// Ransomware Negotiation Transcript
Akira Ransomware Negotiation — Redacted Organisation
// Context
About This Negotiation
This transcript documents an Akira ransomware negotiation with a redacted victim organisation. The negotiation consisted of 70 messages exchanged.
The initial ransom demand was $550,000. The final outcome is not confirmed in the transcript.
// Primary Source
Full Transcript — Verbatim
Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.
Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
> Hello. You've reached Akira support chat. Currently, we are preparing the list of data we took from your network. For now you have to know that dealing with us is the best possible way to settle this quick and cheap. Keep in touch and be patient with us. Do you have a permission to conduct a negotiation on behalf of your organization? Once we get your reply you will be provided with all the details.
> yes
> how do i fix my computer?
> Hello please wait
> hello?
> is anyone there?
> I guess I'll just shut down and reformat since you are not answering
> Wait a second.
> List.7z // 1010 KB
> These files were taken from your network prior to encryption. You can pick 2-3 random files up to 10 MB each from the list and we will upload them to this chat as a proof of possession. To prove that we can properly decrypt your data you can upload 2-3 encrypted files up to 10 MB each to our chat and we will upload decrypted copies back. We're looking through your financial papers to come up with a reasonable demand to you. We offer:
1) full decryption assistance;
2) evidence of data removal;
3) security report on vulnerabilities we found;
4) guarantees not to publish or sell your data;
5) guarantees not to attack you in the future.
Let me know whether you're interested in a whole deal or in parts. This will affect the final price.
> hello
> hi
> I need help my files are locked!
> please help me I need my files
> I needz my filez bro
> yo i need my files back
> 10/07/2020 11:10 AM 75,909 [redacted].pdf
10/07/2020 11:10 AM 20,991 [redacted].pdf
> how much money do you need
> whats your demand
> i am willing to pay
> YEAH BOIII
> I gots work due for muh classes bro, hurry up
> DO YOU ACEPT WACKY BUCKS?
> Cashapp right now bro
> my grandma moves faster than you and she's dead
> what country are you in?
> What is your Political Affiliation?
> Wait a bit.
> YOUR COUNTRY SUCKS!!!!!!
> best i can do is 2 v-bucks
> I got some Chuck E Cheese tokens if that tickles your fancy
> I cant wait any longer i am watching paint dry
> okay fine...3 v-bucks take it or leave it
> you want some robucks? pls
> I got a $19 Fornite Card, Who wants it?
> chat are we cooked?
> [redacted].exe // 1.04 MB
> my local target wont let me buy any more gift cards, how should i pay you?
> money.jpg // 33.8 KB
> go ahead open it
> hello from the other side
> WEE WOOO WEE WOO
> You're probably wondering how this is happening XD
> i'm connected to your office cameras
> i have noth korean paypal how can i pay u
> R.gif // 1.71 MB
> Ill give you to the count of five to respond
> are we doing a deal or what?
> I guess i will reflash my computer. You guys are a joke lol. I need to do it the hard way smh
> shut-up-take-my-money.gif // 1.05 MB
> do you accept tiktok coins ?
> whats your OF?
> HONSE.jpg // 24.3 KB
> is your leadership aware of the incident?
> Duh?
> We're willing to set a $550,000 price for ALL the services we offer. Let us know asap.
> Hello
> Someone uploaded this locker to an online database of malware
> You need to give the corp a new password
> Are you official negotiator of Akira or just affiliate?
> Provide the link to that database and we will provide a new chat.
> Anyways, If you have direct access to Akira leadership, add me on Tox. I may have some accesses in the future that I want to send to you, depending on the group affiliate rates. ID: [redacted]
> [REDACTED URL]
> This is the link to the database - but i'm not the corp. I am an affiliate of another group.
> If you are the official negotiator or owner of Akira, could you add my tox specified above? I would like to have contact with you in case I have an access that i want to give.
> Thank you for this information. We will contact you if necessary.
> Hello
> Hello
> I have a USA access that im exfiltrating data from now, it is $400m yearly revenue as shown on zoominfo, although other sources like wikipedia say it has a yearly revenue of $900m USD. I was wondering if you are interested in me using your service to lock the corp. Let me know if you are open to discussion.
> We are not interested. Thank you.
// Analysis
Analyst Observations
- Akira emerged in March 2023 and quickly became one of the most active ransomware groups, targeting organisations across multiple sectors globally.