// Ransomware Negotiation Transcript
Akira Ransomware Negotiation — Redacted Organisation
// Context
About This Negotiation
This transcript documents an Akira ransomware negotiation with a redacted victim organisation. The negotiation consisted of 74 messages exchanged.
The initial ransom demand was $100,000. The final outcome is not confirmed in the transcript.
// Primary Source
Full Transcript — Verbatim
Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.
Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
> hello
> hello
> hello please help ME
> hi
> is somebody there
> we are very small company...
> ??
> ???
> hemlo Mister
> Please helo please help
> is somebody there
> Hello....
> It is our existence... please please help us
> Hello
> mister
> hello
> hellooo
> akira
> team
> helooooo
> akira
> hello
> 😭😭😭😭
> hellooo
> is u there??
> hellooo
> helloooo
> helloooo
> Hello. You've reached an Akira support chat. Currently, we are preparing the list of data we took from your network. For now you have to know that dealing with us is the best possible way to settle this quick and cheap. Keep in touch and be patient with us. We will reach out to you soon.
Do you have a permission to conduct a negotiation on behalf of your organization? Once we get a response you will be provided with all the details.
> yes i am the owner of the company. Its a family business.
> we are a small company with not many people and all my family members work here. you didnt hack a big company. this situation is very bad for us and to be honest we dont have much money because work is not going good.
> PLEASE.....😭😭😭😭
> Wait for details.
> hello sir
> We didn't take your data. We are the ones who can properly decrypt your data and restore your infrastructure in a short period of time.
After payment you will receive a decryptor for each of your systems and manual on how to use it for particular file/system. If you face any problems during decryption process, we will be here to support. You will receive a security report that includes information about how we were able to penetrate your network, as well as exclusive first-hand information about the state of your network, the vulnerabilities that we found. What's more, you'll receive high-quality technical recommendations on eliminating any vulnerabilities and strengthening your network to secure your internal and external infrastructure.
You will also receive written guarantees that we will keep this conversation private, and delete this chat later. We won't come back for more money after payment and we won't attack you again. The price is $100,000. To prove that we can properly decrypt your data you can upload 2-3 encrypted files up to 10 MB each to our chat and we will upload decrypted copies back.
> 100,000$ is way too much. We as a family run business dont earn that kind of money. i wish i could pay it but there is no way we can afford that. we have already money problems right now and i can barely pay my employees salaries. you are about to destroy my families and my whole life. why do you attack a small business like us and not a big coorperation? everybody im my office is devistated and some are even crying because of this situation. the only thing i can do is please pay a maximum of 5,000$. i am sorry but i really cant afford more. please do it for my family and hard working honest employees. dont destroy our lives. we all need this company.
> PLEASE .....
> unlocker.7z // 1.24 MB
> unlocker.exe -p="path_to_unlock"
unlocker.exe -s="C:\paths.txt"
where "paths.txt" is a list of paths for the decryptor, each path on a new line
ESXi commands
1) chmod +x unlocker
2) ./unlocker -p="/vmfs/volumes"
> thx u very much ✌️✌️✌️✌️✌️
> You are welcome!
> sorry for bothering you but i am trying it the whole time but i cant make it work. can you please explain what i exactly have to do ?
> 😭😭😭😭
> You have instructions. Tell me at what stage you are having troubles.
> thx u very nuch......u are my Angel
> i can not repair the database
> Provide more details. What kind of error did you get?
> 😭😭😭😭😭😭😭😭
> we sqlserver can not attach the database
> is it normal??
> [redacted].jpg // 4.82 MB
> before decode
> before decode
> [redacted].jpg // 5.71 MB
> what gone wrong? PLEASE PLEASE HELP
> we thought the server had hung up and restarted the server. could it possibly be related to this?
> and some files is ending with arika .file
> I have a question because I am trying to fix something the whole time but I can’t. We thought that the server was down so we restarted it. Could it be possible that during that progress some files that started to be encrypted got damaged and can’t be decrypted now ? Because my most important .mdf files don’t work anymore. Could you please assist me ?
> PLEASE
> 😭😭😭😭😪😪😪
> 😭😭😭😭😭
> do u have an idea??
> ??
> Yes, the interruption of decryption process could damage files. Send me logs and I will ask my tech team.
> how u penerate our nrtwork? can u give me info please...
> Initial access to your network was purchased on the dark web.
> how can i find it?
> how it happen?
> access about email, router,client?
> how can i make beter or save?
> Thank you for your answers and patience with us
> Is there a new access, do I understand it correctly?
> You have already get decryptors for free. I've provided you with more than enough info.
> thx 🥰
// Analysis
Analyst Observations
- Akira emerged in March 2023 and quickly became one of the most active ransomware groups, targeting organisations across multiple sectors globally.