85.6 KB
[Akira] — — Message 62/112
> You need to assure them that you use your funds in investment purposes.
[Victim] — — Message 63/112
> Hello, we didn't receive any response from Bitstamp yet and as I understand my Bitstamp account is under red flag as I put in so big amount of money. We are desperate and our business has started to seriously suffer and orders are being canceled as we can't operate :(. Can you please decrypt us? We will pay anyhow. Can you help us how to pay?
[Akira] — — Message 64/112
> We can't provide anything before payment. I will learn how we can help.
[Akira] — — Message 65/112
> What has Bitstamp support responded?
[Akira] — — Message 66/112
> Could you please give us more details?
[Victim] — — Message 67/112
> They have responded only that they are processing and phone support is saying that it is in compliance department and has been escalated to higher level. We have contacted some people from Bitstamp here in Slovenia to help us accelerate the process there. Hope to get answer asap. I have today opened account also on other exchange and I will try to proceed also there (Swissborg) if Bitstamp doesn't work. Can you help me what are other options?
[Victim] — — Message 68/112
> Status Bitstamp [redacted].jpg // 101 KB
[Akira] — — Message 69/112
> Please wait.
[Akira] — — Message 70/112
> To gain bitcoins you need to go to any exchange platform as binance or coinbase. Here are the guides: [REDACTED URL]
[REDACTED URL] You also can buy bitcoin from any local brokers. If you withdraw funds from your bank account, then you have to inform the bank that you need this money for investment purposes only. Additionally, maybe this title will help: [REDACTED URL]
[Victim] — — Message 71/112
> Thanks for that info. We have done exactly that with second account on [redacted]. For investment purposes only. I will read your link and I sincerely hope that tomorrow this will be settled.
[Akira] — — Message 72/112
> We hope too. Thank you.
[Victim] — — Message 73/112
> Good morning. Just update. Payment went this morning from my bank to Swissborg. I will keep you informed during day on progress.
[Akira] — — Message 74/112
> Thank you.
[Victim] — — Message 75/112
> Hello. I am providing latest update. Today at 8:45 AM I have paid money to [redacted] bank account in Malta and now I am still waiting that their system processes the payment and that this payment will be shown in my [redacted] app on the phone. They say that it takes 1 to 3 days. Since I have paid by SEPA payment I assume that the money should be visible in the app if not today, latest on Monday. I have checked in advance compliance procedure on [redacted] and I have all documents for compliance ready, so I don't expect any problems with compliance and I will then buy Bitcoins and transfer them to your wallet. Thank you for patience.
[Victim] — — Message 76/112
> If you need some information for proof of above happening let me know. Bitstamp has stolen us two days.
[Akira] — — Message 77/112
> Thank you for update. We're standing by.
[Victim] — — Message 78/112
> Good morning. I am waiting that money comes on crypto account...
[Akira] — — Message 79/112
> Morning. We're waiting too.
[Victim] — — Message 80/112
> Hello. I am desperate to write, I still haven't succeeded to transfer money from my bank account to my [redacted] account. I have sent money on Friday at 8:45 through [redacted] bank in Slovenia and they sent me confirmation on Friday. Today they have called me that their [redacted] mother bank couldn't send the money to [redacted] account on Malta. I went today at 15:30 in person to [redacted] bank here in Slovenia and they told have made SEPA payment, so I expect that I will have money on [redacted] account tomorrow. I am totally frustrated, because of this, but I can't help. I believe that money will arrive to this [redacted] account and that I will buy and forward BTC's tomorrow. We really need unlocking here. People in the company have become totally depressed and me too. We will solve this payment and then really ask for decrypting to be made available urgently that we can start decrypting immediately. Thank you very much in advance.
[Akira] — — Message 81/112
> You will get the decryptors immediately after payment.
[Victim] — — Message 82/112
> Morning. I see money went from my [redacted] bank this morning. Now I wait for it to pop up in my [redacted] app... Keep you informed.
[Victim] — — Message 83/112
> Hello, I have just tested BTC withdrawal for 0,008 BTC from my [redacted] account how it works. Could you please check if you've received. On [redacted] I have otherwise only 11.000 EUR monthly limit, so I will still have to wait for [redacted].
[Akira] — — Message 84/112
> Haven't received anything yet.
