Akira Ransomware Negotiation — Redacted Organisation

> Hello. You've reached an Akira support chat. Currently, we are preparing the list of data we took from your network. For now you have to know that dealing with us is the best possible way to settle this quick and cheap. Keep in touch and be patient with us. We will reach out to you soon. Do you have a permission to conduct a negotiation on behalf of your organization? Once we get a response you will be provided with all the details.

> list.txt // 208 KB

> These files were taken from your network prior to encryption. You can pick 2-3 random files from the list and we will upload them to this chat as a proof of possession. To prove that we can properly decrypt your data you can upload 2-3 encrypted files to our chat and we will upload decrypted copies back. We're looking through your financial papers to come up with a reasonable demand to you. We offer: 1) full decryption assistance; 2) evidence of data removal; 3) security report on vulnerabilities we found; 4) guarantees not to publish or sell your data; 5) guarantees not to attack you in the future. Let me know whether you're interested in a whole deal or in parts. This will affect the final price.

> Wait a bit.

> So, we've gone through your files to define your financial abilities. We're willing to set a $275,000 price for ALL the services we offer.

> Show me what do you have now and I'll talk to my team.

> We won't be able to settle this at 50k. I think the best we can offer is a 50k discount but I need to talk to my team. We work with 6 figures only.

> $175,000 and we will get this over. We can't go any lower. To prove that we can properly decrypt your data you can upload 2-3 encrypted files up to 10 mb each to our chat and we will upload decrypted copies back.

> Guys, first of all, 100k discount seems huge enough. Secondly, we've set a fair price initially, so you can handle that with no problem. Let 175k be the final number since this way both of us are satisfied.

> The discount is available till Saturday.

> We accept payments in bitcoins. To gain bitcoins you need to go to any exchange platform as binance or coinbase. Here are the guides: [REDACTED URL] [REDACTED URL] You also can buy bitcoin from any local brokers. If you withdraw funds from your bank account, then you have to inform the bank that you need this money for investment purposes only.

> Let me know when you are ready and I'll provide our wallet id.

> This is the complete list. We have about 2gb of data. The files will be provided shortly.

> Make everything ready by Tuesday. We'll close the deal.

> files.rar // 711 KB

> You can review the files.

> I'll upload them decrypted soon.

> decrypted.zip // 9.88 KB

> You can check the files.

> We see your intentions to resolve this so we can accept $150,000 and close the deal. There is a little gap between us and I think there shouldn't be a problem for you. Here is our BTC wallet [redacted]. Let me know how soon can we expect the transfer.

> ok you can send $140k to the same wallet from my previous message. How soon can we expect the transfer?

> We confirm the terms and the wallet id [redacted]

> Received. Please wait.

> unlocker.7z // 1.77 MB

> unlocker.exe -p="path_to_unlock" unlocker.exe -s="C:\paths.txt" where "paths.txt" is a list of paths for the decryptor, each path on a new line ESXi commands 1) chmod +x unlocker 2) ./unlocker -p="/vmfs/volumes"

> You will receive the rest within 24 hours.

> Yes. Please wait.

> I'll pass this to my team. Pleas wait.

> net user [redacted] [redacted] /dom net user [redacted] [redacted] /dom

> You will receive it within next 24 hours. Sorry for delay.

> log_erase [redacted].txt // 2.06 KB

> Initial access to your network was purchased on the dark web. Then kerberoasting was carried out and we got passwords hashes. Then we just bruted these and got domain admin password. Spending weeks inside of your network we've managed to detect some fails we highly recommend to eliminate: 1. None of your employees should open suspicious emails, suspicious links or download any files, much less run them on their computer. 2. Use strong passwords, change them as often as possible (1-2 times per month at least). Passwords should not match or be repeated on different resources. 3. Install 2FA wherever possible. 4. Use the latest versions of operating systems, as they are less vulnerable to attacks. 5. Update all software versions. 6. Use antivirus solutions and traffic monitoring tools. 7. Create a jump host for your VPN. Use unique credentials on it that differ from domain one. 8. Use backup software with cloud storage which supports a token key. 9. Instruct your employees as often as possible about online safety precautions. The most vulnerable point is the human factor and the irresponsibility of your employees, system administrators, etc. We guarantee that we will not sell or publish your data, keep this conversation private, and delete this chat later. We won't come back for more money after payment and we won't attack you again. We wish you safety, calmness and lots of benefits in the future. Thank you for working with us and your careful attitude to your security.