// Context
About This Negotiation
This transcript documents a BlackBasta ransomware negotiation with a redacted victim organisation.
The negotiation consisted of 50 messages exchanged over Unknown.
The initial ransom demand was $150,000. The negotiation resulted in a confirmed payment.
// Primary Source
Full Transcript — Verbatim
Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.
Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
[BlackBasta] — 19:17 — Message 1/50
okay
[Victim] — 14:58 — Message 2/50
you have 110GB of our data? what data is it?
[BlackBasta] — 15:49 — Message 3/50
Wait please, we'll send you the list of your taken data.
[BlackBasta] — 16:01 — Message 4/50
Download file: [redacted].rar
[BlackBasta] — 16:02 — Message 5/50
You can choose any 5 file names from this list and we will send them to you, like a proof.
[Victim] — 14:04 — Message 6/50
ok thank you we will take a look
[BlackBasta] — 14:05 — Message 7/50
okay
[Victim] — 15:00 — Message 8/50
does this list represent all of the data you took?
[BlackBasta] — 15:08 — Message 9/50
Yes, this is the full list.
[Victim] — 14:14 — Message 10/50
Here are the files that leadership has requested:
Paperless\EMAILS 2020-2022\[redacted].msg
Vol4\[redacted].docx
Vol4\[redacted].pdf
Vol4\[redacted].pdf
Vol4\USER\[redacted].doc
[BlackBasta] — 14:15 — Message 11/50
Wait please.
[BlackBasta] — 14:27 — Message 12/50
Download file: [redacted].rar
[BlackBasta] — 14:27 — Message 13/50
These are requested files.
[Victim] — 13:41 — Message 14/50
Ok. We are having internet issues. Everyone is working from different locations. I will give these to leadership to review. No one will be back until Monday. I will write you then
[BlackBasta] — 13:43 — Message 15/50
Understood. We'll wait for you on Monday.
[Victim] — 13:18 — Message 16/50
How do we know that your decryptor will work for our systems?
[BlackBasta] — 14:14 — Message 17/50
You can send some encrypted files, we decrypt them and send back to you. But these files must be unimportant.
[Victim] — 16:37 — Message 18/50
Ok, I will have leadership choose some files.
[BlackBasta] — 16:53 — Message 19/50
okay
[Victim] — 14:17 — Message 20/50
Download file: [redacted].jpg
[Victim] — 14:17 — Message 21/50
Download file: [redacted].doc
[Victim] — 14:18 — Message 22/50
Here are two files that leadership chose.
[BlackBasta] — 14:21 — Message 23/50
Wait please.
[BlackBasta] — 14:31 — Message 24/50
Download file: [redacted].jpg
[BlackBasta] — 14:31 — Message 25/50
Download file: [redacted].doc
[Victim] — 14:55 — Message 26/50
Ok, I will show these to leadership and will be back in touch with you
[BlackBasta] — 14:56 — Message 27/50
We'll be in touch.
[Victim] — 13:46 — Message 28/50
My leadership has a meeting scheduled with the board on Monday afternoon. Before that meeting, are there any cost breaks that you could provide us? This event has had a significant impact on our company.
[BlackBasta] — 15:09 — Message 29/50
10% discount for you and we close the deal.
[Victim] — 13:53 — Message 30/50
Ok, I will provide this to my leaders and I will be back in touch on Monday afternoon.
[BlackBasta] — 15:39 — Message 31/50
Okay, we'll be in touch.
[Victim] — 20:33 — Message 32/50
Our leadership wants this to come to an end for both of us so we can get back to normality. They would like to offer $39,250 with all fees included. This would include the decryptor with any assistance we may need with it, proof that all our data has been removed from your systems and deleted with the promise not to ask for any additional money for anything after payment is received, a detailed explanation on how you got into our systems, and the promise to never attack us again. Please accept this offer so we can move on.
[BlackBasta] — 20:36 — Message 33/50
Are you serious? This is an unacceptable offer. We will not even turn our heads in your direction for such a meager amount. Increase it.
[BlackBasta] — 16:36 — Message 34/50
We also want to remind you that you have a lot of critical data, a lot of personal data of your employees and customers, copies of passports and driver's licenses ([redacted], [redacted], [redacted], [redacted], [redacted] and many others), their SSN, DOB, addresses and phone numbers, your NDAs, confidential agreements, financial documents and other documents that can be used for bad purposes, loans, etc. Darknet users know how to do this. Therefore, we suggest you think better and make a worthy offer.
