Akira Ransomware Negotiation — Redacted Organisation

> Hello

> You've reached Akira support chat. Currently, we are preparing the list of data we took from your network. For now you have to know that dealing with us is the best possible way to settle this quick and cheap. Keep in touch and be patient with us. Do you have a permission to conduct a negotiation on behalf of your organization? Once we get a response you will be provided with all the details.

> Please wait for details.

> List.rar // 1.52 MB

> These files were taken from your network prior to encryption. You can pick 2-3 random files from the list and we will upload them to this chat as a proof of possession. To prove that we can properly decrypt your data you can upload 2-3 encrypted files to our chat and we will upload decrypted copies back.

> Rar password is [redacted]

> We will send you the decryption key but payment first. If you want to test the tool send us a few non-significant files. Please do not complicate things.

> We'll wait. Speed the things up.

> You can give us any encrypted files for a test decryption and ask for any files from the list as a proof.

> Please wait.

> decrypted.7z // 1.14 MB

> Please review.

> Do you need files for proof?

> Give me a few paths to files you want to see from the list. After payment you will get the tool that will decrypt your systems.

> Let's move to payments discussion then. I'll let you know our demand shortly.

> Ok, we will send few random files.

> files.rar // 647 KB

> We can proceed to payment options. I will let you know our demand shortly.

> Wait a bit.

> So, we've gone through your files to define your financial abilities. We've been looking through your bank statements, net income, cyber liability limits, financial audits - all the info that might help us to calculate our demand to you. We're willing to set a $1,700,000 price for ALL the services we offer: 1) full decryption assistance; 2) evidence of data removal; 3) security report on vulnerabilities we found; 4) guarantees not to publish or sell your data; 5) guarantees not to attack you in the future. Let me know whether you're interested in a whole deal or in parts. This will affect the final price.

> In case you of quick payment, we will be able to consider a discount. We are going to work with 7 figures though.

> Our request is quite possible for a company like yours. We both know this. If you need our decryption services only, we can end this incident at $1,000,000. We won't go lower. This is a good price for getting back to business quick and without troubles.

> What do you have to offer?

> You have 24 hours to give us your decision regarding this deal. If you stay silent, we will announce the breach on our blog.

> We can't and won't wait forever.

> You can find your company name in our news column: [REDACTED URL] If you want this post to be removed, we have to agree on something.

> We will never accept such a small amount. You're offering us 20k against 1M. How do you think we will be able to agree? We will wait a bit more and then will cancel the deal. There is nothing to talk about at the moment.

> Hello. Have you managed to raise a decent amount?

> We are happy that you understand that the situations is serious. We are ready to work with you on the price in order to find a mutually profitable solution. Give us a renewed offer and I'll bring that to my leadership for a discussion.

> The post will be removed after payment only. Give us an update from your boss today please. Thank you.

> We can remove the post after payment only. The faster you act, the sooner the post will be removed.

> There are no cultural differences between us, it's just the way this business works. You were offering us pennies and was warned about publication.

> I still do not see any decent offer from your side. We will take the post down later.

> Standing by.

> Thank you for your offer. We're willing to accept $650,000 and get this over with you.

> We'll wait for your answer today.

> Upload your reports, please. Meanwhile, I was able to get approval for an additional discount. We're ready to close this at $590,000.

> The post has been removed but it might be returned at any second. We hope to come to an agreement within 2-3 days and go our separate ways. We need a decent counter offer from your side to make a final step to finalization.

> Thank you for the report but it seems like a trick, we were waiting for verified signed documents. Anyway, even if it is true, we do not have real picture (your savings, your investments, your net assets etc.). We believe we're asking for a fair amount and are willing to close the deal.

> I simply do not know how to help you. You can sell some of your assets or something but my bosses can't go lower than $350,000.

> Let me know asap.

> We have until Friday to get this over with. Please speed things up on your part.

