Conti Ransomware Negotiation — Redacted Organisation

Messages: 146
Duration: Unknown
Initial Demand: $9.1M
Outcome: Paid

About This Negotiation

This transcript documents a Conti ransomware negotiation with a redacted victim organisation. The negotiation consisted of 146 messages exchanged over an unknown duration.

The initial ransom demand was $9.1M. The negotiation resulted in a confirmed payment.

Full Transcript — Verbatim

Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.

Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
[Victim] — 12/30/2020, 2:34:05 PM — Message 1/146
[redacted]: Help?
[Conti] — 12/30/2020, 2:56:23 PM — Message 2/146
Support: Hello
[Conti] — 12/30/2020, 2:57:23 PM — Message 3/146
Support: Are you ready to negotiate?
[Conti] — 12/30/2020, 3:07:43 PM — Message 4/146
Support: As you already know - your network and all of your data were encrypted by CONTI team. Besides the encryption process we've downloaded a large pack of your internal documents and files that will be published in case our negotiations fail. How it happens can be seen on our website [REDACTED URL] (TOR mirror: [REDACTED URL]) The recovery price is $8500000 (302.5 BTC). This initial offer is based on the details about your revenue and internal financial documents we currently have access to. If you want to make sure we can recover all of your data - you can send us the two files of your choice and we will decrypt them free of charge. If we reach mutual agreement you will be provided with decryption tool, none of your internal data will be published, all the backdoors will be removed from your network and you will be provided with security tips on how to avoid further breaches. We strongly recommend to review our offer in a timely manner to avoid additional expenses from your side on security software and on building the new network from scratch.
[Victim] — 12/30/2020, 3:14:33 PM — Message 5/146
[redacted]: That's a crazy price. How do we even know if this will work?
[Conti] — 12/30/2020, 3:15:25 PM — Message 6/146
Support: You can send 2 files for decrypt. Its free.
[Conti] — 12/30/2020, 3:17:52 PM — Message 7/146
Support: In addition, we have stolen more than 1 terabyte of information from your network.
[Victim] — 12/30/2020, 3:21:06 PM — Message 8/146
[redacted]: We have a lot of questions. Maybe you've got the wrong price because we have no idea what internal financial documents show that we can pay $8,500,000.
[Conti] — 12/30/2020, 3:31:45 PM — Message 9/146
Support:  Hours and Revenue analysis November 2020 YTD (2).xlsx [ 52kB ]
[Victim] — 12/30/2020, 3:35:55 PM — Message 10/146
[redacted]: I'm not in finance but those look like revenue numbers, not profits. Can you share the files you've taken so that our team can verify?
[Conti] — 12/30/2020, 3:37:42 PM — Message 11/146
Support: Yes. Please wait.
[Victim] — 12/30/2020, 3:38:06 PM — Message 12/146
[redacted]: Thanks. I should have 2 files for you shortly.
[Conti] — 12/30/2020, 3:44:47 PM — Message 13/146
Support:  list_firstpart.zip [ 5MB ]
[Victim] — 12/30/2020, 3:51:40 PM — Message 14/146
[redacted]: What's this?
[Conti] — 12/30/2020, 3:52:15 PM — Message 15/146
Support: Listing of the first part of the stolen information
[Victim] — 12/30/2020, 3:58:55 PM — Message 16/146
[redacted]: Will we get more parts later?
[Conti] — 12/30/2020, 4:00:24 PM — Message 17/146
Support: Yes, we are unpacking a terabyte. It will take a lot of time. You can select any file from the listing and we will discard it as proof that we have these files.
[Victim] — 12/30/2020, 4:06:27 PM — Message 18/146
[redacted]: Ok please let us know once it has been unpacked. It will be important to get the full listing
[Victim] — 12/30/2020, 4:06:47 PM — Message 19/146
[redacted]:  [redacted]-EMEA.xml.[redacted] [ 3kB ]
[Victim] — 12/30/2020, 4:07:10 PM — Message 20/146
[redacted]: Can you decrypt this?
[Conti] — 12/30/2020, 4:08:50 PM — Message 21/146
Support: I have sent your file to the technical department. Wait.
[Conti] — 12/30/2020, 6:00:58 PM — Message 22/146
Support:  [redacted]-EMEA.xml [ 2kB ]
[Victim] — 12/30/2020, 11:20:05 PM — Message 23/146
[redacted]: We're going to review all these files. Any update on the 1 TB?
[Conti] — 12/31/2020, 1:33:54 AM — Message 24/146
Support: Will upload the file listing as soon as it's ready.
[Victim] — 12/31/2020, 2:01:24 PM — Message 25/146
[redacted]: Ok we'll be here. Thanks
[Conti] — 12/31/2020, 2:29:43 PM — Message 26/146
Support: 25 % ready. This is a very slow process. Wait.
[Conti] — 12/31/2020, 2:30:23 PM — Message 27/146
