// Context
About This Negotiation
This transcript documents a Akira ransomware negotiation with a redacted victim organisation.
The negotiation consisted of 39 messages exchanged over Unknown.
The initial ransom demand was $850,000. The negotiation resulted in a confirmed payment.
// Primary Source
Full Transcript — Verbatim
Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.
Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at
enquiries@binary-response.com — we will act promptly.
[Victim] — — Message 1/39
> Hello, we found notes on our systems and can’t get into our files. The text file said to download this browser and contact someone at this link. What is going on and how do we get our data and systems back up and going?
[Akira] — — Message 2/39
> Hello. You've reached an Akira support chat. Currently, we are preparing the list of data we took from your network. For now you have to know that dealing with us is the best possible way to settle this quick and cheap. Keep in touch and be patient with us. We will reach out to you soon. Do you have a permission to conduct a negotiation on behalf of your organization? Once we get a response you will be provided with all the details.
[Victim] — — Message 3/39
> Yes, I have permission to speak with you from our leadership. Please provide us with the details when you have a chance.
[Akira] — — Message 4/39
> List.rar // 104 KB
[Akira] — — Message 5/39
> These files were taken from your network prior to encryption. You can pick 2-3 random files up to 10 MB each from the list and we will upload them to this chat as a proof of possession. To prove that we can properly decrypt your data you can upload 2-3 encrypted files up to 10 MB each to our chat and we will upload decrypted copies back. We're looking through your financial papers to come up with a reasonable demand to you. We offer: 1) full decryption assistance;
2) evidence of data removal;
3) security report on vulnerabilities we found;
4) guarantees not to publish or sell your data;
5) guarantees not to attack you in the future. Let me know whether you're interested in a whole deal or in parts. This will affect the final price.
[Victim] — — Message 6/39
> We have reviewed the file listing you sent and we'd like to request the following files be sent to us:
[Victim] — — Message 7/39
> D:\DATA\[redacted].com\[redacted].xlsx
[Victim] — — Message 8/39
> D:\DATA\[redacted].com\[redacted].xlsx
[Victim] — — Message 9/39
> D:\DATA\[redacted].com\[redacted].txt
[Akira] — — Message 10/39
> Please wait.
[Akira] — — Message 11/39
> Files.rar // 14.6 KB
[Akira] — — Message 12/39
> Here are the files. Do you want to test our decryption tool?
[Akira] — — Message 13/39
> Are you going to work with us?
[Akira] — — Message 14/39
> You have 24 hours to give us your decision regarding this deal. If you stay silent, we will announce the breach on our blog.
[Victim] — — Message 15/39
> Hello, we are wanting to get this to some sort of resolution, but I don't see where you've even asked for anything yet. Can you provide us with that and please stop sending emails out to employees? We will communicate with you here and only here.
[Akira] — — Message 16/39
> We're willing to set a $850,000 price for ALL the services we offer. We accept payments in BTC. To gain bitcoins you need to go to any exchange platform as binance or coinbase. Here are the guides: [REDACTED URL]
[REDACTED URL] You also can buy bitcoin from any local brokers. If you withdraw funds from your bank account, then you have to inform the bank that you need this money for investment purposes only. If you need to test our decryption tool, today is the your last chance to provide encrypted files.
[Victim] — — Message 17/39
> Okay, we do not have anywhere near that amount, and our executive team wants to know that you can actually fix our servers and files if we pay you. How do we send you files?
[Akira] — — Message 18/39
> The price is justified. To prove that we can properly decrypt your data you can upload 2-3 encrypted files up to 10 MB each to our chat and we will upload decrypted copies back.
[Victim] — — Message 19/39
> Okay, the files are attached.
[Victim] — — Message 20/39
> [redacted].xml.akira // 3.67 KB
[Victim] — — Message 21/39
> [redacted].ps1.akira // 805 Bytes
[Victim] — — Message 22/39
> [redacted].txt.akira // 13.9 KB
[Akira] — — Message 23/39
> Please wait.
[Akira] — — Message 24/39
> Decrypted.7z // 5 KB
[Akira] — — Message 25/39
> Here are the files. Are you ready to proceed with payment?
[Victim] — — Message 26/39
> Okay, whats your bottom dollar? We want to move on from this.
[Akira] — — Message 27/39
> We've already provided the price. It is $850,000. Are you interested in the whole deal?
[Victim] — — Message 28/39
> What do you mean by whole deal? We cannot afford anywhere near this 850k amount you’ve asked for. If you have better pricing for various parts of the whole deal, I can take it to our next meeting.
[Akira] — — Message 29/39
> 1) Full decryption assistance $600,000;
2) evidence of data removal $350,000;
3) security report on vulnerabilities we found $35,000;
Guarantees are included to the option 2.
It looks like our negotiations are dragging on. Let us know your decision asap, as we need to close the case.
[Akira] — — Message 30/39
> What's your decision?
[Victim] — — Message 31/39
> Okay, we've set up a board meeting for Monday afternoon. It's the earliest we could get everyone together because of the holiday weekend. We want to work with you to have our data deleted, and ask if that is your best price for that? The 350,000 is a lot of money and we highly doubt the Board will go for that. What is the lowest price you'll accept for our data removal, to make our meeting easier to facilitate.
[Akira] — — Message 32/39
> This is the lowest. Show the list of files to your board. That will force them to make the right decision. Also tell them that the files we took, will be published on darknet, if they refuse to pay what we ask.
[Akira] — — Message 33/39
> Decisions?
[Victim] — — Message 34/39
> Management made it clear during the Board meeting yesterday that 350,000 is way above our threshold to pay. Our CEO is aware of a larger company run by a good friend which had the same issue last year, and the settled for $20,000 for what you call the whole deal. So to just delete our data, the expectation is it shouldn't even be that high. If we could do the whole deal for 20,000, we could probably close it this week - if we could figure out how to buy and send bitcoin.
[Akira] — — Message 35/39
> This friend seems to be trying to eliminate a competitor. We will not accept this offer and will make an announcement of the incident soon. If you receive an advice from another friend, please let us know asap.
[Victim] — — Message 36/39
> You didn’t acknowledge the 20,000 we have on hand to pay you. Will you accept this? Otherwise we need you to work with us, we cannot come anywhere close to the amount you are demanding.
[Akira] — — Message 37/39
> We're not going to discuss 5 figure sums. Don't waste our time.
[Victim] — — Message 38/39
> Well, we do not have funds to get to your number. We need you to work with us in realistic amounts that can be achieved. If you actually want to reach an agreement.
[Akira] — — Message 39/39
> $290,000 for the option 2 is the best what we can do. Let us know today, if you are interested. Otherwise, we will have to cancel the deal.