> We appreciate your efforts to end this with us. The lowest number we can accept for the case is $250,000. Not less. We can give you until Friday to make the payment, since our dialogue is long enough and we need to close the case.

> Yes.

> We need your decision today. To gain bitcoins you need to go to any exchange platform as binance or coinbase. Here are the guides: [REDACTED URL] [REDACTED URL] You also can buy bitcoin from any local brokers. If you withdraw funds from your bank account, then you have to inform the bank that you need this money for investment purposes only. Once we get payment, we will provide the decryptors for each of your systems immediately.

> We value our reputation and honor all agreements made. You will not find a single case where we have broken an agreement or failed to fulfill any of the clauses. After payment you will receive a decryptor for each of your systems and manual on how to use it for particular file/system. If you face any problems during decryption process, we will be here to support. You will receive a deletion log which means the raid drives that contained the only copy of your data are fully formatted and erased. You will receive a security report that includes information about how we were able to penetrate your network, as well as exclusive first-hand information about the state of your network, the vulnerabilities that we found. What's more, you'll receive high-quality technical recommendations on eliminating any vulnerabilities and strengthening your network to secure your internal and external infrastructure. You will also receive written guarantees that we will not sell or publish your data, keep this conversation private, and delete this chat later. We won't come back for more money after payment and we won't attack you again.

> We accept BTC only. We expect to get payment before the weekend.

> Come on, mates. If there is no payment by the weekend, we will have to raise the price to $275,000 on Monday. Please speed things up on your part.

> I'll let you know a bit later.

> Are you able to send $225,000 today? If so, we're willing to accept.

> We do have a deal. Here is our BTC wallet [redacted] Let me know when you are ready to make a test transaction.

> 0.016 BTC unconfirmed. You can proceed with the rest.

> We don't mind. Anyway, you will receive everything once we get payment in full.

> 0.57 Received. Proceed please.

> Ok. Keep me posted.

> We have received 2.66385307 BTC in total. Please proceed further.

> The balance is 2.66385307 btc or $169,553 at this moment. So you need to send 55,447. We are waiting. Thank you.

> Received. Please wait.

> unlocker.7z // 1.79 MB

> unlocker.exe -p="path_to_unlock" unlocker.exe -s="C:\paths.txt" where "paths.txt" is a list of paths for the decryptor, each path on a new line ESXi commands 1) chmod +x unlocker 2) ./unlocker -p="/vmfs/volumes"

> We will provide within 24 hours. Thank you for your patience.

> I'll let you know soon.

> Wait a bit.

> There was a little mistake here. Here is the correct unlocker.

> win_unlocker.ex_ // 759 KB

> Let me know if you have troubles.

> Please try this password: [redacted]

> log.rar // 3.45 MB

> Our apologies for delay. The archive pass is: [redacted]

> Initial access to your network was purchased on the dark web. Then kerberoasting was carried out and we got passwords hashes. Then we just bruted these and got domain admin password. Spending weeks inside of your network we've managed to detect some fails we highly recommend to eliminate: 1. None of your employees should open suspicious emails, suspicious links or download any files, much less run them on their computer. 2. Use strong passwords, change them as often as possible (1-2 times per month at least). Passwords should not match or be repeated on different resources. 3. Install 2FA wherever possible. 4. Use the latest versions of operating systems, as they are less vulnerable to attacks. 5. Update all software versions. 6. Use antivirus solutions and traffic monitoring tools. 7. Create a jump host for your VPN. Use unique credentials on it that differ from domain one. 8. Use backup software with cloud storage which supports a token key. 9. Instruct your employees as often as possible about online safety precautions. The most vulnerable point is the human factor and the irresponsibility of your employees, system administrators, etc. We guarantee that we will not sell or publish your data, keep this conversation private, and delete this chat later. We won't come back for more money after payment and we won't attack you again. We wish you safety, calmness and lots of benefits in the future. Thank you for working with us and your careful attitude to your security.

> Try this one [redacted]