// Context
About This Negotiation
This transcript documents a Akira ransomware negotiation with a redacted victim organisation.
The negotiation consisted of 41 messages exchanged over Unknown.
The initial ransom demand was $300,000. The final outcome is not confirmed in the transcript.
// Primary Source
Full Transcript — Verbatim
Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.
Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at
enquiries@binary-response.com — we will act promptly.
[Victim] — — Message 1/41
> Please confirm this message
[Akira] — — Message 2/41
> Hello
[Akira] — — Message 3/41
> You've reached Akira support chat. Currently, we are preparing the list of data we took from your network. For now you have to know that dealing with us is the best possible way to settle this quick and cheap. Keep in touch and be patient with us. We will reach out to you soon. Do you have a permission to conduct a negotiation on behalf of your organization? Once we get a response you will be provided with all the details.
[Victim] — — Message 4/41
> Yes I do
[Akira] — — Message 5/41
> Please wait.
[Victim] — — Message 6/41
> Just checking you are still here?
[Akira] — — Message 7/41
> We are. Wait for the details.
[Victim] — — Message 8/41
> Do you have the details yet?
[Akira] — — Message 9/41
> [redacted].rar // 371 KB
[Akira] — — Message 10/41
> These files were taken from your network prior to encryption. You can pick 2-3 random files from the list and we will upload them to this chat as a proof of possession. To prove that we can properly decrypt your data you can upload 2-3 encrypted files to our chat and we will upload decrypted copies back.
We're looking through your financial papers to come up with a reasonable demand to you. We offer: 1) full decryption assistance;
2) evidence of data removal;
3) security report on vulnerabilities we found;
4) guarantees not to publish or sell your data;
5) guarantees not to attack you in the future.
Let me know whether you're interested in a whole deal or in parts. This will affect the final price.
[Victim] — — Message 11/41
> We need a few days to look at the list and pick 2-3 files. Ill get back to you on monday
[Akira] — — Message 12/41
> Standing by.
[Akira] — — Message 13/41
> Hello. I am waiting for the files.
[Akira] — — Message 14/41
> So, we've gone through your files to define your financial abilities. We've been looking through your bank statements, net income, cyber liability limits, financial audits - all the info that might help us to calculate our demand to you. We're willing to set a $300,000 price for ALL the services we offer:
1) full decryption assistance;
2) evidence of data removal;
3) security report on vulnerabilities we found;
4) guarantees not to publish or sell your data;
5) guarantees not to attack you in the future.
Let me know whether you're interested in a whole deal or in parts. This will affect the final price. Atm, we highly recommend that you refer to your cyber insurance to cover our amount quickly minimizing all upcoming risks.
[Victim] — — Message 15/41
> Thank you for this update. I will get you the filenames very soon and we will also discuss the price you have shared
[Akira] — — Message 16/41
> Standing by.
[Victim] — — Message 17/41
> 1. [redacted].pdf 2. [redacted].xlsx 3. [redacted].docx
[Akira] — — Message 18/41
> [redacted].rar // 541 KB
[Victim] — — Message 19/41
> I'll review these today
[Akira] — — Message 20/41
> We have to proceed to payment options.
[Victim] — — Message 21/41
> Ok but first I need to see proof of decryption assistance. I will get you files today
[Akira] — — Message 22/41
> Standing by.
[Victim] — — Message 23/41
> [redacted].xml.akira // 518 KB
[Victim] — — Message 24/41
> [redacted].akira // 749 KB
[Victim] — — Message 25/41
> Here
[Akira] — — Message 26/41
> Please wait.
[Akira] — — Message 27/41
> [redacted] // 748 KB
[Akira] — — Message 28/41
> [redacted].xml // 517 KB
[Victim] — — Message 29/41
> Thanks. Is it expected that the files become 1kb smaller after decryption?
[Akira] — — Message 30/41
> Yes, it is.
[Akira] — — Message 31/41
> Ready to move to payment?
[Victim] — — Message 32/41
> We have no more questions at the moment. We confirm your abilities to recover the data and the details about our files. I am meeting with our boss in the morning to go over our next steps and I will check in with you after that
[Akira] — — Message 33/41
> Waiting for the update.
[Victim] — — Message 34/41
> Here is the update. We have taken note of what is still encrypted and the financial impact of losing it or rebuilding it. I am running the numbers again to confirm but I dont think it amounts to the $300k that was quoted. To discuss payment, we would hope to see a revised quote, if that is something you can provide.
[Akira] — — Message 35/41
> Let me know what sum you see reasonable and I'll discuss it with my team.
[Victim] — — Message 36/41
> I will confirm our assessment with my boss and get back to you after the weekend
[Akira] — — Message 37/41
> Waiting.
[Akira] — — Message 38/41
> so?
[Akira] — — Message 39/41
> You have 24 hours to give us your decision regarding this deal. If you stay silent, we will announce the breach on our blog.
[Akira] — — Message 40/41
> You can find your company name in our news column: akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion If you want this post to be removed, we have to agree on something.
[Akira] — — Message 41/41
> Your data will be available for downloading soon.