// Context
About This Negotiation
This transcript documents a BlackBasta ransomware negotiation with a redacted victim organisation.
The negotiation consisted of 50 messages exchanged over an unknown period.
The initial ransom demand was $2.8M. The final outcome is not confirmed in the transcript.
// Primary Source
Full Transcript — Verbatim
Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.
Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com; we will act promptly.
[BlackBasta] — 12:34 — Message 1/50
Do you need a private chat?
[BlackBasta] — 12:35 — Message 2/50
This chat can include people from your company (your employees, for example), as they may have found the note on their computers. In order to avoid leaking our conversation, we can create a private chat for you. Do you need it?
[Victim] — 12:40 — Message 3/50
Where would this private chat be and what is wrong with talking here? What is this about and did you take our data?
[BlackBasta] — 12:58 — Message 4/50
We are Black Basta Group. We are here to inform that your company local network has been hacked and encrypted. We've downloaded over 540GB of a sensitive information and data from your network.
Check your page in our blog. Right now we're keeping it secret. However, if we don't come to an agreement within 10 days, it'll be posted on our news board.
We will let everyone who wants to connect to your network and get all the necessary data from your.
Decryption price is $2,750,000. In case of successful negotiations we guarantee you will get:
1) Decryptor for all your Windows and Hyper-V machines;
2) Non recoverable removal of all downloaded data from our side;
3) Security report on how you were hacked to fix your vulnerabilities and avoid such situations in future.
Hope you can correctly assess the risks for your company.
You can find more information about Black Basta Group in Google.
[BlackBasta] — 12:58 — Message 5/50
[REDACTED URL]
This is full list of your taken data.
[BlackBasta] — 12:58 — Message 6/50
You can choose from this list any 3-5 file names and I will send them to you as a proof. But files should not contain important information.
[Victim] — 11:56 — Message 7/50
Thank you for providing the list. My leadership and IT team are currently reviewing it. It is a large list and it will take some time.
[BlackBasta] — 13:50 — Message 8/50
Okay, we'll be in touch.
[Victim] — 12:41 — Message 9/50
Just making you aware it is a holiday here. When my team selects the file names we will send them.
[BlackBasta] — 15:06 — Message 10/50
okay, we are in touch.
[Victim] — 13:45 — Message 11/50
Thank you for your patience.
[Victim] — 11:51 — Message 12/50
[redacted].pdf // [redacted].docx \\ [redacted].csv // [redacted].xlsx // [redacted].tif
[Victim] — 11:51 — Message 13/50
Here are some file names.
[BlackBasta] — 18:05 — Message 14/50
[REDACTED URL]
[BlackBasta] — 18:05 — Message 15/50
Your requested files.
[Victim] — 12:09 — Message 16/50
Thank you for providing those. I will have my IT and Leadership team look over these.
[BlackBasta] — 14:52 — Message 17/50
Okay, we'll be in touch.
[Victim] — 14:39 — Message 18/50
Understood. No one is in the office today since it is Sunday. We will reach back out to you on Monday.
[BlackBasta] — 17:13 — Message 19/50
ok, we are in touch.
[Victim] — 11:44 — Message 20/50
We have reviewed the files. How does your decryption process work? Do you send us one decryptor that restores all our systems or do you send decryptors for each system affected?
[BlackBasta] — 16:58 — Message 21/50
I can restore all your systems and data into the original state. We can easily check it. You send me 3 encrypted files, I decrypt them and send them back to you. But these files should not contain important information.
[BlackBasta] — 17:01 — Message 22/50
After payment you receive one decryptor that restores all your systems.
[Victim] — 12:38 — Message 23/50
Thank you for the information. We will work on getting some files to send you. How long will it take us to restore once we receive your tools?
[BlackBasta] — 15:36 — Message 24/50
Recovery time depends on the size of your system. Usually takes about 1 day.
[Victim] — 13:27 — Message 25/50
We appreciate you answering our questions. I am still waiting for the files to test. When you say you will bring our systems and data to their original state, does that mean you guarantee that your tool will work on everything?
