Akira Ransomware Negotiation — Redacted Organisation

Messages: 34
Duration: Unknown
Initial Demand: $400,000
Outcome: Paid

About This Negotiation

This transcript documents an Akira ransomware negotiation with a redacted victim organisation. The negotiation consisted of 34 messages exchanged over an unknown duration.

The initial ransom demand was $400,000. The negotiation resulted in a confirmed payment.

Full Transcript — Verbatim

Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.

Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
[Victim] — — Message 1/34
> Hello, we found your note
[Akira] — — Message 2/34
> Hello. You've reached an Akira support chat. Currently, we are preparing the list of data we took from your network. For now you have to know that dealing with us is the best possible way to settle this quick and cheap. Keep in touch and be patient with us. We will reach out to you soon. Do you have a permission to conduct a negotiation on behalf of your organization? Once we get a response you will be provided with all the details.
[Victim] — — Message 3/34
> yes
[Akira] — — Message 4/34
> List.7z // 346 KB
[Akira] — — Message 5/34
> These files were taken from your network prior to encryption. You can pick 2-3 random files up to 10mb size from the list and we will upload them to this chat as a proof of possession. To prove that we can properly decrypt your data you can upload 2-3 encrypted files up to 10mb size to our chat and we will upload decrypted copies back.
[Victim] — — Message 6/34
> Directory of C:\DATA\[redacted].doc
> Directory of C:\DATA\[redacted].xlsx
> Directory of C:\DATA\[redacted].doc
> Directory of C:\DATA\[redacted].xls
> Directory of C:\DATA\[redacted].xlsx
[Akira] — — Message 7/34
> files (7).rar // 1.5 MB
[Akira] — — Message 8/34
> Please review the files. Do you want to test our tool?
[Victim] — — Message 9/34
> Can you please decrypt these files for us?
[Victim] — — Message 10/34
> files.rar // 5.1 MB
[Akira] — — Message 11/34
> The archive is corrupted. Please reupload asap.
[Victim] — — Message 12/34
> files.rar // 5.1 MB
[Akira] — — Message 13/34
> Same thing. Could you please upload the files one at a time?
[Akira] — — Message 14/34
> We are waiting for the files today.
[Victim] — — Message 15/34
> [redacted].ini.akira // 82.3 KB
[Victim] — — Message 16/34
> [redacted].ocx.akira // 830 KB
[Victim] — — Message 17/34
> [redacted].DAT.akira // 587 KB
[Victim] — — Message 18/34
> [redacted].VD7.akira // 2.76 MB
[Victim] — — Message 19/34
> [redacted].mdb.akira // 4.09 MB
[Akira] — — Message 20/34
> decrypted.7z // 4.99 MB
[Akira] — — Message 21/34
> You can review the files.
[Victim] — — Message 22/34
> Thank you for providing us with the decrypted files. How do we go about getting the rest of our files decrypted?
[Akira] — — Message 23/34
> We will give you our decryption tool after payment. You will recover your systems within 24 hours.
[Victim] — — Message 24/34
> How much does the decryption tool cost?
[Akira] — — Message 25/34
> 1) full decryption assistance $275,000; 2) evidence of data removal $200,000; 3) security report on vulnerabilities we found $35,000; Guarantees are included. The full deal is $400,000.
[Victim] — — Message 26/34
> We are interested in the decryption tool and can pay quickly, but we cannot offer what you are asking. What type of discount can you offer to help speed up this process?
[Akira] — — Message 27/34
> Sure. $250,000 if you make payment within 48 hours.
[Victim] — — Message 28/34
> $250,000 for the full deal, correct?
[Akira] — — Message 29/34
> $250,000 is the discounted price for the tool. If you want the full deal and are ready to pay within 48 hours, we can accept $350,000.
[Victim] — — Message 30/34
> Can you please provide instructions for payment
[Akira] — — Message 31/34
> We accept bitcoins. To gain bitcoins you have to go to any exchange platform as binance or coinbase. Here are the guides: [REDACTED URL] [REDACTED URL] You also can buy bitcoin from any local brokers. If you withdraw funds from your bank account, then you have to inform the bank that you need this money for investment purposes only. Here is our BTC wallet ID for payment: [redacted]
[Victim] — — Message 32/34
> payment was just sent, can you please confirm
[Akira] — — Message 33/34
> unlockers.7z // 2.1 MB
[Akira] — — Message 34/34
> unlocker.exe -p="path_to_unlock"
> unlocker.exe -s="C:\paths.txt"
> where "paths.txt" is a list of paths for the decryptor, each path on a new line
> ESXi commands
> 1) chmod +x unlocker
> 2) ./unlocker -p="/vmfs/volumes"
