// Context
About This Negotiation
This transcript documents a Babuk ransomware negotiation with a redacted victim organisation.
The negotiation consisted of 106 messages exchanged over an unknown period of time.
The initial ransom demand was $400,000. The final outcome is not confirmed in the transcript.
// Primary Source
Full Transcript — Verbatim
Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.
Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
[Babuk] — — Message 1/106
Hello! Technical support is ready to answer you
[Victim] — — Message 2/106
Hello, I'm writing on behalf of [redacted]. Is this the right place to ask for information?
[Babuk] — — Message 3/106
Hello!
That's right, to start a dialogue, I ask you to answer 2 questions 1) Are you a recovery company 2) Do you have insurance against ransomware programs?
[Victim] — — Message 4/106
1) I'm not part of a recovery company. We are an IT company working with them in other fields. We just decided to give them a hand in handling contacts with you, since they do not have the required technical knowledge. 2) I have no information regarding that matter unfortunately, i do not know if they have insurance or not (though I'd bet they don't)
[Babuk] — — Message 5/106
Before we move on to discussing the price, upload 4-5 files of encrypted files no more than 10MB using any file exchanger, we will decrypt these files as a test
[Victim] — — Message 6/106
ok, I'll come back as soon as I have them, just need a moment to collect them. is something like a link shared via Google drive OK for you?
[Babuk] — — Message 7/106
Ok, write to me as you are ready to provide files
[Babuk] — — Message 8/106
Also send us the ecdh_pub_k.bin file from those computers from which you will download files, this ecdh_pub_k.bin will be placed in %appdata%
[Victim] — — Message 9/106
ok, I'll be back in some minutes to tell you how much time we'll have to wait (i can't recover the data myself unfortunately)
[Babuk] — — Message 10/106
Ok
[Babuk] — — Message 11/106
independent attempts without our help to decrypt files may lead to their loss, I would not advise you to do this
[Victim] — — Message 12/106
don't worry, we know how this type of issues work, we prevented them from attempting anything rush
[Victim] — — Message 13/106
ok, i should be able to recover 4-5 files and the related public key in a couple of hours. I'll text you back then. for now, thanks for the information
[Babuk] — — Message 14/106
ok
[Victim] — — Message 15/106
You can find a simple archive with three files and your public key at the following link: [REDACTED URL]
[Victim] — — Message 16/106
The content is a 7z archive password-protected. The password is "[redacted]" (without quotes)
[Victim] — — Message 17/106
Be careful because I fear the link will expire after one download
[Babuk] — — Message 18/106
I downloaded your files, please wait
[Babuk] — — Message 19/106
link will be available for 1st download [REDACTED URL]
[Victim] — — Message 20/106
Downloaded, received and correctly visualized the plaintext, thanks for the proof of work
[Victim] — — Message 21/106
Can I move on to ask you about your demands?
[Babuk] — — Message 22/106
Ok, now we can continue the dialogue
[Babuk] — — Message 23/106
yes, 1 minets please
[Babuk] — — Message 24/106
We know that [redacted] is a large company with an annual turnover of $ [more than two dozens] million a year, a price of $ 400,000 for a complete expansion of all systems
[Victim] — — Message 25/106
I'll refrain from reacting to it: I'll just tell you that such an amount is simply impossible to move for an Italian company. There is no way a company would be able to purchase that amount of coins (bitcoins or whatever else) in a whole year. It *might* be doable if they were like 20, 30 thousands, but more than that seems totally impossible to me.
[Victim] — — Message 26/106
Anyway, I'll relay your demands to the company, I'll forward your feedback to you as soon as they answer me
[Victim] — — Message 27/106
Anyway, I'll relay your demands to the company, I'll forward your feedback to you as soon as they answer me
[Victim] — — Message 28/106
Thanks for your cooperation, for now
[Victim] — — Message 29/106
"I'll forward THEIR feedback to you" (typo)
[Victim] — — Message 30/106
BTW, I'll probably be back in some hours, since it's late evening in Italy and I don't think they'll answer me now. I'll be back as soon as possible
[Babuk] — — Message 31/106
We can make a discount, but it must be reasonable, we will wait for comments from the company and we are waiting for you in this cha
[Babuk] — — Message 32/106
Ok, we are in touch and ready for a dialogue, and ask them about insurance
[Victim] — — Message 33/106
Hi we talked with the company. For them the damage is 1 month of work of 4 people and is worth 40k because have an offline backup. For you can be ok?
[Babuk] — — Message 34/106
We understand perfectly well that if you had backups, if you didn't have a dialogue with us, we can accept. from you 100 000 usd, it will be a big discount, if you agree then we will move on to the deal, if you need time to think it over, this is your time in any case you need the decryptor, not me
[Victim] — — Message 35/106
they have ready 55k usd to close the deal and for Wednesday you'll have the money in your wallet. Can you agree with it?
[Babuk] — — Message 36/106
We understand that the company can afford to pay 100 00, we went to you for the purchase and made a big discount
[Babuk] — — Message 37/106
100 000
[Victim] — — Message 38/106
I'll talk with them
[Babuk] — — Message 39/106
Ok, also if they have insurance, this will not incur financial losses for them at all, the insurance will pay everything
[Victim] — — Message 40/106
they don't have an insurance
[Babuk] — — Message 41/106
Well then, I advise you to buy it in the future.
[Victim] — — Message 42/106
in italy with the italian law it's hard to cash out this amount. With difficulties we can arrive to 65k.
[Babuk] — — Message 43/106
We had clients from italy who could easily pay 350,000, let's stop at 85k, it will be optimal for you and us!