[Victim] — 17:18 — Message 35/50
What is meager to you, is not to us. Since this event we are struggling to get operational and have experienced tremendous losses. Leadership is prepared to offer $44,990 with all fees included. This would include the decryptor with any assistance we may need with it, proof that all our data has been removed from your systems and deleted with the promise not to ask for any additional money for anything after payment is received, a detailed explanation on how you got into our systems, and the promise to never attack us again. Please consider this offer as we are trying to get our business back operational.
[BlackBasta] — 17:43 — Message 36/50
We are ready to help restore all your systems and files to their original state very quickly, but the minimum amount we can accept is $150k. A lower payment is not possible. Therefore, tell your manager that if he wants to make a deal, then he should look for this amount. If not, then further negotiations are pointless.
[Victim] — 13:27 — Message 37/50
Leadership is prepared to accept your offer of $150,000 with all fees included. This would include a working decryptor with any assistance we may need with it, proof and assurance that all our data has been removed from your systems, deleted, not copied or transferred elsewhere, and with the promise not to ask for any additional money for anything after payment is received, a detailed explanation of why we were targeted and how you got into our systems, and the promise to never attack us again. Please send us your bitcoin wallet ID so we can proceed with payment.
[BlackBasta] — 14:06 — Message 38/50
Okay. We confirm all points. Our BTC wallet is [redacted]
[Victim] — 18:49 — Message 39/50
Ok. This may take some time, but please confirm when you receive payment. I will write you when it is sent.
[BlackBasta] — 19:04 — Message 40/50
Okay.
[BlackBasta] — 16:58 — Message 41/50
Any updates?
[Victim] — 18:51 — Message 42/50
payment was made. Can you confirm please
[BlackBasta] — 18:54 — Message 43/50
Yes, we see the transaction, but it hasn't been confirmed yet. Please wait.
[BlackBasta] — 19:06 — Message 44/50
Payment received.
[BlackBasta] — 19:06 — Message 45/50
Your data is wiping.
[Victim] — 19:07 — Message 46/50
Thank you. I will stand by for all the agreed upon deliverables.
[BlackBasta] — 19:40 — Message 47/50
This is the log of deletion of ALL your taken data
Download: [REDACTED URL]
Delete: [REDACTED URL]&q=[redacted]
[BlackBasta] — 23:44 — Message 48/50
Download file: [redacted].ex
[BlackBasta] — 23:44 — Message 49/50
How to decrypt windows?
1. Drop executable to any folder.
2. Start new terminal session with administrator rights. (run cmd.exe or powershell.exe with admin rights)
3.1. In cmd.exe type full path to the executable file and press Enter.
3.2. In powershell.exe type: "& c:\full\path\to\executable.exe" without quotes and press Enter.
OR
1. Drop file.
2. Click right mouse button on the file and press run as admin.
(!) IMPORTANT, READ ALL BEFORE DECRYPTION PROCESS
1. You can decrypt only 1 folder (test decrypt for example)
decrypt.exe -forcepath c:\users\1\Desktop\folder
2. DO NOT CLOSE decryptor yourself
3. MAKE BACKUPS of important files that you will decrypt, then you can rerun the decryptor if something happens
4. You can decrypt partially encrypted files:
4.1. Make backup
4.2. Add encrypted extension (random for every company, you can ask in chat) to file
4.3. Run the decryptor on the folder that contains the file
4.4. Now you can test file
5. Every decryption process saves a file in the same location with the name of the decrypted file and the extension .kbckp. In this file you can find individual chacha keys for a better recovery experience.
6. You can ask in chat about ECC keys (used to encrypt chacha keys) for your company.
7. Make sure you have at least 10 gb of free space on each disk.
8. To choose a folder on Linux: decrypt.linux -forcepath /path
[BlackBasta] — 03:02 — Message 50/50
Security report and recommendation:
Your network has been compromised by the mailing of messages to your emails with malicious attachments.
One of the users launched malware.
To avoid this in the future, we give you recommendations for network protection:
1. Use a sandbox to analyze the contents of letters and their attachments.
2. Use password security policies
3. Make protection from attacks like Pass-the-Hash and Pass-the-Ticket
4. Update all OS and software to the latest versions, especially Microsoft Defender Antivirus.
5. Implement hardware firewalls with filtering policies, modern DLP and IDS, and SIEM systems.
6. Block kerberoasting attacks
7. Conduct full penetration tests and audits
8. Use and update Anti-virus/anti-malware and malicious traffic detection software
9. Configure group policies, disable the default administrators accounts, create new accounts.
10. Backups. You must have offline backups that do not have access to the network.