// Context
About This Negotiation
This transcript documents a Akira ransomware negotiation with a redacted victim organisation.
The negotiation consisted of 40 messages exchanged over Unknown.
The initial ransom demand was $350,000. The victim refused to pay.
// Primary Source
Full Transcript — Verbatim
Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.
Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at
enquiries@binary-response.com — we will act promptly.
[Victim] — — Message 1/40
> [redacted]
[Akira] — — Message 2/40
> Hello. You've reached Akira support chat. Currently, we are preparing the list of data we took from your network. For now you have to know that dealing with us is the best possible way to settle this quick and cheap. Keep in touch and be patient with us. Do you have a permission to conduct a negotiation on behalf of your organization? Once we get a response you will be provided with all the details.
[Victim] — — Message 3/40
> Yes
[Akira] — — Message 4/40
> Wait a bit.
[Akira] — — Message 5/40
> List.7z // 554 KB
[Akira] — — Message 6/40
> These files were taken from your network prior to encryption. You can pick 2-3 random files from the list and we will upload them to this chat as a proof of possession. To prove that we can properly decrypt your data you can upload 2-3 encrypted files to our chat and we will upload decrypted copies back.
[Victim] — — Message 7/40
> [redacted].pdf
[Victim] — — Message 8/40
> [redacted].docx
[Victim] — — Message 9/40
> [redacted].docx
[Victim] — — Message 10/40
> Files.zip // 54.1 KB
[Akira] — — Message 11/40
> Passing to my tech dept. Please wait.
[Akira] — — Message 12/40
> decrypted.7z // 22 KB
[Akira] — — Message 13/40
> files.7z // 538 KB
[Akira] — — Message 14/40
> So, we've gone through your files to define your financial abilities. We've been looking through your bank statements, net income, cyber liability limits, financial audits - all the info that might help us calculate our demand to you. We're willing to set a $350,000 price for ALL the services we offer: 1) full decryption assistance;
2) evidence of data removal;
3) security report on vulnerabilities we found;
4) guarantees not to publish or sell your data;
5) guarantees not to attack you in the future. Let me know whether you're interested in a whole deal or in parts. This will affect the final price.
[Victim] — — Message 15/40
> We are interesed in parts. Can you detail the price on every service ?
[Akira] — — Message 16/40
> 1) full decryption assistance - $250,000;
2) evidence of data removal - $150,000;
3) security report on vulnerabilities we found - $25,000;
4) guarantees are included to each of the above options.
[Victim] — — Message 17/40
> The amount requested by you is exaggerated. The amount requested by you is half of the company's profit for the whole year. If we refer to the encrypted data, it can be recovered by manually restoring the databases, something that certainly costs less than $250,000 - the cost of total decryption. We are still willing to negotiate, but with a much smaller amount. The maximum we can offer is $50,000, but we cannot pay the amount in full, but in installments, because we cannot legally remove this amount from the accounting. Our proposal is to divide this amount into 10 packages, and you decrypt packages of files for us. We pay in advance for each package.
[Akira] — — Message 18/40
> We will never accept your terms, so we can end this right now. You can go back and forth but we will never be lower than 230k for the full package. The first option is $140,000 and it is the bottom line. We accept payments in full, so you can transfer funds to your broker in parts.
[Victim] — — Message 19/40
> How will we pay ?
[Victim] — — Message 20/40
> what is the bank account ?
[Akira] — — Message 21/40
> We accept payments in bitcoins. Once we agree on the price, I'll provide you our wallet ID.
[Victim] — — Message 22/40
> The board has agreed to a 100.000 euro payment
[Victim] — — Message 23/40
> This is for full decryption
[Victim] — — Message 24/40
> We can do it in one payment
[Akira] — — Message 25/40
> ok. We are ready to close the deal at $120,000. I am pretty sure you can add a bit to your current offer and make a transaction that will satisfy both parties. Here is our BTC wallet [redacted] Please let me know how soon can we expect the transfer.
[Akira] — — Message 26/40
> Hello. Are you going to finish the deal with us?
[Victim] — — Message 27/40
> Hello! We are processing the request with the Financial Department and Legal
[Akira] — — Message 28/40
> How long should we wait?
[Victim] — — Message 29/40
> We have made a test transaction. The board is reluctant to this type of payment. Now we wait for confirmation of the payment.
[Akira] — — Message 30/40
> 0.00430313 received. You can proceed with the full amount.
[Akira] — — Message 31/40
> What's your progress?
[Victim] — — Message 32/40
> Economic department issues
[Akira] — — Message 33/40
> How soon can w eexpect the rest?
[Akira] — — Message 34/40
> I am waiting for an update from you today.
[Victim] — — Message 35/40
> It seems the board is doesn't trust to pay the money
[Akira] — — Message 36/40
> Can you please explain? Are we going to have a deal? You've already sent us the test payment.
[Victim] — — Message 37/40
> The board came to the conclusion that we have no warranty that we will get our data back. The risk of not getting anything vs. the amount that we have to pay.
[Akira] — — Message 38/40
> We've proven that we can decrypt the files and after payment we can give you back the files we took from your network. Our initial demand has been decreased significantly and now you are saying that there is a risk. Did I understand you right that this is your final decision and there will be no deal with you?
[Victim] — — Message 39/40
> I'm sorry. It is not my decision
[Akira] — — Message 40/40
> OK Thanks for the information. We will announce this incident on our blog and your data will be uploaded there as well.