Avos Ransomware Negotiation — Redacted Organisation

Messages: 86
Duration: Unknown
Initial Demand: Unknown
Outcome: Paid

About This Negotiation

This transcript documents an Avos ransomware negotiation with a redacted victim organisation. The negotiation consisted of 86 messages exchanged over an unknown duration.

The initial demand is not clearly stated in the transcript. The negotiation resulted in a confirmed payment.

Full Transcript — Verbatim

Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.

Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
[Avos] — — Message 1/86
As you are an enterprise client of ours, we will provide you with customer support throughout the process. You may use this chat to get in contact with us.
[Victim] — Fri, 03 Sep 2021 00:30:38 GMT — Message 2/86
hello! you encrypted our files. I do not have any image files that are encrypted how can I upload a different file type? can you also tell me what files you take? can I see some samples and a list?
[Avos] — Fri, 03 Sep 2021 00:31:11 GMT — Message 3/86
I'll ask all that to the affiliate in question.
[Avos] — Fri, 03 Sep 2021 00:32:38 GMT — Message 4/86
Are we still connected?
[Victim] — Fri, 03 Sep 2021 00:33:06 GMT — Message 5/86
can you increase our clock as long as we are discussing? The clock will run out on the weekend and even if we agree, we cannot do anything on the weekend because all banks are closed. This is a long weekend (Labor Day) in both the USA and Canada, so no banks until Tuesday next week. Appreciate you working with us to reach an agreement.
[Victim] — Fri, 03 Sep 2021 00:33:21 GMT — Message 6/86
the site seems to disconnect me
[Avos] — Fri, 03 Sep 2021 00:34:25 GMT — Message 7/86
Disconnect you how? Yeah, I'll set your deadline on Friday next week.
[Victim] — Fri, 03 Sep 2021 00:34:51 GMT — Message 8/86
I tried to enter another message and it did not work I had to reload the whole page
[Avos] — Fri, 03 Sep 2021 00:36:06 GMT — Message 9/86
Just give it a couple seconds, the website can be slow at times
[Avos] — Fri, 03 Sep 2021 00:37:02 GMT — Message 10/86
I can't reach the affiliate responsible for the attack at the moment. I did tell him to provide you with a sample or list of the files exfiltrated. They'll reply here when they're back.
[Victim] — Fri, 03 Sep 2021 00:37:52 GMT — Message 11/86
ok friend I will come back tomorrow very late here too
[Victim] — Fri, 03 Sep 2021 00:38:15 GMT — Message 12/86
please update the time because no way we can hit the deadline thank you
[Avos] — Fri, 03 Sep 2021 00:38:15 GMT — Message 13/86
Sure, good night.
[Avos] — Fri, 03 Sep 2021 00:38:39 GMT — Message 14/86
Yeah don't worry about that, your new deadline's set at Friday next week
[Victim] — Fri, 03 Sep 2021 00:39:08 GMT — Message 15/86
appreciated. I will remain connected but may not reply.
[Avos] — Fri, 03 Sep 2021 12:45:37 GMT — Message 16/86
I can't contact the affiliate in question. They seem to be unavailable at the time. I won't be able to provide you information on the data taken. I, however, can provide you the decryption keys if you do pay for it.
[Victim] — Fri, 03 Sep 2021 15:16:40 GMT — Message 17/86
Hi I tried to upload an image and I am not seeing success in decryption.
[Victim] — Fri, 03 Sep 2021 15:17:26 GMT — Message 18/86
I cannot find image and less than 1mb to test decrypt. what to do?
[Avos] — Fri, 03 Sep 2021 15:17:40 GMT — Message 19/86
Are the extensions appended to the encrypted files ".avos2"?
[Victim] — Fri, 03 Sep 2021 15:18:03 GMT — Message 20/86
yes
[Victim] — Fri, 03 Sep 2021 15:18:14 GMT — Message 21/86
actually the file is only 111kb
[Victim] — Fri, 03 Sep 2021 15:18:39 GMT — Message 22/86
is there email I can send it to?
[Avos] — Fri, 03 Sep 2021 15:18:49 GMT — Message 23/86
Avos2 came out recently and we can't provide test decryptions on our website for it at the moment.
[Victim] — Fri, 03 Sep 2021 15:19:32 GMT — Message 24/86
ok so what do we do here? you cannot contact affiliate, you cannot decrypt the files. What are we doing?
[Avos] — Fri, 03 Sep 2021 15:19:37 GMT — Message 25/86
You can create an archive with a couple of files and upload them to [REDACTED URL]
[Victim] — Fri, 03 Sep 2021 15:20:47 GMT — Message 26/86
ok please wait
[Avos] — Fri, 03 Sep 2021 15:20:52 GMT — Message 27/86