[Victim] — — Message 44/106
I'm talking with them. Please 5 minutes
[Babuk] — — Message 45/106
ok
[Victim] — — Message 46/106
BTW just genuinely asking: how did they pay you such an amount? i can't imagine a way to move 350k from Italy in few days, it's just really difficult unless it happens via bank wire
[Babuk] — — Message 47/106
They worked with the bank, we cannot tell you the company, for the reason: they paid, we keep secret information about our clients who made the transaction
[Victim] — — Message 48/106
sure, as I said I was just asking out of curiosity. Anyway, we convinced them to make an effort for 85k usd, since it's in the interest of their business.
[Babuk] — — Message 49/106
Okay, do you need instructions on how to buy bitcoin? Or will you do everything yourself?
[Victim] — — Message 50/106
I'll speak with them to understand how they want buy it
[Babuk] — — Message 51/106
ok
[Victim] — — Message 52/106
can you give us your instruction to pay you?
[Babuk] — — Message 53/106
There are bitcoin ATMs in italy, you can use it or buy bitcoins on the exchange [REDACTED URL] or find a private bitcoin broker in italy (this is the safest option) as soon as you are ready to transfer I will give you a wallet
[Victim] — — Message 54/106
ok do you know i can do with an atm and where i can find it and use it to give the money
[Babuk] — — Message 55/106
[REDACTED URL]
[Victim] — — Message 56/106
ok thanks
[Victim] — — Message 57/106
we have some questions
[Victim] — — Message 58/106
1) is it ok for you if they proceed via coin ATM? Do you know if they can directly transfer funds to your wallet via the ATM, or do they need to purchase coins and them separately transfer them?
[Victim] — — Message 59/106
2) once the decryption process begins, they obviously need some form of warranty that everything is working. As for what we could see, your software encrypted files, destroyed filesystem shadow copies and compromised backups. What kind of technical warranty can you provide that everything will work smoothly even for big files (full VM disks) and LAN backup?
[Victim] — — Message 60/106
and 3) given that we have an agreement, could you delete the post you published [redacted]? this would prevent the company from having to move on with legal procedures, which they are legally compelled to follow if they have notice of a data breach. if you delete that post, there will no longer be any evidence, and they will be able to avoid this.
[Babuk] — — Message 61/106
1) For ATM, you'd better top up your wallet and then send us 2) File size doesn't matter, we made all required tests before encrypt your network
[Babuk] — — Message 62/106
3) post will be removed today
[Babuk] — — Message 63/106
The decryptor works the same as the encryptor only in the other direction
[Victim] — — Message 64/106
ok thanks, we'll start with the work
[Babuk] — — Message 65/106
During the day, the moderator of [redacted] will delete the topic, I wrote him a private message and also wrote in the topic, you can check it
[Victim] — — Message 66/106
thank you, we will get back to you soon
[Babuk] — — Message 67/106
ok
[Victim] — — Message 68/106
ok thanks
[Babuk] — — Message 69/106
threads [redacted] -deleted, please cheked
[Victim] — — Message 70/106
Cheked, thanks! we are buying the btc. I'll ping you asap
[Victim] — — Message 71/106
hi
[Babuk] — — Message 72/106
Hello, when you will have required amount of bitcoin's write here
[Victim] — — Message 73/106
yes
[Babuk] — — Message 74/106
You ready to pay?
[Victim] — — Message 75/106
not yet, we are buying
[Babuk] — — Message 76/106
Okay, what date should I expect to be paid?
[Victim] — — Message 77/106
Wednesday please
[Babuk] — — Message 78/106
Okey
[Babuk] — — Message 79/106
Any dialogues with us only in this chat, any other email and etc contacts are invalid
[Victim] — — Message 80/106
Hi, sure!
[Victim] — — Message 81/106
Hi, sure!
[Victim] — — Message 82/106
hello
[Babuk] — — Message 83/106
Hello, how your progress?
[Victim] — — Message 84/106
We will have a call at 2 pm to understand the progress
[Victim] — — Message 85/106
i'll update you
[Babuk] — — Message 86/106
okey
[Victim] — — Message 87/106
sorry only a question
[Victim] — — Message 88/106
we can decrypt file by file too?
[Victim] — — Message 89/106
with your tool?
[Babuk] — — Message 90/106
our tool decrypt full pc
[Babuk] — — Message 91/106
Unlocker decrypt full network
[Victim] — — Message 92/106
FYi we did a revolut account and tomorrow we will have the btc
[Victim] — — Message 93/106
so in the afternoom we can do it
[Babuk] — — Message 94/106
Well, as soon as you are ready to transfer money, write to us, you will give you a new link to the chat, where we will conduct the transaction, it will be better for your safety and anonymity
[Victim] — — Message 95/106
ok thanks
[Victim] — — Message 96/106
sorry do you have an account revolut? because who bought the btc didn't know that you can not move it to an external wallet ( out the revolut platform )
[Babuk] — — Message 97/106
No, but I do not think that you will have any problems with the transfer, you should be able to transfer to any bitcoin wallet
[Victim] — — Message 98/106
i check now, because maybe with revolut you can send only to an revolut account
[Babuk] — — Message 99/106
You will need to somehow solve this problem, and be able to transfer to any bitcoin wallet
[Victim] — — Message 100/106
yes we do
[Babuk] — — Message 101/106
admin:[REDACTED URL]
[Victim] — — Message 102/106
yes we saw, we are finding a solution
[Victim] — — Message 103/106
please send us another link by mail
[Victim] — — Message 104/106
to chat
[Babuk] — — Message 105/106
Please give your email address in the company's domain @ [redacted].com there we will send a new link to the chat, you will need to restart your browser and follow the link
[Babuk] — — Message 106/106
so we can verify that you are indeed on behalf of [redacted] and the correspondence is confidential