Akira Ransomware Negotiation — Redacted Organisation

Messages: 65
Duration: Unknown
Initial Demand: $600,000
Outcome: Paid

About This Negotiation

This transcript documents an Akira ransomware negotiation with a redacted victim organisation. The negotiation consisted of 65 messages exchanged over an unknown duration.

The initial ransom demand was $600,000. The negotiation resulted in a confirmed payment.

Full Transcript — Verbatim

Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.

Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
[Victim] — — Message 1/65
> hi how much for decryption?
[Akira] — — Message 2/65
> Hello. You've reached an Akira support chat. Currently, we are preparing the list of data we took from your network. For now you have to know that dealing with us is the best possible way to settle this quick and cheap. Keep in touch and be patient with us. We will reach out to you soon. Do you have permission to conduct a negotiation on behalf of your organization? Once we get a response you will be provided with all the details.
[Victim] — — Message 3/65
> yes
[Akira] — — Message 4/65
> List.7z // 141 KB
[Akira] — — Message 5/65
> These files were taken from your network prior to encryption. You can pick 2-3 random files up to 10 MB each from the list and we will upload them to this chat as a proof of possession. To prove that we can properly decrypt your data you can upload 2-3 encrypted files up to 10 MB each to our chat and we will upload decrypted copies back. We're looking through your financial papers to come up with a reasonable demand to you. We offer: 1) full decryption assistance; 2) evidence of data removal; 3) security report on vulnerabilities we found; 4) guarantees not to publish or sell your data; 5) guarantees not to attack you in the future. Let me know whether you're interested in a whole deal or in parts. This will affect the final price.
[Victim] — — Message 6/65
> we need the decryptor. evidence of data removal, and guarantee to not publish or sell data
[Akira] — — Message 7/65
> We will let you know the price soon.
[Akira] — — Message 8/65
> We're willing to set a $600,000 price for ALL the services we offer. We accept payments in BTC. To gain bitcoins you need to go to any exchange platform such as binance or coinbase. Here are the guides: [REDACTED URL] [REDACTED URL] You also can buy bitcoin from any local brokers. If you withdraw funds from your bank account, then you have to inform the bank that you need this money for investment purposes only. Do you have any file requests?
[Akira] — — Message 9/65
> Are you going to work with us?
[Victim] — — Message 10/65
> yes. the VMs are encrypted so hard time to get to the file to provide sample.
[Victim] — — Message 11/65
> can we give you a directory and file name and you can provide the file as proof of possession?
[Akira] — — Message 12/65
> Yes, please do asap.
[Victim] — — Message 13/65
> yes, the team is looking at the list to pick out file to show proof of possession.
[Akira] — — Message 14/65
> Any success?
[Victim] — — Message 15/65
> yes, they are sending directories to me soon and i will send to you.
[Victim] — — Message 16/65
> F:\[redacted].com\unpack\[redacted].docx
[Victim] — — Message 17/65
> F:\[redacted].com\unpack\[redacted].pdf
[Victim] — — Message 18/65
> F:\[redacted].com\unpack\[redacted].csv
[Victim] — — Message 19/65
> F:\[redacted].com\unpack\[redacted].html
[Victim] — — Message 20/65
> hello? we are ready to work with you for payment.
[Akira] — — Message 21/65
> files.rar // 214 KB
[Akira] — — Message 22/65
> You can review. Do you want to test our decryption tool before payment?
[Victim] — — Message 23/65
> yes, can we test the decryption tool?
[Akira] — — Message 24/65
> Sure. Provide the files today.
[Akira] — — Message 25/65
> Hello. Have you managed to gather files?
[Victim] — — Message 26/65
> sorry. this site was offline for a while
[Akira] — — Message 27/65
> Now it is on. Where are the files?
[Victim] — — Message 28/65
> how much for just evidence of data deletion and not leaking data?
[Victim] — — Message 29/65
> we will pay
[Akira] — — Message 30/65
> $320,000 for the rest options.
[Victim] — — Message 31/65
> No cyber insurance. Can you work with us? can we do $35,000? We can get you paid today if so.
[Akira] — — Message 32/65
