BlackMatter Ransomware Negotiation — Redacted Organisation

Messages: 77
Duration: Unknown
Initial demand: $15.0M
Outcome: Unknown

About This Negotiation

This transcript documents a BlackMatter ransomware negotiation with a redacted victim organisation. The negotiation consisted of 77 messages exchanged over an unknown duration.

The initial ransom demand was $15.0M. The final outcome is not confirmed in the transcript.

Full Transcript — Verbatim

Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.

Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.

[BlackMatter] — 07 Sep, 00:44 AM [NY time] — Message 1/77
Hello and welcome to BlackMatter. How may I help you?
[Victim] — 10 Sep, 04:46 AM [NY time] — Message 2/77
Hello
[Victim] — 10 Sep, 04:46 AM [NY time] — Message 3/77
I need help with decrypt my data
[BlackMatter] — 10 Sep, 04:57 AM [NY time] — Message 4/77
To decrypt your files you have to purchase the decryption software. It costs $15m for you.
[Victim] — 10 Sep, 05:20 AM [NY time] — Message 5/77
This is too hiigh a price. Give me proof that the price is adequate for the data you have.
[BlackMatter] — 10 Sep, 07:13 AM [NY time] — Message 6/77
First of all, can you introduce yourself, state the company name and your position in it.
[Victim] — 10 Sep, 07:25 AM [NY time] — Message 7/77
I am a spokesperson for the company and I will sell the information to my customer. Because this is not secure communication, I do not want to state the name of the company and I assume that we will delete this chat after the meeting.
[Victim] — 10 Sep, 07:26 AM [NY time] — Message 8/77
I am authorized to communicate with you on behalf of the company and to establish conditions that will be acceptable to both parties.
[Victim] — 10 Sep, 07:29 AM [NY time] — Message 9/77
First of all, I would be happy if we set a price that is negotiable. Next, it would be good to submit information about the data you have in your possession so that we can consider paying the ransom and start negotiating the price.
[BlackMatter] — 10 Sep, 07:29 AM [NY time] — Message 10/77
We have the doubts you are from company we need the proofs that you are from there.
[BlackMatter] — 10 Sep, 07:30 AM [NY time] — Message 11/77
So how can you prove it?
[Victim] — 10 Sep, 07:33 AM [NY time] — Message 12/77
I can't prove it. We're gonna have to trust each other.
[Victim] — 10 Sep, 07:36 AM [NY time] — Message 13/77
If you want to pay, then this is the only way to come to an agreement. So that emotions are not used in the negotiations, I am here as an intermediary. My client doesn't want to negotiate, even though it seems to be the only option. Although they have backups, but the restoration will take some time, so I would like to negotiate an adequate price.
[BlackMatter] — 10 Sep, 07:35 AM [NY time] — Message 14/77
You cant prove it because you don't know it. This is just confirmed our doubts have a nice day.
[Victim] — 10 Sep, 07:37 AM [NY time] — Message 15/77
We are a protected society and I cannot afford to openly write who it is. I only know the owner of the company who owns several companies.
[Victim] — 10 Sep, 07:43 AM [NY time] — Message 16/77
If you do not want to cooperate, then I will pass this information on to the customer and the media to make it obvious that BlackMatter are a group of crooks.
[BlackMatter] — 10 Sep, 07:43 AM [NY time] — Message 17/77
This is ridiculous, you can prove it in hundreds different ways, without compromising so called “privacy”.
[Victim] — 10 Sep, 07:46 AM [NY time] — Message 18/77
Give an example.I only know the owners of the companies.
[BlackMatter] — 10 Sep, 07:46 AM [NY time] — Message 19/77
To start a cooperation, we have to know with whom we a dealing and you failing it. So far you looks as some boring guy who got a sample from virus total and obtained the chat link.
[Victim] — 10 Sep, 07:48 AM [NY time] — Message 20/77
They found this file in their system and that's why I came to your page C:\[redacted].README.txt
[BlackMatter] — 10 Sep, 07:49 AM [NY time] — Message 21/77
You can upload the company’s letterhead, you can tell to us domain controllers name, name of backing up software it is just a few)
[Victim] — 10 Sep, 07:50 AM [NY time] — Message 22/77
Actually I don't have much time to deal with authorization. I want to help the customer and negotiate the terms of cooperation. Just because anyone can watch this chat, I don't want to share any information and prove that I am who I am. Do you want to negotiate the price?