Support: It will take a few days
[Conti] — 12/31/2020, 2:31:01 PM — Message 28/146
Support: You can choose ANY file from the listing above and we will discard it as proof
[Victim] — 12/31/2020, 9:23:03 PM — Message 29/146
[redacted]: We'll work on that. Offices are closed the next few days but we'll be in touch. Ok?
[Victim] — 12/31/2020, 9:23:11 PM — Message 30/146
[redacted]: This is our priority
[Conti] — 12/31/2020, 9:30:38 PM — Message 31/146
Support: Ok, just keep us updated on your progress.
[Conti] — 1/1/2021, 2:20:17 PM — Message 32/146
Support: 50% Ready
[Conti] — 1/2/2021, 10:40:13 AM — Message 33/146
Support: 70% Ready
[Victim] — 1/2/2021, 1:36:54 PM — Message 34/146
[redacted]: Thanks. We're still here
[Victim] — 1/2/2021, 4:06:21 PM — Message 35/146
[redacted]: While you're pulling the file tree, can you send us this file? 05/07/2020 02:55 PM 106,393 [redacted] - Draft 2020 05 06 v2.docx
[Conti] — 1/2/2021, 5:08:27 PM — Message 36/146
Support: Yes, will upload soon
[Conti] — 1/2/2021, 6:43:36 PM — Message 37/146
Support:  [redacted]---draft-2020-05-06-v2.docx [ 104kB ]
[Conti] — 1/3/2021, 6:25:38 AM — Message 38/146
Support: %90 ready
[Victim] — 1/3/2021, 4:38:25 PM — Message 39/146
[redacted]: Thanks, still here and checking in.
[Conti] — 1/3/2021, 5:18:45 PM — Message 40/146
Support: 100% ready. Wait listing
[Conti] — 1/3/2021, 5:24:33 PM — Message 41/146
Support:  listing_1tb.zip [ 9.2MB ]
[Conti] — 1/3/2021, 5:25:13 PM — Message 42/146
Support: You can choose ANY file from the listing above and we will discard it as proof
[Victim] — 1/4/2021, 1:36:29 PM — Message 43/146
[redacted]: Thanks. So this is a directory of every single file you've taken from our network?
[Conti] — 1/4/2021, 2:21:52 PM — Message 44/146
Support: yes
[Conti] — 1/4/2021, 2:22:42 PM — Message 45/146
Support: total of data more 1tb
[Conti] — 1/4/2021, 2:29:38 PM — Message 46/146
Support: so, what other questions do you have?
[Victim] — 1/4/2021, 4:21:12 PM — Message 47/146
[redacted]: Thanks. We are looking now
[Conti] — 1/4/2021, 7:25:14 PM — Message 48/146
Support: so ?
[Victim] — 1/4/2021, 10:12:32 PM — Message 49/146
[redacted]: This is a lot of data to review. How did you get these files off our network?
[Conti] — 1/4/2021, 10:16:59 PM — Message 50/146
Support: Packing data into an archive provides compression up to 95%
[Conti] — 1/4/2021, 10:18:35 PM — Message 51/146
Support: After the deal is concluded, we will give recommendations on how to prevent this.
[Conti] — 1/4/2021, 10:19:03 PM — Message 52/146
Support: I propose to return to the discussion of the agreement
[Conti] — 1/4/2021, 10:27:23 PM — Message 53/146
Support: After the conclusion of the agreement, we overwrite the data
[Victim] — 1/4/2021, 10:46:43 PM — Message 54/146
[redacted]: Yes, we want to discuss the agreement. $8,500,000 is a lot of money. We're just trying to see all the details because that is still an unexpected amount.
[Victim] — 1/4/2021, 10:47:05 PM — Message 55/146
[redacted]: Even if we had that much money, how do we know you won't just take the money and resell the data?
[Conti] — 1/4/2021, 10:49:20 PM — Message 56/146
Support: We will show the cleaning logs
[Conti] — 1/4/2021, 10:53:38 PM — Message 57/146
Support: This price is indicated for restoring ALL data in your network and deleting data on our servers
[Conti] — 1/4/2021, 10:54:46 PM — Message 58/146
Support: We will give a decryptor and you will restore all the work
[Conti] — 1/5/2021, 6:39:28 AM — Message 59/146
Support: We value our reputation and never leak any data after the deal is closed
[Victim] — 1/5/2021, 7:45:42 AM — Message 60/146
[redacted]: Alright, so we are thinking this through now. I will get back to you soon, alright?
[Conti] — 1/5/2021, 7:46:25 AM — Message 61/146
Support: Ok, waiting.
[Victim] — 1/5/2021, 7:06:47 PM — Message 62/146
[redacted]: We're trying to get answers on our end. Thanks for waiting
[Conti] — 1/5/2021, 7:10:31 PM — Message 63/146
Support: Ok waiting
[Conti] — 1/5/2021, 7:11:51 PM — Message 64/146
Support: If you have any questions - we can help you But the sooner you conclude an agreement, the sooner you will resume work and will no longer suffer losses due to this situation.
[Victim] — 1/5/2021, 7:40:18 PM — Message 65/146
[redacted]: Can you send this file? 08/03/2020 05:14 PM 13,697 [redacted]_v4 CL.docx
[Conti] — 1/5/2021, 7:41:36 PM — Message 66/146
Support: Yes Wait
[Conti] — 1/5/2021, 7:42:23 PM — Message 67/146
Support:  [redacted]_v4-cl.docx [ 13kB ]
[Victim] — 1/5/2021, 7:47:36 PM — Message 68/146