Then I can manually decrypt the files for you. We can decrypt .avos2, however the website can't at the moment.
[Avos] — Fri, 03 Sep 2021 15:21:57 GMT — Message 28/86
This is because both the encryption/decryption are first built and tested in Windows, THEN this encryption algorithm is ported to our web services.
[Victim] — Fri, 03 Sep 2021 15:23:20 GMT — Message 29/86
[REDACTED URL]
[Victim] — Fri, 03 Sep 2021 15:23:38 GMT — Message 30/86
can you confirm it works?
[Avos] — Fri, 03 Sep 2021 15:24:05 GMT — Message 31/86
You are supposed to copy the URL in your browser instead of copying the link from the download button.
[Avos] — Fri, 03 Sep 2021 15:37:01 GMT — Message 32/86
Hello? The link doesn't work
[Victim] — Sat, 04 Sep 2021 00:36:24 GMT — Message 33/86
ok
[Victim] — Sat, 04 Sep 2021 00:36:39 GMT — Message 34/86
did you find the affiliate?
[Victim] — Sat, 04 Sep 2021 00:37:20 GMT — Message 35/86
[REDACTED URL]
[Avos] — Sat, 04 Sep 2021 09:53:46 GMT — Message 36/86
Your link doesn't work, again.
[Avos] — Sat, 04 Sep 2021 09:54:08 GMT — Message 37/86
Please test and verify that it works BEFORE sending it to me.
[Avos] — Sat, 04 Sep 2021 09:54:28 GMT — Message 38/86
[REDACTED URL]
[Victim] — Sat, 04 Sep 2021 18:01:11 GMT — Message 39/86
[REDACTED URL]
[Avos] — Sat, 04 Sep 2021 18:09:27 GMT — Message 40/86
Please upload it to one of the websites I've told you to. We can't download from Gofile.
[Victim] — Sun, 05 Sep 2021 16:58:31 GMT — Message 41/86
[REDACTED URL]
[Avos] — Mon, 06 Sep 2021 14:15:08 GMT — Message 42/86
We've downloaded the data. Please allow us some time to process it
[Avos] — Mon, 06 Sep 2021 14:30:44 GMT — Message 43/86
I decrypted the PNG files. [REDACTED URL]
[Avos] — Tue, 07 Sep 2021 08:44:55 GMT — Message 44/86
Hello. We think it's time to finalize your negotiations. Please let us know how you wish to proceed with payment.
[Victim] — Tue, 07 Sep 2021 13:02:11 GMT — Message 45/86
I would like to see what files you took
[Avos] — Tue, 07 Sep 2021 13:25:04 GMT — Message 46/86
You can see the files in a few days if we have to publish samples on the blog. We will not provide anything else at this stage.
[Victim] — Tue, 07 Sep 2021 13:30:37 GMT — Message 47/86
well, if you prefer to simply be aggressive we would never be able to reach a level of trust. You are asking for a lot of money, we need to assess what data you took. Show me some list or indication that I can take to management. goodwill will go a long way.
[Victim] — Tue, 07 Sep 2021 13:31:16 GMT — Message 48/86
if you publish we will disconnect and put the money to protect any individuals with credit monitoring. I think working together is preferred.
[Avos] — Tue, 07 Sep 2021 13:32:08 GMT — Message 49/86
As staff, we can guarantee that whatever data the affiliate has taken will be erased, and the decryption keys will be delivered.
[Avos] — Tue, 07 Sep 2021 13:33:19 GMT — Message 50/86
Your new deadline, that we both agreed on, was set on the 10th, Friday. I'll leave the rest to the affiliate.
[Victim] — Tue, 07 Sep 2021 13:35:06 GMT — Message 51/86
thank you Staff. But I am just the messenger. My management and board require to understand the extent of the data that was taken, as this may have value that we would want to pay you for if you promise it will be erased. But we would like to get a sense of what data that is; a list would be great.
[Avos] — Tue, 07 Sep 2021 13:36:12 GMT — Message 52/86
Those are our terms and we never go against them. You know better than us what data we took. We took it from the servers we encrypted. Anyways, we are away with no access to data storage, so another scenario is not possible. Staff can help to decrypt if you reach an agreement. Data will be erased when we come back.
[Avos] — Tue, 07 Sep 2021 13:38:10 GMT — Message 53/86
I can confirm the data in question wasn't downloaded to our storage units but the affiliate's.
[Victim] — Tue, 07 Sep 2021 13:42:12 GMT — Message 54/86
It does not give me a good sense of comfort and I need to convey the status to my management. I cannot understand what data was taken nor where it is located. If the affiliate is the only one with the data and he does not want to prove he has the data, how can we possibly establish trust when you attacked us and you refuse to work with me to demonstrate your word is trustworthy? Instead, not only do you attack, but you also just threaten. It is not a good way to establish our relationship.