> No. You have to be serious. $35,000 won't work at all. Please reconsider asap.
[Victim] — — Message 33/65
> yea. just evidence of deletion and not leaking data. what about $95000?
[Akira] — — Message 34/65
> $260,000 if you pay today.
[Victim] — — Message 35/65
> we can do $155,000 today.
[Akira] — — Message 36/65
> $220,000 today. Here is our BTC wallet [redacted]. Let us know when you are ready to make payment.
[Victim] — — Message 37/65
> we can't do 220K. we're already losing business because you encrypted us and we are shut down. let's get you paid. $160,000 today.
[Akira] — — Message 38/65
> Don't tell us stories. $200,000 is the lowest we can accept. Take it or leave it.
[Victim] — — Message 39/65
> it's the truth but we want this over with. let's meet in the middle at $180k. say yes and we are sending to [redacted]
[Akira] — — Message 40/65
> Guys, we've already reduced the price significantly. $200,000 is the lowest possible.
[Victim] — — Message 41/65
> yes and we appreciate it. let me check to make sure we can do that.
[Victim] — — Message 42/65
> ok. we are buying the BTC to send over.
[Akira] — — Message 43/65
> What's your progress?
[Victim] — — Message 44/65
> we'll have it today. delay with bank. we will let you know when we are sending. we will first send a smaller amount to confirm receipt.
[Akira] — — Message 45/65
> Standing by. Thank you.
[Victim] — — Message 46/65
> still waiting on bank. thank you for your patience
[Akira] — — Message 47/65
> Waiting.
[Victim] — — Message 48/65
> yep we are still waiting on bank transfers to complete
[Akira] — — Message 49/65
> Keep us posted.
[Victim] — — Message 50/65
> will do. still waiting on bank
[Akira] — — Message 51/65
> Any success?
[Victim] — — Message 52/65
> yea, we have the money. purchasing BTC now. can you resend your wallet again? we will send $500 first to make sure you get it. then we will send the rest.
[Victim] — — Message 53/65
> $500 sent to [redacted]. Confirm receipt.
[Akira] — — Message 54/65
> 0.005 received. You can proceed with the full amount.
[Victim] — — Message 55/65
> how will you provide evidence of data deletion?
[Victim] — — Message 56/65
> can we get video evidence of data deletion?
[Akira] — — Message 57/65
> You will receive a deletion log which means the raid drives that contained the only copy of your data are fully formatted and erased.
[Victim] — — Message 58/65
> and guarantee that no data is leaked?
[Akira] — — Message 59/65
> Sure. Guarantees will be provided as well. Are you going to send the rest?
[Victim] — — Message 60/65
> yes, sending now.
[Victim] — — Message 61/65
> the send is under review.
[Victim] — — Message 62/65
> rest of the money has been sent over. please provide deletion logs.
[Akira] — — Message 63/65
> Received. Please wait.
[Akira] — — Message 64/65
> Deletion.7z // 316 KB
[Akira] — — Message 65/65
> Initial access to your network was purchased on the dark web. Then kerberoasting was carried out and we got password hashes. Then we just bruted these and got domain admin password. Spending weeks inside of your network we've managed to detect some fails we highly recommend to eliminate: 1. None of your employees should open suspicious emails, suspicious links or download any files, much less run them on their computer. 2. Use strong passwords, change them as often as possible (1-2 times per month at least). Passwords should not match or be repeated on different resources. 3. Install 2FA wherever possible. 4. Use the latest versions of operating systems, as they are less vulnerable to attacks. 5. Update all software versions. 6. Use antivirus solutions and traffic monitoring tools. 7. Create a jump host for your VPN. Use unique credentials on it that differ from the domain ones. 8. Use backup software with cloud storage which supports a token key. 9. Instruct your employees as often as possible about online safety precautions. The most vulnerable point is the human factor and the irresponsibility of your employees, system administrators, etc. We wish you safety, calmness and lots of benefits in the future. Thank you for working with us and your careful attitude to your security.

Analyst Observations

Facing a Ransomware Demand?

Whether you choose to negotiate or refuse — having specialists in the room changes the outcome.