[redacted]: Thanks for the quick response
[Conti] — 1/5/2021, 7:48:00 PM — Message 69/146
Support: Are you convinced? There is really a lot of your data here
[Victim] — 1/5/2021, 7:53:54 PM — Message 70/146
[redacted]: We certainly see that you have our data. Nothing to hide there
[Victim] — 1/5/2021, 7:54:11 PM — Message 71/146
[redacted]: It's the price that's causing us heartburn...
[Conti] — 1/5/2021, 7:57:28 PM — Message 72/146
Support: Publishing data will cause customer churn and you will lose much more. It is more profitable to work with us
[Victim] — 1/5/2021, 10:02:26 PM — Message 73/146
[redacted]: Yes, but how do we pay if we don't have the cash?
[Conti] — 1/6/2021, 7:48:31 AM — Message 74/146
Support: There are plenty of ways to get the cash, like insurance or a corporate loan.
[Victim] — 1/6/2021, 7:53:21 AM — Message 75/146
[redacted]: If those were options we would have pulled those levers already!
[Conti] — 1/6/2021, 7:58:29 AM — Message 76/146
Support: We are ready to hear your proposal which is based on your abilities, but it should be relevant to the initial offer.
[Victim] — 1/6/2021, 7:22:39 PM — Message 77/146
[redacted]: We are treating this as a data leak, no matter what. However, there is some upside to getting the files deleted (even though there are no assurances). Millions of dollars is excessive for this type of data and we don't have much need for a decryptor. Our proposal is $250,000.
[Conti] — 1/6/2021, 7:48:08 PM — Message 78/146
Support: That is way lower than your abilities and not as relevant to our expectations as we thought. Although I will pass your offer to my boss and get back to you.
[Victim] — 1/7/2021, 7:46:05 AM — Message 79/146
[redacted]: Sounds good. Thanks.
[Conti] — 1/7/2021, 8:55:46 AM — Message 80/146
Support: We've discussed internally, and taking in consideration the facts that you are trying to work this through and the fact that you don't need the decryption tool I've managed to convince my boss to provide you the huge discount by going down to $2125000 (70% discount). If we close the deal this way we have to intention to sell or publish your data of course.
[Victim] — 1/7/2021, 7:41:23 PM — Message 81/146
[redacted]: We are still far apart but we view this is a positive step. Thank you.
[Victim] — 1/7/2021, 7:41:34 PM — Message 82/146
[redacted]: Can we discuss with our team?
[Conti] — 1/7/2021, 7:41:54 PM — Message 83/146
Support: yes
[Victim] — 1/8/2021, 1:41:55 PM — Message 84/146
[redacted]: This reduction is interesting. It's almost end of week here and some of our management wants to discuss. Can we reach out next week?
[Conti] — 1/8/2021, 1:46:38 PM — Message 85/146
Support: Yes, sure, let's get back to this on Monday. Just keep us updated on the progress.
[Victim] — 1/8/2021, 7:53:02 PM — Message 86/146
[redacted]: Ok
[Victim] — 1/11/2021, 6:15:35 PM — Message 87/146
[redacted]: We're connecting on this topic later today and tomorrow morning. We may be able to increase the dollar amount.
[Conti] — 1/12/2021, 8:45:38 AM — Message 88/146
Support: Ok, will be waiting for further details
[Victim] — 1/12/2021, 10:32:48 PM — Message 89/146
[redacted]: We have reviewed the data and while the files contain company information, they will not cause millions in damage. Even if they did, we'd have to live with that because we are on a tight budget in 2021. However, we think there is some value with your cooperation and we're prepared to pay $400,000 immediately. We can work out the details if you want to make a profit. Otherwise, we may be out of opportunities.
[Conti] — 1/12/2021, 11:38:56 PM — Message 90/146
Support: We will discuss internally and get back to you soon.
[Victim] — 1/13/2021, 8:13:13 AM — Message 91/146
[redacted]: great, ok thank you.
[Conti] — 1/13/2021, 10:58:09 AM — Message 92/146
Support: We've discussed, despite the fact that my boss considers our last offer reasonable I managed to convince him to review it. He agreed to go down to $600k if the deal will be closed by the end of this week. Once the transfer is made you will be provided with security recommendations on network improvement, breach details, all your files will be completely wiped from our servers once and for all. Also we can upload your files to mega.nz secure share and provide you with full access to it. That's a fair offer and I did everything possible to make it work. Hope you appreciate.
[Victim] — 1/13/2021, 6:24:56 PM — Message 93/146
