// Ransomware Negotiation Transcript
Akira Ransomware Negotiation — Redacted Organisation
// Context
About This Negotiation
This transcript documents an Akira ransomware negotiation with a redacted victim organisation. The negotiation consisted of 40 messages exchanged.
The initial ransom demand was $350,000. The victim refused to pay.
// Primary Source
Full Transcript — Verbatim
Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.
Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
> [redacted]
> Hello. You've reached Akira support chat. Currently, we are preparing the list of data we took from your network. For now you have to know that dealing with us is the best possible way to settle this quick and cheap. Keep in touch and be patient with us. Do you have a permission to conduct a negotiation on behalf of your organization? Once we get a response you will be provided with all the details.
> Yes
> Wait a bit.
> List.7z // 554 KB
> These files were taken from your network prior to encryption. You can pick 2-3 random files from the list and we will upload them to this chat as a proof of possession. To prove that we can properly decrypt your data you can upload 2-3 encrypted files to our chat and we will upload decrypted copies back.
> [redacted].pdf
> [redacted].docx
> [redacted].docx
> Files.zip // 54.1 KB
> Passing to my tech dept. Please wait.
> decrypted.7z // 22 KB
> files.7z // 538 KB
> So, we've gone through your files to define your financial abilities. We've been looking through your bank statements, net income, cyber liability limits, financial audits - all the info that might help us calculate our demand to you. We're willing to set a $350,000 price for ALL the services we offer: 1) full decryption assistance;
2) evidence of data removal;
3) security report on vulnerabilities we found;
4) guarantees not to publish or sell your data;
5) guarantees not to attack you in the future. Let me know whether you're interested in a whole deal or in parts. This will affect the final price.
> We are interested in parts. Can you detail the price on every service?
> 1) full decryption assistance - $250,000;
2) evidence of data removal - $150,000;
3) security report on vulnerabilities we found - $25,000;
4) guarantees are included to each of the above options.
> The amount requested by you is exaggerated. The amount requested by you is half of the company's profit for the whole year. If we refer to the encrypted data, it can be recovered by manually restoring the databases, something that certainly costs less than $250,000 - the cost of total decryption. We are still willing to negotiate, but with a much smaller amount. The maximum we can offer is $50,000, but we cannot pay the amount in full, but in installments, because we cannot legally remove this amount from the accounting. Our proposal is to divide this amount into 10 packages, and you decrypt packages of files for us. We pay in advance for each package.
> We will never accept your terms, so we can end this right now. You can go back and forth but we will never be lower than 230k for the full package. The first option is $140,000 and it is the bottom line. We accept payments in full, so you can transfer funds to your broker in parts.
> How will we pay?
> what is the bank account?
> We accept payments in bitcoins. Once we agree on the price, I'll provide you our wallet ID.
> The board has agreed to a 100.000 euro payment
> This is for full decryption
> We can do it in one payment
> ok. We are ready to close the deal at $120,000. I am pretty sure you can add a bit to your current offer and make a transaction that will satisfy both parties. Here is our BTC wallet [redacted] Please let me know how soon can we expect the transfer.
> Hello. Are you going to finish the deal with us?
> Hello! We are processing the request with the Financial Department and Legal
> How long should we wait?
> We have made a test transaction. The board is reluctant to this type of payment. Now we wait for confirmation of the payment.
> 0.00430313 received. You can proceed with the full amount.
> What's your progress?
> Economic department issues
> How soon can we expect the rest?
> I am waiting for an update from you today.
> It seems the board doesn't trust to pay the money
> Can you please explain? Are we going to have a deal? You've already sent us the test payment.
> The board came to the conclusion that we have no warranty that we will get our data back. The risk of not getting anything vs. the amount that we have to pay.
> We've proven that we can decrypt the files and after payment we can give you back the files we took from your network. Our initial demand has been decreased significantly and now you are saying that there is a risk. Did I understand you right that this is your final decision and there will be no deal with you?
> I'm sorry. It is not my decision
> OK Thanks for the information. We will announce this incident on our blog and your data will be uploaded there as well.
// Analysis
Analyst Observations
- The victim explicitly refused to pay. This is a definitive outcome that typically results in data publication.
- Akira emerged in March 2023 and quickly became one of the most active ransomware groups, targeting organisations across multiple sectors globally.