// Context
About This Negotiation
This transcript documents a BlackBasta ransomware negotiation with a redacted victim organisation.
The negotiation consisted of 57 messages exchanged over Unknown.
The initial ransom demand was $400,000. The negotiation resulted in a confirmed payment.
// Primary Source
Full Transcript — Verbatim
Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.
Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at
enquiries@binary-response.com — we will act promptly.
[Victim] — 17:14 — Message 1/57
Hello, we were told to come here
[BlackBasta] — 07:51 — Message 2/57
Hello. Who are you in this company? What is your position?
[Victim] — 12:25 — Message 3/57
Im an admin. I was assigned to communicate with you.
[BlackBasta] — 13:38 — Message 4/57
Do you need a private chat?
[Victim] — 15:51 — Message 5/57
This is a private chat. Only I have access to this
[BlackBasta] — 15:54 — Message 6/57
We are Black Basta Group. We are here to inform that your company local network has been hacked and encrypted. We've downloaded over 110GB of a sensitive information and data from your network.
Check your page in our blog. Right now we're keeping it secret. However, if we don't come to an agreement within 10 days, it'll be posted on our news board.
We will let everyone who wants to connect to your network and get all the necessary data from your.
Decryption price is $400,000. In case of successful negotiations we guarantee you will get:
1) Decryptor for all your Windows machines;
2) Non recoverable removal of all downloaded data from our side;
3) Security report on how you were hacked to fix your vulnerabilities and avoid such situations in future.
Hope you can correctly assess the risks for your company.
You can find more information about Black Basta Group in Google.
[Victim] — 18:36 — Message 7/57
Thank you for this information. I will be in touch
[BlackBasta] — 19:17 — Message 8/57
okay
[Victim] — 14:58 — Message 9/57
you have 110GB of our data? what data is it?
[BlackBasta] — 15:49 — Message 10/57
Wait please, we'll send you the list of your taken data.
[BlackBasta] — 16:01 — Message 11/57
Download file: [redacted].rar
[BlackBasta] — 16:02 — Message 12/57
You can choose any 5 file names from this list and we will send them to you, like a proof.
[Victim] — 14:04 — Message 13/57
ok thank you we will take a look
[BlackBasta] — 14:05 — Message 14/57
okay
[Victim] — 15:00 — Message 15/57
does this list represent all of the data you took?
[BlackBasta] — 15:08 — Message 16/57
Yes, this is full list.
[Victim] — 14:14 — Message 17/57
Here are the files that leadership has requested: Paperless\EMAILS 2020-2022\Congratulations [redacted].msg
Vol4\CL\[redacted]Files\[redacted] - Notice of Substitution.docx
Vol4\CL\[redacted]\[redacted] Plaintiff Expert Materials\[redacted]\Floormat recall.pdf
Vol4\CL\7777\031\[redacted]\[redacted]\footballpressboxlist.pdf
Vol4\USER\[redacted]\XMAS\Christmas 2004\Holiday Name Tags Template2.doc
[BlackBasta] — 14:15 — Message 18/57
Wait please.
[BlackBasta] — 14:27 — Message 19/57
Download file: [redacted].rar
[BlackBasta] — 14:27 — Message 20/57
These are requested files.
[Victim] — 13:41 — Message 21/57
Ok. We are having internet issues. Everyone is working from different locations. I will give these to leadership to review. No one will be back until Monday. I will write you then
[BlackBasta] — 13:43 — Message 22/57
Understood. Wait you on Monday.
[Victim] — 13:18 — Message 23/57
How do we know that your decryptor will work for our systems?
[BlackBasta] — 14:14 — Message 24/57
You can send some encrypted files, we decrypt them and send back to you. But these files must be unimportant.
[Victim] — 16:37 — Message 25/57
Ok, I will have leadership choose some files.
[BlackBasta] — 16:53 — Message 26/57
okay
[Victim] — 14:17 — Message 27/57
Download file: [redacted].jpg
[Victim] — 14:17 — Message 28/57
Download file: [redacted].doc
[Victim] — 14:18 — Message 29/57
Here are two files that leadership chose.
[BlackBasta] — 14:21 — Message 30/57
Wait please.
[BlackBasta] — 14:31 — Message 31/57
Download file: [redacted].jpg
[BlackBasta] — 14:31 — Message 32/57
Download file: [redacted].doc
[Victim] — 14:55 — Message 33/57
Ok, I will show these to leadership and will be back in touch with you
[BlackBasta] — 14:56 — Message 34/57
We'll in touch.
[Victim] — 13:46 — Message 35/57
My leadership has a meeting scheduled with the board on Monday afternoon. Before that meeting, is there any cost breaks that you could provide us? This event has had a significant impact on our company.
[BlackBasta] — 15:09 — Message 36/57
10% discount for you and we close the deal.
[Victim] — 13:53 — Message 37/57
Ok, I will provide this to my leaders and I will be back in touch on Monday afternoon.
[BlackBasta] — 15:39 — Message 38/57
Okay, we'll be in touch.
[Victim] — 20:33 — Message 39/57
Our leadership wants this to come to an end for both of us so we can get back to normality. They would like to offer $39,250 with all fees included. This would include the decryptor with any assistance we may need with it, proof that all our data has been removed from your systems and deleted with the promise not to ask for any additional money for anything after payment is received, a detailed explanation on how you got into our systems, and the promise to never attack us again. Please accept this offer so we can move on.
