Akira Ransomware Negotiation — Redacted Organisation

Messages: 53
Duration: Unknown
Initial Demand: $400,000
Outcome: Paid

About This Negotiation

This transcript documents an Akira ransomware negotiation with a redacted victim organisation. The negotiation consisted of 53 messages exchanged over an unknown duration.

The initial ransom demand was $400,000. The negotiation resulted in a confirmed payment.

Full Transcript — Verbatim

Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.

Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
[Victim] — — Message 1/53
> Hi we received your readme file. This is a shock to us, what do we do next? Can you help us?
[Akira] — — Message 2/53
> Hello. You've reached Akira support chat. Currently, we are preparing the list of data we took from your network. For now you have to know that dealing with us is the best possible way to settle this quick and cheap. Keep in touch and be patient with us. Do you have permission to conduct a negotiation on behalf of your organization? Once we get a response you will be provided with all the details.
[Victim] — — Message 3/53
> yes i am authorized to negotiate with you
[Akira] — — Message 4/53
> list.txt // 640 KB
[Akira] — — Message 5/53
> These files were taken from your network prior to encryption. You can pick 2-3 random files from the list and we will upload them to this chat as a proof of possession. To prove that we can properly decrypt your data you can upload 2-3 encrypted files to our chat and we will upload decrypted copies back. We're looking through your financial papers to come up with a reasonable demand to you. We offer: 1) full decryption assistance; 2) evidence of data removal; 3) security report on vulnerabilities we found; 4) guarantees not to publish or sell your data; 5) guarantees not to attack you in the future. Let me know whether you're interested in a whole deal or in parts. This will affect the final price.
[Akira] — — Message 6/53
> So, we've gone through your files to define your financial abilities. We've been looking through your bank statements, net income, cyber liability limits, financial audits - all the info that might help us calculate our demand to you. We're willing to set a $400,000 price for ALL the services we offer.
[Victim] — — Message 7/53
> Hi please show proof of life for the following files: [redacted].pdf, [redacted].docx, [redacted].docx, [redacted].xlsx
[Akira] — — Message 8/53
> Please wait.
[Akira] — — Message 9/53
> files.rar // 207 KB
[Akira] — — Message 10/53
> Please review the files. If you need to test our decryption tool, give me 2-3 encrypted files asap.
[Victim] — — Message 11/53
> [redacted].eps.akira // 5.46 MB
[Victim] — — Message 12/53
> [redacted].pdf.akira // 2.08 MB
[Victim] — — Message 13/53
> We have reviewed the files. Thank you for providing those. Here are some files to show proof of decryption. Thanks
[Victim] — — Message 14/53
> [redacted].pdf.akira // 421 KB
[Victim] — — Message 15/53
> [redacted].png.akira // 4.02 MB
[Akira] — — Message 16/53
> Please wait.
[Akira] — — Message 17/53
> decrypted.7z // 7.67 MB
[Akira] — — Message 18/53
> As for the third file, we have a question. Did you stop the encryption process?
[Victim] — — Message 19/53
> Yes we did. Honestly we freaked out when we saw this kick off and just shut everything down. Is that going to be a problem?
[Akira] — — Message 20/53
> Some files less than 2 mb might be damaged.
[Victim] — — Message 21/53
> We have carefully reviewed the services you offer, but we have some concerns about limitations related to the decryption of some of our files. We have a very complex database that was on one of our servers, when we took it offline during the encryption process. Now, some of the subfiles of this database are of the size that you said could be a problem. What guarantees can you give us, that after paying for decryption, these files will be completely accessible and be able to be used without restrictions?
[Akira] — — Message 22/53
> There shouldn't be any troubles with decrypting your files of size 2mb and less. As well as with the rest.
[Akira] — — Message 23/53
> Are we going to have a deal here?
[Victim] — — Message 24/53
> We are open to finalizing a deal. However, as previously discussed, there are significant concerns: Regarding the decryption process and the size of our current files. You have mentioned that you reviewed our files, and clearly noticed we are small family owned business that lacks cyber liability coverage. We have some concerns about the likely success of decryption, based on your most recent attempts to decrypt only three out of four submitted files. Given the decryption issues encountered, we propose a settlement of $105,000 as we are taking considerable risk by relying on a decryption tool that has proven unreliable.
[Akira] — — Message 25/53
> I'll get back soon.
[Akira] — — Message 26/53
> Hello. Given the circumstances and your "concerns", we are willing to step forward to close at $350,000, nothing more.
[Victim] — — Message 27/53
> We appreciate your response, yet our "concerns" persist. Post-payment, we're left without any recourse should your service fail to decrypt what has been encrypted. In an effort to push this conversation forward and mitigate our hesitations about proceeding with payment, we require further clarity. Specifically, we need reassurance about your capability to decrypt a critical piece of our infrastructure - a 540GB SQL server 2005 DB file named [redacted].MDF, previously hosted on a 2008R2 SP1 server. This file is crucial to our negotiation. Gaining assurances from your team that we could expect this DB to be decrypted will help us move forward with a decision. Can your team provide a concrete assurance regarding your tools' ability to handle a database file of this magnitude? Furthermore, post-payment, what level of "TechSupport" can we expect to ensure the functionality of your product? Awaiting your detailed response.