[BlackMatter] — 10 Sep, 07:52 AM [NY time] — Message 23/77
So far it looks as your main objective is to f*ck with us)
[Victim] — 10 Sep, 07:52 AM [NY time] — Message 24/77
The environment is isolated and analyzed by the forensics team and the police. I can't interfere with the investigation, and all the documentation has been encrypted, as the customer told me.
[Victim] — 10 Sep, 07:53 AM [NY time] — Message 25/77
I certainly don't feel like fucking with you. I want to talk and get this thing resolved as soon as possible.
[BlackMatter] — 10 Sep, 07:53 AM [NY time] — Message 26/77
Here we go again, to negotiate with whom with some random Joe?
[BlackMatter] — 10 Sep, 07:54 AM [NY time] — Message 27/77
Ok, this is simple prove you are from company or just go grab another sample from VT.
[Victim] — 10 Sep, 07:55 AM [NY time] — Message 28/77
Yes, let's talk about price and what you get for our data. Then we can discuss the price of the decryptor.
[Victim] — 10 Sep, 07:56 AM [NY time] — Message 29/77
What is VT?
[BlackMatter] — 10 Sep, 07:56 AM [NY time] — Message 30/77
Oh [redacted] you so clever) virustotal.com
[Victim] — 10 Sep, 07:59 AM [NY time] — Message 31/77
Oh, I see. So how do we do it?
[BlackMatter] — 10 Sep, 07:59 AM [NY time] — Message 32/77
You have the options 1. Internal windows domain name. 2. Domain administrators name. 3. Backup software name. This information aren’t locked by encrypting software or police)
[Victim] — 10 Sep, 08:04 AM [NY time] — Message 33/77
1) [redacted]
[Victim] — 10 Sep, 08:04 AM [NY time] — Message 34/77
2) administrator
[BlackMatter] — 10 Sep, 08:06 AM [NY time] — Message 35/77
2) administrator this is too generic give us another one
[Victim] — 10 Sep, 08:08 AM [NY time] — Message 36/77
[redacted]
[BlackMatter] — 10 Sep, 08:12 AM [NY time] — Message 37/77
Ok, John thank you. So you see the price, you need to pay it.
[Victim] — 10 Sep, 08:16 AM [NY time] — Message 38/77
Are we really not? This bill was sent to me by their owner. I'm gonna look like a fool if we don't agree on a price.
[BlackMatter] — 10 Sep, 08:19 AM [NY time] — Message 39/77
Your English is too sophisticated for me, can you try again)
[Victim] — 10 Sep, 08:22 AM [NY time] — Message 40/77
Are we really not? This account was sent by their owner. If we don't make a deal, I'm gonna look like an idiot.
[Victim] — 10 Sep, 08:23 AM [NY time] — Message 41/77
I don't speak English, so I translate automatically.
[BlackMatter] — 10 Sep, 08:31 AM [NY time] — Message 42/77
You see the demanded price. If you’ll pay it you will get. 1. The decrypting tools. 2. Your data back (we took 1.5TB, PII, NDA, emails, MSSQL databases) 3. A file tree. 4. Explanation how the company was breached.
[Victim] — 10 Sep, 08:40 AM [NY time] — Message 43/77
The price is not adequate. Give me a price I can pass on to the owner of the company.
[BlackMatter] — 10 Sep, 08:46 AM [NY time] — Message 44/77
We have no idea what a price is adequate for you. We can make 10% discount for fast payment and remove 25% BTC transaction fee. Make the offer. But to make it simple we will not consider the offer less than 7-figure number.
[Victim] — 10 Sep, 08:50 AM [NY time] — Message 45/77
Our idea was $500,000, but we can negotiate a price of $1,000,000. Give us proof that there is information sensitive enough to be of such value.
[BlackMatter] — 10 Sep, 08:53 AM [NY time] — Message 46/77
Do you want me upload a sample with office documents? The emails and sqls are too big but we have them all.)
[BlackMatter] — 10 Sep, 08:55 AM [NY time] — Message 47/77
One more detail we know the company doesn't have the backups. Rubrik is gone)
[Victim] — 10 Sep, 09:03 AM [NY time] — Message 48/77
We have offline backups. Ok show me the office document and a screenshot of the database.
[Victim] — 10 Sep, 09:04 AM [NY time] — Message 49/77
Do you also have the passwords of the domain users? Give me a screenshot.
[BlackMatter] — 10 Sep, 09:05 AM [NY time] — Message 50/77
You have tapes for [redacted] but they are useless without software.
[BlackMatter] — 10 Sep, 09:09 AM [NY time] — Message 51/77
This is the screenshot for DA hashes and passwords. [REDACTED URL]
[Victim] — 10 Sep, 09:13 AM [NY time] — Message 52/77
