// Ransomware Negotiation Transcript
Avos Ransomware Negotiation — Redacted Organisation
// Context
About This Negotiation
This transcript documents an Avos ransomware negotiation with a redacted victim organisation. The negotiation consisted of 86 messages exchanged.
The initial demand is not clearly stated in the transcript. The negotiation resulted in a confirmed payment.
// Primary Source
Full Transcript — Verbatim
Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.
Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
As you are an enterprise client of ours, we will provide you with customer support throughout the process. You may use this chat to get in contact with us.
Hello! You encrypted our files. I do not have any image files that are encrypted; how can I upload a different file type? Can you also tell me what files you took? Can I see some samples and a list?
I'll ask all that to the affiliate in question.
Are we still connected?
Can you increase our clock as long as we are discussing? The clock will run out on the weekend and even if we agree, we cannot do anything on the weekend because all banks are closed. This is a long weekend, Labor Day, in both the USA and Canada, so no banks until Tuesday next week. Appreciate you working with us to reach agreement.
the site seems to disconnect me
Disconnect you how?
Yeah, I'll set your deadline on Friday next week.
I tried to enter another message and it did not work I had to reload the whole page
Just give it a couple seconds, the website can be slow at times
I can't reach the affiliate responsible for the attack at the moment. I did tell him to provide you with a sample or list of the files exfiltrated. They'll reply here when they're back.
ok friend I will come back tomorrow very late here too
please update the time because no way we can hit the deadline thank you
Sure, good night.
Yeah don't worry about that, your new deadline's set at Friday next week
appreciated. I will remain connected but may not reply.
I can't contact the affiliate in question. They seem to be unavailable at the time. I won't be able to provide you information on the data taken.
I, however, can provide you the decryption keys if you do pay for it.
Hi I tried to upload an image and I am not seeing success in decryption.
I cannot find an image less than 1 MB to test decrypt. What to do?
Are the extensions appended to the encrypted files ".avos2"?
yes
actually the file is only 111kb
is there email I can send it to?
Avos2 came out recently and we can't provide test decryptions on our website for it at the moment.
OK, so what do we do here? You cannot contact the affiliate, you cannot decrypt the files. What are we doing?
You can create an archive with a couple of files and upload them to [REDACTED URL]
ok please wait
Then I can manually decrypt the files for you.
We can decrypt .avos2, however the website can't at the moment.
This is because both the encryption/decryption are first built and tested in Windows, THEN this encryption algorithm is ported to our web services.
[REDACTED URL]
can you confirm it works?
You are supposed to copy the URL in your browser instead of copying the link from the download button.
Hello? The link doesn't work
ok
did you find the affiliate?
[REDACTED URL]
Your link doesn't work, again.
Please test and verify that it works BEFORE sending it to me.
[REDACTED URL]
[REDACTED URL]
Please upload it to one of the websites I've told you to. We can't download from Gofile.
[REDACTED URL]
We've downloaded the data. Please allow us some time to process it
I decrypted the PNG files. [REDACTED URL]
Hello. We think it's time to finalize your negotiations. Please let us know how you wish to proceed with payment.
I would like to see what files you took
You can see the files in a few days if we have to publish samples on the blog. We will not provide anything else at this stage.
Well, if you prefer to simply be aggressive we would never be able to reach a level of trust. You are asking for a lot of money; we need to assess what data you took. Show me some list or indication that I can take to management. Goodwill will go a long way.
If you publish we will disconnect and put the money into protecting any individuals with credit monitoring. I think working together is preferred.
As staff, we can guarantee that whatever data the affiliate has taken will be erased, and the decryption keys will be delivered.
Your new deadline, that we both agreed on, was set on the 10th, Friday. I'll leave the rest to the affiliate.
Thank you Staff. But I am just the messenger. My management and board need to understand the extent of the data that was taken, as this may have value that we would want to pay you for if you promise it will be erased. But we would like to get a sense of what data that is; a list would be great.
Those are our terms and we never go against them. You know better than us what data we took. We took it from the servers we encrypted. Anyways, we are away with no access to data storage, so another scenario is not possible. Staff can help to decrypt if you reach an agreement. Data will be erased when we come back.
I can confirm the data in question wasn't downloaded to our storage units but the affiliate's.
It does not give me a good sense of comfort and I need to convey the status to my management. I cannot understand what data was taken nor where it is located. If the affiliate is the only one with the data and he does not want to prove he has data, how can we possibly establish trust when you attacked us and you refuse to work with me to demonstrate your word is trustworthy? Instead, not only do you attack but you also just threaten. It is not a good way to establish our relationship.
For now I'd suggest that perhaps your management should appraise the value of the decryption itself.
I understand. I have met with management and we are in position to offer 50k for the decryption of the files left to decrypt. We also have an issue paying in XMR as no broker I spoke to is willing to pay XMR, the best we can do is bitcoin and would need wallet.
Considering the affiliate wasn't able to provide a sample/list, I think we can settle at 150K in Bitcoin.
Hello Staff, you seem like a reasonable team. We would like to come to terms, but we are a small paint distributor; 150k is more than our available cash. We can increase to 75K in BTC by using some credit cards.
What about 100K?
one sec let me check something with accounting
I have a credit line I can increase to 85k. Unfortunately I cannot go any higher; I am tapped out on credit card and credit line at 85k.
Alright that's fair I suppose. Let us know when you have the money in BTC.
I am working through a broker he said as soon as I transfer the money he can buy and send but he needs to know the address or wallet to send to?
I'll send that to you in a bit
[redacted]
Do tell your guy to make a test transfer of 10$ and get a confirmation from me before he sends the full 85K
OK, I will tell broker that. good idea
Hello Staff, we are working with the broker to do the bitcoin payment by end of day today, UK time
The broker also advised us to confirm all deal terms with you.
After we pay, please confirm you will:
(1.) immediately provide working decryptor software for all our systems,
(2.) provide detailed decryption process instructions and tech support if we have problems,
(3.) provide detailed proof of our downloaded data - detailed file tree(s) of all data,
(4.) provide confirmation of deletion of all our data - non-recoverable secure deletion with proof / shred log,
(5.) confirm you will never publish any of our data, or our company name,
(6.) agree to never attack us again,
(7.) explain how you got into our network, and
(8.) provide a security report so we can prevent future problems
Please confirm everything, all 8 items, thank you.
I can confirm all but the 3rd, as we don't have access to your data. However I can guarantee an erasure of your data.
Hello Staff, OK, thank you
our broker just sent the test $10, please confirm you received it.
Confirmed. You may continue with the transfer
The broker said they sent the rest. Can you please confirm and provide the decryptor as soon as possible, thank you.
As soon as it confirms.
what does that mean?
Bitcoin takes some time to receive basically
Ah, OK, it's a Bitcoin thing. Let me know when it's confirmed, thanks.
The payment confirmed. Thank you for your business. The affiliate should provide the security report.
Defend your credentials from Mimikatz. Limit administrator privileges to the smallest group possible. Even if you have thousands of user accounts, you should probably only have 2-5 administrator accounts. Start with two accounts and force users to justify any additional accounts added to the administrator group. The next thing that you should do is upgrade the schema and functional level of your forest and domain to at least 2012 R2. This domain functional level adds a fairly new group called "Protected Users". Along with other protections, the members of the Protected Users group cannot authenticate by using NTLM, Digest Authentication, or CredSSP. These changes provide powerful protections that make Mimikatz almost worthless. Verify KB2871997 has been installed to apply additional required security. After you install this security update, the default setting for non-protected users on Windows 7 and Windows 8 is to not force clear leaked logon session credentials.
To override this default you can add the following registry DWORD, TokenLeakDetectDelaySecs, and set it to a recommended value of 30 seconds:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\
Stop storing passwords in memory by changing the "UseLogonCredential" registry setting to "0" instead of the default value of "1", and passwords are no longer available to Mimikatz:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest
Start monitoring your systems for unauthorized software and malware, which should help identify Mimikatz installation and activity. You'll have to test these changes to see what breaks, but the idea is to implement some fairly basic changes to protect your network. In your specific case the critical vulnerability was in Forti VPN; please update FortiVpn and monitor for updates and Windows updates. Inform your IT staff to remove the possibility of storing user passwords within the network.
Also we recommend you use SentinelAV and the Datto backup system. Veeam tapes are also good, but the PC with Veeam should be in a WORKGROUP and the user should be different from the main domain. Every PC should have AV. Don't leave any PC without AV. Also try to configure 2FA (on all network PCs) when you connect to Remote Desktop. Use a password on the AV. Also a tip for you: if you want to change Fortigate VPN to another, we don't recommend you use Sonic VPN or Pulse Secure, because they're under massive hack.
And finally, update your Exchange Server, since it was the main entry point.
As for data, we instructed an erasure and it was confirmed all your data is erased. So you are safe. Thank you for your business.
OK, thank you for all of these items and confirming deletion. I gave the decryptor package to our IT and I will reach out if we have any technical issues. Thank you.
It'd be better for your IT to reach out directly if possible if anything's to occur
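The attacker's "security report" above lists concrete Windows hardening items (WDigest UseLogonCredential, TokenLeakDetectDelaySecs, KB2871997, a 2012 R2 functional level with Protected Users, and a 2-5 account cap on administrators). The following PowerShell audit script is an added, defender-side example written for this page; it is not part of the transcript, the Ransomchats archive, or any tooling of the parties involved. It assumes an elevated PowerShell 5.1+ session on a domain-joined host, treats the report's "2-5 administrator accounts" as a threshold of 5 (the `$MaxAdminAccounts` parameter is an assumption), and skips the domain checks when the RSAT ActiveDirectory module is not installed. Function names are mine; registry paths and value names are those quoted in the report.

```powershell
<#
  Added example, not part of the transcript or the Ransomchats archive.
  Audits the credential-hardening items listed in the attacker's "security report":
  WDigest UseLogonCredential, TokenLeakDetectDelaySecs, KB2871997, domain functional
  level, Protected Users coverage and the size of the administrator groups.
  Assumptions: elevated PowerShell 5.1+ on a domain-joined host; the ActiveDirectory
  (RSAT) module is optional and the domain checks are skipped without it.
#>

function Test-CredentialHardening {
    [CmdletBinding()]
    param([int]$MaxAdminAccounts = 5)   # the report's "2-5 administrator accounts" guidance

    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding([string]$Check, [bool]$Pass, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
    }

    # 1. WDigest must not keep reversible credentials in LSASS. The report says to set the
    #    value to 0 explicitly, so an absent value is reported as a fail rather than guessed at.
    $wdigest = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $useLogonCred = (Get-ItemProperty -Path $wdigest -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
    $shown = if ($null -eq $useLogonCred) { '<absent>' } else { $useLogonCred }
    Add-Finding 'WDigest UseLogonCredential is 0' ($useLogonCred -eq 0) "value: $shown"

    # 2. TokenLeakDetectDelaySecs (introduced with KB2871997) forces clearing of leaked logon
    #    session credentials after the delay; the report recommends 30 seconds.
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $leakDelay = (Get-ItemProperty -Path $lsa -Name TokenLeakDetectDelaySecs -ErrorAction SilentlyContinue).TokenLeakDetectDelaySecs
    Add-Finding 'TokenLeakDetectDelaySecs is 30' ($leakDelay -eq 30) "value: $leakDelay"

    # 3. KB2871997 appears as a hotfix only on Windows 7 / 8 / 2008 R2 / 2012 (version < 6.3);
    #    Windows 8.1 / 2012 R2 and later ship the same protections, so the check is informational there.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    if ([version]$os.Version -lt [version]'6.3') {
        $hotfix = Get-HotFix -Id KB2871997 -ErrorAction SilentlyContinue
        Add-Finding 'KB2871997 installed' ($null -ne $hotfix) "OS: $($os.Caption) $($os.Version)"
    } else {
        Add-Finding 'KB2871997 (built into this OS version)' $true "OS: $($os.Caption) $($os.Version)"
    }

    # 4. Size of the local Administrators group (Get-LocalGroupMember needs PowerShell 5.1+).
    if (Get-Command Get-LocalGroupMember -ErrorAction SilentlyContinue) {
        $localAdmins = @(Get-LocalGroupMember -Group 'Administrators')
        Add-Finding "Local Administrators <= $MaxAdminAccounts members" ($localAdmins.Count -le $MaxAdminAccounts) ($localAdmins.Name -join ', ')
    }

    # 5. Domain checks: functional level, Domain Admins size, Protected Users coverage.
    #    Protected Users is created once the PDC emulator runs 2012 R2 or later, and the
    #    DC-side protections need domain functional level 2012 R2, which is why the report
    #    ties the two recommendations together.
    if (Get-Module -ListAvailable -Name ActiveDirectory) {
        try {
            Import-Module ActiveDirectory -ErrorAction Stop
            $domain = Get-ADDomain -ErrorAction Stop
            # ADDomainMode enum: Windows2012R2Domain = 6, so "-ge 6" means at least 2012 R2.
            Add-Finding 'Domain functional level >= 2012 R2' ([int]$domain.DomainMode -ge 6) "mode: $($domain.DomainMode)"

            $domainAdmins = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive | Where-Object objectClass -eq 'user')
            Add-Finding "Domain Admins <= $MaxAdminAccounts accounts" ($domainAdmins.Count -le $MaxAdminAccounts) ($domainAdmins.SamAccountName -join ', ')

            $protected = @(Get-ADGroupMember -Identity 'Protected Users' -Recursive -ErrorAction SilentlyContinue)
            $uncovered = @($domainAdmins | Where-Object { $_.SID.Value -notin $protected.SID.Value })
            Add-Finding 'All Domain Admins are in Protected Users' ($uncovered.Count -eq 0) ("not covered: " + ($uncovered.SamAccountName -join ', '))
        } catch {
            Add-Finding 'Domain checks completed' $false "error: $($_.Exception.Message)"
        }
    } else {
        Add-Finding 'ActiveDirectory module available for domain checks' $false 'RSAT ActiveDirectory module not installed; domain checks skipped'
    }

    return $findings
}

# Usage: print a pass/fail table of the report's items for this host and domain.
Test-CredentialHardening | Format-Table -AutoSize
```

The script only reads state; it changes nothing. Apply the report's settings in a test environment first, as its author also notes: adding accounts to Protected Users removes their ability to authenticate with NTLM, Digest or CredSSP, so service accounts and legacy applications that depend on those protocols will break, and the audit's "not covered" column is the list to review before enforcing that.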
// Analysis
Analyst Observations
- This transcript ends with a confirmed payment, though the final amount may not be explicitly stated in the chat.