Conti Ransomware Negotiation — Redacted Organisation

// Context

About This Negotiation

This transcript documents a Conti ransomware negotiation with a redacted victim organisation. The negotiation consisted of 6 messages exchanged over Unknown.

The initial ransom demand was $22.5M. The final outcome is not confirmed in the transcript.

// Primary Source

Full Transcript — Verbatim

Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.

Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.

[Victim] — 11/21/2020, 10:03:56 AM — Message 1/6

[redacted]: hello

[Victim] — 11/21/2020, 10:04:41 AM — Message 2/6

[redacted]: how money

[Conti] — 11/21/2020, 10:17:36 AM — Message 3/6

Support: The price for full decryption and safe data removal from our servers will be $14000000 (750 BTC). This initial offer was based on the details about your revenue and internal financial documents we currently have access to. If you want to make sure we can decrypt all of your data - you can send us the two files of your choice and we will decrypt them free of charge. Besides the encryption process we've downloaded a large pack of your internal documents, databases content and files. In case the negotiations fail - the data will be published on our news site. If we reach mutual agreement none of your internal data will be published, all the backdoors will be removed and you will be provided with security tips on how to avoid further breaches.

[Conti] — 11/26/2020, 9:48:12 PM — Message 4/6

Support: If we don't hear any reply from your side, than the press release will some part of your internal documents will be posted tomorrow on our news site.

[Conti] — 11/27/2020, 2:50:48 PM — Message 5/6

Support: You can check out the press release on our news site : [REDACTED URL] If you are not going to get in touch with us - we will continue publishing all the data we have.

[Conti] — 12/11/2020, 11:02:48 AM — Message 6/6

Support: We are going to release the database content on Monday. If you want to stop it - just let me know.

// Analysis

Analyst Observations

This was a brief exchange — either the victim responded quickly or disengaged early.
The initial demand of $22.5M places this in the upper tier of ransomware demands, typically reserved for large enterprises.
Conti was a major ransomware operation that effectively shut down in May 2022 after internal chat logs were leaked. Members dispersed to other groups including Royal, BlackBasta, and Karakurt.

Conti Ransomware Negotiation — Redacted Organisation

About This Negotiation

Full Transcript — Verbatim

Analyst Observations

Facing a Ransomware Demand?