[BlackBasta] — 20:36 — Message 40/57
Are you seriously? This is an unacceptable offer. We will not even turn our heads in your direction for such a meager amount. Increase it.
[BlackBasta] — 16:36 — Message 41/57
We also want to remind you that you have a lot of critical data, a lot of personal data of your employees and customers, copies of passports and driver's license ([redacted] and many others), their SSN, DOB, addresses and phone numbers, your NDA, confidential agreements, financial documents and other documents can be used for bad purposes, loans, etc. Darknet users know how to do this. Therefore, we suggest you to think better and make the worthy offer.
[Victim] — 17:18 — Message 42/57
What is meager to you, is not to us. Since this event we are struggling to get operational and have experienced tremendous losses. Leadership is prepared to offer $44,990 with all fees included. This would include the decryptor with any assistance we may need with it, proof that all our data has been removed from your systems and deleted with the promise not to ask for any additional money for anything after payment is received, a detailed explanation on how you got into our systems, and the promise to never attack us again. Please consider this offer as we are trying to get our business back operational.
[BlackBasta] — 17:43 — Message 43/57
We are ready to help restore all your systems and files to their original state very quickly, but the minimum amount we can accept is $150k. Less payment is not possible. Therefore, tell your manager if he wants to make a deal, then he look for this amount. If not, then further negotiations are pointless.
[Victim] — 13:27 — Message 44/57
Leadership is prepared to accept your offer of $150,000 with all fees included. This would include a working decryptor with any assistance we may need with it, proof and assurance that all our data has been removed from your systems, deleted, not copied or transferred elsewhere, and with the promise not to ask for any additional money for anything after payment is received, a detailed explanation of why we were targeted and how you got into our systems, and the promise to never attack us again. Please send us your bitcoin wallet ID so we can proceed with payment.
[BlackBasta] — 14:06 — Message 45/57
Okay. We confirm all points. Our BTC wallet is [redacted]
[Victim] — 18:49 — Message 46/57
Ok. This may take some time, but please confirm when you receive payment. I will write you when it is sent.
[BlackBasta] — 19:04 — Message 47/57
Okay.
[BlackBasta] — 16:58 — Message 48/57
Any updates?
[Victim] — 18:51 — Message 49/57
payment was made. Can you confirm please
[BlackBasta] — 18:54 — Message 50/57
Yes, we see the transaction, but it hasn't been confirmed yet. Please wait.
[BlackBasta] — 19:06 — Message 51/57
Payment received.
[BlackBasta] — 19:06 — Message 52/57
Your data is wiping.
[Victim] — 19:07 — Message 53/57
Thank you. I will stand by for all the agreed upon deliverables.
[BlackBasta] — 19:40 — Message 54/57
This is log of deletion ALL your taken data
Download: [REDACTED URL]
Delete: [REDACTED URL]&q=[redacted]
[BlackBasta] — 23:44 — Message 55/57
Download file: [redacted].ex
[BlackBasta] — 23:44 — Message 56/57
How to decrypt windows?
1. Drop executable to any folder.
2. Start new terminal session with administrator rights. (run cmd.exe or powershell.exe with admin rights)
3.1. In cmd.exe type full path to the executable file and press Enter.
3.2. In powershell.exe type: "& c:\full\path\to\executable.exe" without quotes and press Enter.
OR
1. Drop file.
2. Click right mouse button on the file and press run as admin.
(!) IMPORTANT, READ ALL BEFORE DECRYPTION PROCESS
1. Yoy can decrypt only 1 folder (test decrypt for example)
decrypt.exe -forcepath c:\users\1\Desktop\folder
2. DO NOT CLOSE decryptor yourself
3. MAKE BACKUPS of important files what you will decrypt, then you can rerun decryptor if something happens
4. You can decrypt partially encrypted files:
4.1. Make backup
4.2. Add encrypted extension (random for every company, you can ask in chat) to file
4.3. Run decryptor to folder what contains file
4.4. Now you can test file
5. Every decryption process saves file in same location with name of decrypted file with extension .kbckp. In this file you can find individual chacha keys for better recovery experience.
6. You can ask in chat about ECC keys (used to encrypt chacha keys) for your company.
7. Make sure you have at least 10 gb of free space on each disk.
8. To choose folder on linux decrypt.linux -forcepath /path
[BlackBasta] — 03:02 — Message 57/57
Security report and recommendation:
Your network has been compromised by mailing of messages to the emails with malicious attachments.
One of the users launched malware.
To avoid this in the future, give you recommendations of network protection:
1. Use sandbox to analyze the contents of letters and their attachments.
2. Use the password security policies
3. Make protection from attack like a Pass-the-Hash and Pass-the-ticket attack
4. Update all OS and software to the latest versions, especially Microsoft Defender Antivirus.
5. Implement the hardware firewalls with filtering policies, modern DLP and IDS, SIEM systems.
6. Block kerberoasting attacks
7. Conduct full penetrations tests and audit
8. Use and update Anti-virus/anti-malware and malicious traffic detection software
9. Configure group policies, disable the default administrators accounts, create new accounts.
10. Backups. You must have offline backups, does not have access to the network.