[Avos] — Tue, 07 Sep 2021 13:44:54 GMT — Message 55/86
For now I'd suggest that perhaps your management should appraise the value of the decryption itself.
[Victim] — Wed, 08 Sep 2021 02:19:31 GMT — Message 56/86
I understand. I have met with management and we are in position to offer 50k for the decryption of the files left to decrypt. We also have an issue paying in XMR as no broker I spoke to is willing to pay XMR, the best we can do is bitcoin and would need wallet.
[Avos] — Wed, 08 Sep 2021 10:48:51 GMT — Message 57/86
Considering the affiliate wasn't able to provide a sample/list, I think we can settle at 150K in Bitcoin.
[Victim] — Wed, 08 Sep 2021 12:27:44 GMT — Message 58/86
Hello Staff, you seem like a reasonable team. We would like to come to terms, but we are a small paint distributor; 150k is more than our available cash. We can increase to 75K in BTC by using some credit cards.
[Avos] — Wed, 08 Sep 2021 12:28:42 GMT — Message 59/86
What about 100K?
[Victim] — Wed, 08 Sep 2021 12:39:33 GMT — Message 60/86
one sec let me check something with accounting
[Victim] — Wed, 08 Sep 2021 12:52:30 GMT — Message 61/86
I have a credit line I can increase to 85k. Unfortunately I cannot go any higher; I am tapped out on the credit card and credit line at 85k.
[Avos] — Wed, 08 Sep 2021 12:53:21 GMT — Message 62/86
Alright that's fair I suppose. Let us know when you have the money in BTC.
[Victim] — Wed, 08 Sep 2021 12:55:40 GMT — Message 63/86
I am working through a broker he said as soon as I transfer the money he can buy and send but he needs to know the address or wallet to send to?
[Avos] — Wed, 08 Sep 2021 13:00:37 GMT — Message 64/86
I'll send that to you in a bit
[Avos] — Wed, 08 Sep 2021 13:01:40 GMT — Message 65/86
[redacted]
[Avos] — Wed, 08 Sep 2021 13:02:19 GMT — Message 66/86
Do tell your guy to make a test transfer of 10$ and get a confirmation from me before he sends the full 85K
[Victim] — Wed, 08 Sep 2021 19:53:25 GMT — Message 67/86
OK, I will tell broker that. good idea
[Victim] — Thu, 09 Sep 2021 03:19:13 GMT — Message 68/86
Hello Staff, we are working with the broker to do the bitcoin payment by end of day today, UK time
[Victim] — Thu, 09 Sep 2021 03:23:27 GMT — Message 69/86
The broker also advised us to confirm all deal terms with you. After we pay, please confirm you will: (1) immediately provide working decryptor software for all our systems, (2) provide detailed decryption process instructions and tech support if we have problems, (3) provide detailed proof of our downloaded data (detailed file tree(s) of all data), (4) provide confirmation of deletion of all our data (non-recoverable secure deletion with proof / shred log), (5) confirm you will never publish any of our data, or our company name, (6) agree to never attack us again, (7) explain how you got into our network, and (8) provide a security report so we can prevent future problems. Please confirm everything, all 8 items, thank you.
[Avos] — Thu, 09 Sep 2021 09:28:55 GMT — Message 70/86
I can confirm all but the 3rd, as we don't have access to your data. However I can guarantee an erasure of your data.
[Victim] — Thu, 09 Sep 2021 13:22:07 GMT — Message 71/86
Hello Staff, OK, thank you
[Victim] — Thu, 09 Sep 2021 13:22:25 GMT — Message 72/86
our broker just sent the test $10, please confirm you received it.
[Avos] — Thu, 09 Sep 2021 13:23:41 GMT — Message 73/86
Confirmed. You may continue with the transfer
[Victim] — Thu, 09 Sep 2021 13:36:42 GMT — Message 74/86
The broker said they sent the rest. Can you please confirm and provide the decryptor as soon as possible, thank you.
[Avos] — Thu, 09 Sep 2021 13:41:32 GMT — Message 75/86
As soon as it confirms.
[Victim] — Thu, 09 Sep 2021 13:43:29 GMT — Message 76/86
what does that mean?
[Avos] — Thu, 09 Sep 2021 13:44:04 GMT — Message 77/86
Bitcoin takes some time to receive basically
[Victim] — Thu, 09 Sep 2021 13:45:07 GMT — Message 78/86
ah, ok, it's a bitcoin thing. Let me know when it's confirmed, thanks
[Avos] — Thu, 09 Sep 2021 14:54:53 GMT — Message 79/86
The payment is confirmed. Thank you for your business. The affiliate should provide the security report.
[Avos] — Thu, 09 Sep 2021 15:04:38 GMT — Message 80/86
Defend your credentials from mimikatz.