[Victim] — — Message 85/112
> It took some time. Now I see on blockchain.com that there is 0.008 BTC in above specified wallet [redacted]. Can you recheck?
[Victim] — — Message 86/112
> Can you please check and confirm that you have received 0.008 BTC ?
[Akira] — — Message 87/112
> 0.008 BTC received.
[Victim] — — Message 88/112
> Thank you. I am doing everything that you will receive difference to 105.000 USD within next two hours and will keep you updated. I would really kindly ask that we get this decryptors then as soon as possible that we can start decrypting today. Thank you.
[Akira] — — Message 89/112
> Thank you. We're ready.
[Victim] — — Message 90/112
> Hello, my contact is in GMT+9hrs time, so I wait that he wakes up and transfers. I will be online again around midnight CET time.
[Victim] — — Message 91/112
> Banks are taking too much time.
[Akira] — — Message 92/112
> Got it, thanks.
[Victim] — — Message 93/112
> Hello, just to inform that payment of [redacted] btc has been initiated.
[Victim] — — Message 94/112
> Enclosed you find transaction link
[Victim] — — Message 95/112
> [REDACTED URL]
[Victim] — — Message 96/112
> I would now kindly ask that you provide us as discussed full package: 1) full decryption assistance; 2) evidence of data removal; 3) security report on vulnerabilities we found; 4) guarantees not to publish or sell your data; 5) guarantees not to attack you in the future.
[Victim] — — Message 97/112
> We will learn from this...
[Akira] — — Message 98/112
> I see. Unconfirmed yet.
[Akira] — — Message 99/112
> unlockers.7z // 1.55 MB
[Akira] — — Message 100/112
> unlocker.exe -p="path_to_unlock"
unlocker.exe -s="C:\paths.txt"
where "paths.txt" is a list of paths for the decryptor, each path on a new line
same arguments works with esxi decryptor
[Victim] — — Message 101/112
> Hello, thank you for unlocker. Can we please get instructions how to unlock Vmware platform?
[Akira] — — Message 102/112
> There is a different unlocker for each system.
If it's ESXi - you should use the decryptor for linux.
If we're talking about Windows, you should use the .exe unlocker.
unlocker.exe -p="path_to_unlock"
unlocker.exe -s="C:\paths.txt"
where "paths.txt" is a list of paths for the decryptor, each path on a new line
same arguments works with esxi decryptor
[Victim] — — Message 103/112
> Hello, when can we expected of delivery 2) evidence of data removal; 3) security report on vulnerabilities we found;
[Akira] — — Message 104/112
> I will provide in an hour.
[Akira] — — Message 105/112
> [redacted]_dellog.txt // 2.54 MB
[Akira] — — Message 106/112
> Initial access to your network was purchased on the dark web. Then kerberoasting was carried out and we got passwords hashes. Then we just bruted these and got domain admin password. Spending weeks inside of your network we've managed to detect some fails we highly recommend to eliminate:
1. None of your employees should open suspicious emails, suspicious links or download any files, much less run them on their computer.
2. Use strong passwords, change them as often as possible (1-2 times per month at least). Passwords should not match or be repeated on different resources.
3. Install 2FA wherever possible.
4. Use the latest versions of operating systems, as they are less vulnerable to attacks.
5. Update all software versions.
6. Use antivirus solutions and traffic monitoring tools.
7. Create a jump host for your VPN. Use unique credentials on it that differ from domain one.
8. Use backup software with cloud storage which supports a token key.
9. Instruct your employees as often as possible about online safety precautions. The most vulnerable point is the human factor and the irresponsibility of your employees, system administrators, etc.
We guarantee that we will not sell or publish your data, keep this conversation private, and delete this chat later. We won't come back for more money after payment and we won't attack you again.
We wish you safety, calmness and lots of benefits in the future. Thank you for working with us and your careful attitude to your security.
[Victim] — — Message 107/112
> Thank you!
[Victim] — — Message 108/112
> Is it possible to share what means initial access? Which username (I assume also password) was available on dark web?
[Victim] — — Message 109/112
> At least info on username and if password was also available? Thank you.
[Akira] — — Message 110/112
> It was VPN credentials. We get access from different people on the darknet, this information is not in public domain. We recommend that you change your VPN credentials and reconsider your password policy - there is nothing to worry about anymore.
[Victim] — — Message 111/112
> Thank you!
[Akira] — — Message 112/112
> You're welcome.