[BlackBasta] — 20:04 — Message 26/50
We think that you are simply delaying the time, and there is nothing to discuss. We have given the proof of the availability of files, we can also decrypt several encrypted files as a test for demonstrating our decryptor tool. That's all the discussions. Then you must pay the required amount, and we'll provide the program and help restore all your systems and data, also we'll delete all your data and send the deletion log.
[Victim] — 14:23 — Message 27/50
There was no delaying in time; your chat has been down for several days. We have files for you.
[Victim] — 14:23 — Message 28/50
Download file: [redacted].docx
[Victim] — 14:24 — Message 29/50
Download file: [redacted].docx
[Victim] — 14:24 — Message 30/50
Download file: [redacted].docx
[BlackBasta] — 20:26 — Message 31/50
Download file: [redacted].docx
[BlackBasta] — 20:26 — Message 32/50
Download file: [redacted].docx
[BlackBasta] — 20:26 — Message 33/50
Download file: [redacted].docx
[Victim] — 13:34 — Message 34/50
Thank you for this. It is Sunday and that means no decision makers are here. We will be back in touch tomorrow.
[Victim] — 13:06 — Message 35/50
My leadership and IT team are currently reviewing the files.
[Victim] — 14:37 — Message 36/50
We have reviewed the files. Thank you for letting us test your decryption tool. A question has come up from my leadership. Will you provide assistance during the decryption process if we need it? How long will you keep the chat open?
[BlackBasta] — 07:20 — Message 37/50
We will give you a full support the decryption process if you need it. Chat will be open until we have fully fulfilled our obligations.
[BlackBasta] — 07:20 — Message 38/50
Also, after the payment:
1. You receive decryptors (Windows and Linux OS).
2. Your page will be totally deleted from the blog.
3. ALL your data will be deleted from our server and you will receive the full deletion log.
4. You will get penetration report and recommendations how to avoid such the situations in the future.
5. You receive the guarantee that Black Basta or anyone of our team will not NEVER attack you again.
[Victim] — 14:36 — Message 39/50
Okay. Thank you. I will take this to my leadership. We appreciate you answering our questions.
[BlackBasta] — 07:45 — Message 40/50
Okay, we'll be in touch.
[BlackBasta] — 10:21 — Message 41/50
Any updates?
[Victim] — 12:26 — Message 42/50
We appreciate you working with us and answering our questions. You are, however, asking us to pay you a lot of money and we need time to place ourselves in a better financial position to reach an agreement with you. My leadership team is set to meet and discuss this in its finality next Thursday. If you could give us time from now until Friday morning to work hard to place ourselves in a better position, it would show a lot of good faith between us. We were also wondering if there were any discounts available to us so that I could bring that to my leadership during their meeting.
[BlackBasta] — 19:38 — Message 43/50
You had a lot of time. You have time until Monday. If your proposal is not satisfying us on Monday, we will start to publish your data on Tuesday and delete the chat.
[BlackBasta] — 10:03 — Message 44/50
We will take a step towards and make a 25% discount from the initial cost if you pay next week.
[Victim] — 15:08 — Message 45/50
We appreciate the 25% discount and I will bring that to their attention. Monday is not enough time for us to put ourselves in a better financial position to reach what you are asking. Due to the time of year it is difficult to get all of the leadership together to meet on this. Thursday is the earliest they can all meet so they can all be on the same page with this situation. We are trying to work with you and we need you to work with us.
[BlackBasta] — 10:53 — Message 46/50
Sir, you see that we try to act as a businessman who like their business. We are patient, but we need to clearly understand how much time you need to be ready to pay. We can't wait forever.
[Victim] — 13:05 — Message 47/50
We understand and we need until Friday due to our leadership all meeting on Thursday evening so that they can all be on the same page.
[BlackBasta] — 16:28 — Message 48/50
Okay, you have time until Friday. If your proposal is not satisfying us on Friday, we will start publishing your data on the weekend.
[Victim] — 16:40 — Message 49/50
Thank you. We will reach out to you then.
[BlackBasta] — 14:31 — Message 50/50
You made your choice. Your time has passed, we are preparing your data for publication.