We have a backup created by other software and transferred to a SAN to a backup data center. Restoration will take a long time, but it is possible. What databases do you have?
[BlackMatter] — 10 Sep, 09:14 AM [NY time] — Message 53/77
Yo can get the sample by following link. [REDACTED URL] We will not make DB screenshots too much work.
[BlackMatter] — 10 Sep, 09:17 AM [NY time] — Message 54/77
We have dbs from [redacted]SQL SQL2014Test [redacted]SQL1 [redacted]-SQL [redacted]-SQL
[Victim] — 10 Sep, 09:22 AM [NY time] — Message 55/77
Data in databases should be encrypted. Just because you have database servers doesn't mean anything.
[BlackMatter] — 10 Sep, 09:25 AM [NY time] — Message 56/77
Should or is? )
[Victim] — 10 Sep, 09:29 AM [NY time] — Message 57/77
According to IT, it should be. Let's make a deal like this. If the data in the database is encrypted, we'll pay you $100,000 to decrypt it for us. If the data in the databases is not encrypted, then we'll pay you $700,000. $700,000 is the price we have to invest in recovery, and if the recovery with the decryptor is faster, then we'll save money on service outages.
[BlackMatter] — 10 Sep, 09:42 AM [NY time] — Message 58/77
To complicated, we said what will provide if we’ll agree on price. $700k is unacceptable.
[Victim] — 10 Sep, 09:47 AM [NY time] — Message 59/77
Okay, then the price is $1,000,000 if the data is readable.
[BlackMatter] — 10 Sep, 09:54 AM [NY time] — Message 60/77
Without any conditions, you are paying for decrypting tools and fast recovery, the data is collateral. You will not recover so easily without decryptor. We can do negotiations pretty long; time is on our side. If you are want to finish this fast make the acceptable offer.
[Victim] — 10 Sep, 09:59 AM [NY time] — Message 61/77
The data you hold is worse for us than having to recover it. The data you hold is worth no more than $1,000,000, which is why we are offering this price. We can restore the data from offline backups (we have tested this). A higher price than $1,000,000 is not acceptable to us. If you don't accept this price, then I need to check with the owner of the company what we will do next and if we can offer more money.
[BlackMatter] — 10 Sep, 10:04 AM [NY time] — Message 62/77
How you evaluate data’s price can I see a formula?
[BlackMatter] — 10 Sep, 10:12 AM [NY time] — Message 63/77
You can do incremental and we can do decremental steps, make the offer that we can turn down. 1 is to far away from 15.
[Victim] — 10 Sep, 10:16 AM [NY time] — Message 64/77
We evaluate it subjectively. We have already written to people about PII, so the reputational impact has already occurred. We're gonna put new passwords in Active Directory. Office documents aren't that valuable to us. The only thing of value is the databases.
[Victim] — 10 Sep, 10:18 AM [NY time] — Message 65/77
15 is meaningless. I thought 15 was just a number, but not the actual ransom.
[BlackMatter] — 10 Sep, 10:18 AM [NY time] — Message 66/77
We just checked the random db, data is fine and not encrypted. Have a look. [REDACTED URL]
[Victim] — 10 Sep, 10:20 AM [NY time] — Message 67/77
I understand, but for us only the know-how and customer information in the databases is worth anything.
[Victim] — 10 Sep, 10:21 AM [NY time] — Message 68/77
I can see it now. Then name a price that makes sense for both sides.
[BlackMatter] — 10 Sep, 10:22 AM [NY time] — Message 69/77
Nothing sn meaningless, we did a good pentest for your company it has to be rewarded. $1kk is not enough. Do some consultations and come with a better offer.
[BlackMatter] — 10 Sep, 10:24 AM [NY time] — Message 70/77
One of your competitors was hit the same yesterday if it helps to your feelings.
[BlackMatter] — 10 Sep, 10:25 AM [NY time] — Message 71/77
If you will offer the good price today we can make a decent discount for you.
[Victim] — 10 Sep, 10:57 AM [NY time] — Message 72/77
I need to check with the management and the owners. What competitor do you think?
[BlackMatter] — 10 Sep, 11:01 AM [NY time] — Message 73/77
By the way they offer much more then you.
[Victim] — 10 Sep, 11:17 AM [NY time] — Message 74/77
I guess they don't have backup.
[BlackMatter] — 10 Sep, 11:19 AM [NY time] — Message 75/77
You either, you tried to do it on Sunday but you know what has happened.
[Victim] — 10 Sep, 11:23 AM [NY time] — Message 76/77
We are restoring. I'm gonna go talk to the management.
[BlackMatter] — 10 Sep, 11:24 AM [NY time] — Message 77/77
[REDACTED URL]