[Akira] — — Message 28/53
> I'm pretty confident that you will decrypt everything we've encrypted, with our tool, but I will ask my tech guys about assurances as well.
[Victim] — — Message 29/53
> Thank you
[Akira] — — Message 30/53
> Well, I got assurance from my tech dept that all of your encrypted files including huge SQL server and DBs will be successfully decrypted. If you face any problems during decryption process, we will be here to support 24/7. After payment you will receive decryptors and commands how to run them. We've already decrypted cases where encryption process was interrupted. We have carefully checked encrypted files you gave us for test and are sure there won't be any problems.
[Akira] — — Message 31/53
> We're not interested in deceiving you since it will impact our reputation we honor.
[Victim] — — Message 32/53
> We have been discussing your services and after your assurances we feel a lot better with moving forward with an agreement. We can gather and access 208K within the next 24 hours and pay. Please work with us here. We do not have a cyber insurance policy to pull funds from, and this is out of pocket cash we have to access. We appreciate that your team will stand behind your service as you value your reputation.
[Akira] — — Message 33/53
> In our turn we appreciate your willingness to end this with us but $208k won't resolve the incident. My team is ready to accept $300,000 for the deal this week. This is our final offer. Let us get this over. Here is our BTC wallet [redacted]
[Akira] — — Message 34/53
> Waiting for your reply guys.
[Victim] — — Message 35/53
> Thank you for working with us on this incident. Please take $271,818.13 in BTC to your wallet and let's put the matter behind us. We can all go into our weekend feeling like we worked on this problem together and enjoy life. As soon as you agree, we will start working on getting the BTC setup and send it to you.
[Akira] — — Message 36/53
> I'll let you know soon.
[Akira] — — Message 37/53
> Guys, we both know that you are able to close this at $300,000. We've decreased our demand significantly so let's end this at $300k and get this over. I'll wait for a message from you asap.
[Akira] — — Message 38/53
> Hello. We are waiting for a message from you.
[Victim] — — Message 39/53
> I am sitting here waiting for final approval from my boss. Please give me a couple of minutes
[Akira] — — Message 40/53
> Waiting.
[Victim] — — Message 41/53
> We will move forward with the 300k payment. We need to be sure that your team will provide the decryption key ASAP and be available to assist with decryption throughout this weekend and for as long as our files remain encrypted; you will provide the report on what you found vulnerable in our environment, promise to never attack us again, provide proof of deletion of our files as well as your assurance that our data including that of our clients will not be sold or shared or published, and finally never mention your attack against us to any other person or organization. If we are in agreement we will purchase the bitcoin and provide an initial payment of a small amount to confirm that you received and then make a full payment.
[Akira] — — Message 42/53
> Great. We confirm the terms. Decryptors are ready. The wallet is above. Let me know when you make a test transaction.
[Victim] — — Message 43/53
> Hi friends. First payment on its way. Hash: [redacted]
[Victim] — — Message 44/53
> Are you able to confirm receipt?
[Akira] — — Message 45/53
> 0.0000387 Received.
[Victim] — — Message 46/53
> Full Payment is on the way, here is that Hash ID: [redacted]
[Akira] — — Message 47/53
> Checking. Please wait.
[Akira] — — Message 48/53
> Received.
[Akira] — — Message 49/53
> unlocker.7z // 1.77 MB
[Akira] — — Message 50/53
> unlocker.exe -p="path_to_unlock"
> unlocker.exe -s="C:\paths.txt" where "paths.txt" is a list of paths for the decryptor, each path on a new line
> ESXi commands
> 1) chmod +x unlocker
> 2) ./unlocker -p="/vmfs/volumes"
[Victim] — — Message 51/53
> Brilliant. That worked for the most part and our team is going to troubleshoot the remaining systems. As for the Vulnerability report and proof of deletion?
[Akira] — — Message 52/53
> Deletion.7z // 128 KB
[Akira] — — Message 53/53
> Initial access to your network was purchased on the dark web. Then kerberoasting was carried out and we got password hashes. Then we just bruted these and got domain admin password. Spending weeks inside of your network we've managed to detect some fails we highly recommend to eliminate:
> 1. None of your employees should open suspicious emails, suspicious links or download any files, much less run them on their computer.
> 2. Use strong passwords, change them as often as possible (1-2 times per month at least). Passwords should not match or be repeated on different resources.
> 3. Install 2FA wherever possible.
> 4. Use the latest versions of operating systems, as they are less vulnerable to attacks.
> 5. Update all software versions.
> 6. Use antivirus solutions and traffic monitoring tools.
> 7. Create a jump host for your VPN. Use unique credentials on it that differ from domain one.
> 8. Use backup software with cloud storage which supports a token key.
> 9. Instruct your employees as often as possible about online safety precautions. The most vulnerable point is the human factor and the irresponsibility of your employees, system administrators, etc.
> We wish you safety, calmness and lots of benefits in the future. Thank you for working with us and your careful attitude to your security.

Analyst Observations
