// Context
About This Negotiation
This transcript documents a Akira ransomware negotiation with a redacted victim organisation.
The negotiation consisted of 44 messages exchanged over Unknown.
The initial ransom demand was $750,000. The negotiation resulted in a confirmed payment.
// Primary Source
Full Transcript — Verbatim
Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.
Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at
enquiries@binary-response.com — we will act promptly.
[Akira] — — Message 1/44
> Hello. You've reached Akira support chat. Currently, we are preparing the list of data we took from your network. For now you have to know that dealing with us is the best possible way to settle this quick and cheap. Keep in touch and be patient with us. Do you have a permission to conduct a negotiation on behalf of your organization? Once we get your reply you will be provided with all the details.
[Akira] — — Message 2/44
> Are you going to work with us?
[Victim] — — Message 3/44
> yes, have permission and will wait for list of data taken. can you tell us the price in the meantime?
[Akira] — — Message 4/44
> Hello. You've reached Akira support chat. Currently, we are preparing the list of data we took from your network. For now you have to know that dealing with us is the best possible way to settle this quick and cheap. Keep in touch and be patient with us. Do you have a permission to conduct a negotiation on behalf of your organization? Once we get your reply you will be provided with all the details.
[Victim] — — Message 5/44
> i have permission
[Akira] — — Message 6/44
> List.7z // 119 KB
[Akira] — — Message 7/44
> These files were taken from your network prior to encryption. You can pick 2-3 random files up to 10 MB each from the list and we will upload them to this chat as a proof of possession. To prove that we can properly decrypt your data you can upload 2-3 encrypted files up to 10 MB each to our chat and we will upload decrypted copies back. We're looking through your financial papers to come up with a reasonable demand to you. We offer: 1) full decryption assistance;
2) evidence of data removal;
3) security report on vulnerabilities we found;
4) guarantees not to publish or sell your data;
5) guarantees not to attack you in the future. Let me know whether you're interested in a whole deal or in parts. This will affect the final price.
[Victim] — — Message 8/44
> i want the package
[Akira] — — Message 9/44
> The full package is $750,000. Do you want to test our decryption tool?
[Akira] — — Message 10/44
> You have 24 hours to give us your decision regarding this deal. If you stay silent, we will announce the breach on our blog.
[Victim] — — Message 11/44
> We are reviewing the file list and have a few files we would like you to provide as proof of possession
[Victim] — — Message 12/44
> E:\[redacted].com\unpacked\[redacted].png
[Victim] — — Message 13/44
> E:\[redacted].com\unpacked\[redacted].pdf
[Victim] — — Message 14/44
> Please stop the harrassing emails please
[Akira] — — Message 15/44
> files.rar // 113 KB
[Akira] — — Message 16/44
> If you need to test our tool, send the files today.
[Victim] — — Message 17/44
> We are working on our side to evaluate your proposal
[Akira] — — Message 18/44
> We are waiting for your decision today.
[Akira] — — Message 19/44
> Do you really think we will wait forever?
[Victim] — — Message 20/44
> we are working as fast as we can. Remove item 1 and let's know the update proposal and we will start to move quicker
[Akira] — — Message 21/44
> $400,000 for the options 2-5. We are waiting your reply today.
[Victim] — — Message 22/44
> today and a deal at 72,500. take away item 3 as well.
[Akira] — — Message 23/44
> If you take away item 3, we are decrease the price to $340,000. 5 figure amount cannot be considered. Make a reduction asap.
[Victim] — — Message 24/44
> We appreciate the further discounts, but 340,000 is not reasonable. We are ready to step forward further at your six figure ask of 101,500.
[Akira] — — Message 25/44
> $300,000 if you pay by Monday. Hurry up.
[Victim] — — Message 26/44
> We are ready to hurry up but 300,000 is still a tall number for us.
[Akira] — — Message 27/44
> You still have time. Do your best.
[Victim] — — Message 28/44
> we are working on our end but that number is still to high for consideration. The partners can step forward at 138,500
[Akira] — — Message 29/44
> $285,000 and we close this.
[Victim] — — Message 30/44
> our numbers are still far apart to get to closure. 151,500 and close this
[Akira] — — Message 31/44
> $265,000. Let's end this as we are about to announce the incident.
[Victim] — — Message 32/44
> No need for threats as we are trying to get to an agreeable solution. We are 105,000 apart. What is your solution
[Akira] — — Message 33/44
> The solution is that you gather the rest and we have a deal. We are waiting to end this today.
[Victim] — — Message 34/44
> Gathering the full funds is problematic. But we will make one more step at 169,600
[Akira] — — Message 35/44
> We're willing to take the same step and come down to $240,000. We're losing interest guys.
[Victim] — — Message 36/44
> Can we end this at 201,500 that should make all parties happy
[Akira] — — Message 37/44
> $225,000 will make us all happy. Here is our BTC wallet [redacted]. Let us know when can we expect the transfer.
[Victim] — — Message 38/44
> coin has been sent
[Victim] — — Message 39/44
> please provide us the materials
[Akira] — — Message 40/44
> unlockers.7z // 2.1 MB
[Akira] — — Message 41/44
> unlocker.exe -p="path_to_unlock"
unlocker.exe -s="C:\paths.txt"
where "paths.txt" is a list of paths for the decryptor, each path on a new line
ESXi commands
1) chmod +x unlocker
2) ./unlocker -p="/vmfs/volumes"
[Victim] — — Message 42/44
> thank you, received. please let us know when to expect evidence of data removal
[Akira] — — Message 43/44
> Should be provided soon.
[Akira] — — Message 44/44
> Deletion.7z // 69.9 KB