Akira Ransomware Negotiation — Redacted Organisation

> Hello. You've reached Akira support chat. Currently, we are preparing the list of data we took from your network. For now you have to know that dealing with us is the best possible way to settle this quick and cheap. Keep in touch and be patient with us. Do you have a permission to conduct a negotiation on behalf of your organization? Once we get a response you will be provided with all the details.

> listing_[redacted].txt // 724 KB

> These files were taken from your network prior to encryption. You can pick 2-3 random files from the list and we will upload them to this chat as a proof of possession. To prove that we can properly decrypt your data you can upload 2-3 encrypted files to our chat and we will upload decrypted copies back. We're looking through your financial papers to come up with a reasonable demand to you. We offer: 1) full decryption assistance; 2) evidence of data removal; 3) security report on vulnerabilities we found; 4) guarantees not to publish or sell your data; 5) guarantees not to attack you in the future. Let me know whether you're interested in a whole deal or in parts. This will affect the final price. If we don't get a respond within next 24 hours, we will be forced to announce your corporate data leak on our blog.

> We'll let you know our price for the decryption tool soon.

> We accept payments in bitcoins. To gain bitcoins you have to go to any exchange platform as binance or coinbase. Here are the guides: [REDACTED URL] [REDACTED URL] You also can buy bitcoin from any local brokers. If you withdraw funds from your bank account, then you have to inform the bank that you need this money for investment purposes only. We are the ones who can properly decrypt your data and restore your infrastructure in a short period of time. After payment you will receive a decryptor for each of your systems and manual on how to use it for particular file/system. You will be able to restore your infrastructure within 24 hours. If you face any problems during decryption process, we will be here to support. You will receive a security report that includes information about how we were able to penitrate your network, as well as exclusive first-hand information about the state of your network, the vulnerabilities that we found. What's more, you'll receive high-quality technical recommendations on eliminating any vulnerabilities and strengthening your network to secure your internal and external infrastructure. You will also receive written guarantees that we will keep this conversation private, and delete this chat later. We won't come back for more money after payment and we won't attack you again. Our price is $200,000. Once you confirm the sum, I will drop off our wallet ID.

> For $250,000 we will also delete your data.

> Please wait.

> files.rar // 4.29 MB

> Here are the proof files.

> [redacted].doc // 1.86 MB

> [redacted].pdf // 115 KB

> [redacted].xlsx // 14.2 KB

> Here are the decrypted ones. Ready to move to payment?

> We appreciate your offer but it is far away from a fair deal that we're here trying to reach. As a goodwill, we're willing to accept $200,000 which is capable for you to handle. You're well aware of the financial and reputational consequences in case we fail to agree. Let's be objective.

> I'll discuss with my team and be back here.

> So, we can accept $150,000 as final. We won't go any lower. Here is our BTC wallet [redacted] It's up to you.

> We confirm. I'll provide our BTC wallet soon.

> Here is the wallet: [redacted] How soon should we wait for a transfer? We expect to get payment before the weekend.

> The terms we agreed on are valid before the weekend.

> We're prepared.

> Waiting.

> win_unlocker_[redacted].ex_ // 759 KB

> unlocker.exe -p="path_to_unlock" unlocker.exe -s="C:\paths.txt" where "paths.txt" is a list of paths for the decryptor, each path on a new line

> We've started uploading your data to mega storage. This process will take us 2-3 days approximately.

> See the message above.

> Initial access to your network was purchased on the dark web. Then kerberoasting was carried out and we got passwords hashes. Then we just bruted these and got domain admin password. Spending weeks inside of your network we've managed to detect some fails we highly recommend to eliminate: 1. None of your employees should open suspicious emails, suspicious links or download any files, much less run them on their computer. 2. Use strong passwords, change them as often as possible (1-2 times per month at least). Passwords should not match or be repeated on different resources. 3. Install 2FA wherever possible. 4. Use the latest versions of operating systems, as they are less vulnerable to attacks. 5. Update all software versions. 6. Use antivirus solutions and traffic monitoring tools. 7. Create a jump host for your VPN. Use unique credentials on it that differ from domain one. 8. Use backup software with cloud storage which supports a token key. 9. Instruct your employees as often as possible about online safety precautions. The most vulnerable point is the human factor and the irresponsibility of your employees, system administrators, etc.

> mega.nz [redacted]@proton.me w[redacted] archive password: [redacted]

> This file is correct. The downloading was interrupted and this archive was corrupted. We can't do anything with this.

> I've passed it to my team. Please wait.

> Hello. This archive cannot be re-uploaded because it was corrupted while we downloading this FROM your network. We got this archive like this. Sorry for misunderstanding.

> Sure. I'll provide the file within 12 hours.

> Deletion.7z // 87.3 KB

> Apologies for the delay.