Limit administrator privileges to the smallest group possible. Even if you have thousands of user accounts, you should probably only have 2-5 administrator accounts. Start with two accounts and force users to justify any additional accounts added to the administrator group.

The next thing that you should do is upgrade the schema and functional level of your forest and domain to at least 2012 R2. This domain functional level adds a fairly new group called "Protected Users". Along with other protections, the members of the Protected Users group cannot authenticate by using NTLM, Digest Authentication, or CredSSP. These changes provide powerful protections that make Mimikatz almost worthless.

Verify KB2871997 has been installed to apply additional required security. After you install this security update, the default setting for non-protected users on Windows 7 and Windows 8 is to not force clear leaked logon session credentials.
[Avos] — Thu, 09 Sep 2021 15:05:24 GMT — Message 81/86
To override this default you can add the following registry dword, TokenLeakDetectDelaySecs, and set it to a recommended value of 30 seconds:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\

Stop storing passwords in memory by changing the "UseLogonCredential" registry setting to "0" instead of the default value of "1", and passwords are no longer available to Mimikatz:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest

Start monitoring your systems for unauthorized software and malware, which should help identify Mimikatz installation and activity. You'll have to test these changes to see what breaks, but the idea is to implement some fairly basic changes to protect your network.

In your specific case the critical vulnerability contained Forti VPN; please update FortiVpn and monitor for updates and Windows updates. Inform your IT staff to remove the possibility of storing user passwords within the network.
[Avos] — Thu, 09 Sep 2021 15:05:52 GMT — Message 82/86
Also we recommend you to use SentinelAV and the Datto backup system. Also Veeam Tapes is good, but the PC with Veeam should be in a WORKGROUP and the user should be different from the main domain. Every PC should have AV. Don't leave any PC without AV. Also try to configure 2FA (on all network PCs) when you connect to remote desktop. Use a password on the AV. Also a tip for you: if you want to change the Fortigate VPN to another one, we don't recommend you to use Sonic VPN or Pulse Secure, because they are under massive hack.
[Avos] — Thu, 09 Sep 2021 15:06:17 GMT — Message 83/86
And finally, update your Exchange Server, since it was the main entry point.
[Avos] — Thu, 09 Sep 2021 15:06:45 GMT — Message 84/86
As for data, we instructed an erasure and it was confirmed all your data is erased. So you are safe. Thank you for your business.
[Victim] — Thu, 09 Sep 2021 15:54:18 GMT — Message 85/86
OK, thank you for all of these items and confirming deletion. I gave the decryptor package to our IT and I will reach out if we have any technical issues. Thank you.
[Avos] — Thu, 09 Sep 2021 17:56:32 GMT — Message 86/86
It'd be better for your IT to reach out directly if possible if anything's to occur
