// Ransomware Negotiation Transcript
Akira Ransomware Negotiation — Redacted Organisation
// Context
About This Negotiation
This transcript documents a Akira ransomware negotiation with a redacted victim organisation. The negotiation consisted of 43 messages exchanged.
The initial ransom demand was $350,000. The negotiation resulted in a confirmed payment.
// Primary Source
Full Transcript — Verbatim
Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.
Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
> hi
> hi
> hi
> anybody out there?
> hello?
> Hello. You've reached an Akira support chat. Currently, we are preparing the list of data we took from your network. For now you have to know that dealing with us is the best possible way to settle this quick and cheap. Keep in touch and be patient with us. We will reach out to you soon.
Do you have a permission to conduct a negotiation on behalf of your organization? Once we get a response you will be provided with all the details.
> nobody seems to be there, we will come back later
> Do you see our messages?
> hi there, got another tor browser, now I see your messages
> yes, I have a permission to negotiate on behalf of my organization
> Please wait for details.
> hello?
> I can't see any message after your "Do you see our messages?"
> I will come back to check new messages
> hello?
> Can you see my message?
> yes
> now I see "Can you see my message?", but I had to log out and log in again
> it seems that I don't get an update in the chat directly
> we will come back later as "please wait" seems to be a bit longer
> List.rar // 2.48 MB
> These files were taken from your network prior to encryption. You can pick 2-3 random files from the list and we will upload them to this chat as a proof of possession. To prove that we can properly decrypt your data you can upload 2-3 encrypted files to our chat and we will upload decrypted copies back.
> I got the list and will check which files we want to see as prove of possession
> Standing by.
> we would like to see the following 3 files:
> D:\[redacted].log
> D:\[redacted].refs
> D:\[redacted].png
> Please wait.
> Take your time, I will come back on monday
> hi there, back again and ready to receive your files
> The files will be uploaded shortly.
> files.rar // 19.6 KB
> Please review. Give me encrypted files asap, if you want to test our decryption tool.
> got your files and check them, will come back with encrypted files asap
> We are standing by to the files.
> [redacted].akira // 21.6 KB
> uploaded the one file to test the decryption tool
> [redacted] // 21.1 KB
> ok, matches, so: what next?
> So, we've gone through your files to define your financial abilities. We've been looking through your bank statements, net income, cyber liability limits, financial audits - all the info that might help us to calculate our demand to you. We're willing to set a $350,000 price for ALL the services we offer:
1) full decryption assistance;
2) evidence of data removal;
3) security report on vulnerabilities we found;
4) guarantees not to publish or sell your data;
5) guarantees not to attack you in the future.
Let me know whether you're interested in a whole deal or in parts. This will affect the final price.
> We decline and will not pay anything. This conversion is over.
> OK. Thank you for the information.
// Analysis
Analyst Observations
- The final settlement represented a 0% reduction from the initial demand — a moderate reduction.
- Akira emerged in March 2023 and quickly became one of the most active ransomware groups, targeting organisations across multiple sectors globally.
- → Akira threat actor profile — TTPs, ransom demands, and active campaigns.