[redacted]: We do appreciate that but we'll need to discuss since it's more money than what we have at the moment. Before we discuss, can you also confirm that we would receive a decryption tool in addition to the above deliverables?
[Conti] — 1/13/2021, 8:08:47 PM — Message 94/146
Support: As I remember you do not need a decryption tool. Am I mistaken? Most of the discount was provided based on the fact that you do not need the decryption.
[Victim] — 1/13/2021, 8:16:03 PM — Message 95/146
[redacted]: There are some files that would save us time. $400,000 is not a small amount.
[Conti] — 1/13/2021, 8:27:04 PM — Message 96/146
Support: That is way below our offer. Yes, surely the decryptor would save you some time, and time means money. The $600k offer was for the data we hold. As you must understand we have some experience in negotiations, and you are trying to put us in the position that you think we accept, based on the basic information that is in the press about usual sum we get. Relying on the press or public opinion is a mistake. About 75% of our deals are never leaked to the public or revealed. We will be waiting for your decision by tomorrow. $600k for the files or something better for full pack.
[Victim] — 1/13/2021, 10:28:14 PM — Message 97/146
[redacted]: Yes, we know you are very experienced. We can sense it. All we're doing is seeing how much money we can spend, and $400,000 is a large sum. If we go down this path, then we certainly want all of the items that are available.
[Victim] — 1/13/2021, 10:30:33 PM — Message 98/146
[redacted]: We've read about you in the press but we have no idea about the usual sum that you get. No one here wants to play games, and that's why we're trying to finalize the deliverables in advance. We want a solution and we assume you want to get paid. But $400,000 is only available if we can get everything. How else can we afford to pay that much?
[Conti] — 1/14/2021, 5:24:58 AM — Message 99/146
Support: The $400k is too low anyways. I will talk to my boss and try to get an offer for $600k that will contain the decryptor. Give me few hours.
[Victim] — 1/14/2021, 7:58:23 AM — Message 100/146
[redacted]: Alright - your best offer that includes the decryptor will be taken under very serious consideration. Thank you.
[Conti] — 1/14/2021, 1:57:30 PM — Message 101/146
Support: Talked to my boss. When he heard about the decryption tool being needed, at first he was ready to move back to the previous offer or at least move to 1.2mil (x2 from the data offer), but we've decided not to be hard on you and are ready to stay at $750k. Take this to the management and let me know what they decide.
[Victim] — 1/14/2021, 3:02:47 PM — Message 102/146
[redacted]: I appreciate you trying. We have a lot of money set aside for this but $750,000 just won't be possible. If the price was $600,000 then we may have been able to push closer to that. But at $750,000, it is just so far...
[Conti] — 1/14/2021, 3:05:00 PM — Message 103/146
Support: We can leave it $600k if the transfer will be done today or tomorrow. The BTC wallet is : [redacted]
[Victim] — 1/14/2021, 3:10:31 PM — Message 104/146
[redacted]: Let me discuss with the team. This is still above our budget but we can try to work towards it quickly. Thanks.
[Victim] — 1/14/2021, 10:51:32 PM — Message 105/146
[redacted]: We took this to management and discussed. They were certainly appreciative of you being able to include the decryptor in the $600,000 price. While the price itself is still high for us, we feel more confident in being able to move past this with you. We may be paying more than the value, but want to keep the positivity in our discussions. As a result, we can increase our offer to $450,000 and can begin the transfer soon if you are with us. Thank you.
[Conti] — 1/15/2021, 12:23:42 AM — Message 106/146
Support: $600k. take it back.
[Conti] — 1/15/2021, 12:24:47 AM — Message 107/146
Support: And the sum will be increased if we will not receive the funds within mentioned time frames.
[Victim] — 1/15/2021, 7:44:07 AM — Message 108/146
[redacted]: Well, increasing the sum is not going to get us any closer. I will get back to you in a bit.
[Victim] — 1/15/2021, 1:06:43 PM — Message 109/146
[redacted]: We had an early morning call. $450,000 is our limit and this is more than what we anticipated paying. We can start the payment process soon if you can agree. Otherwise, this may not be the ending we had hoped for.
[Victim] — 1/15/2021, 1:11:35 PM — Message 110/146
[redacted]: We know you worked hard to make this work and we appreciate it. It's just that we're at our limit.
[Conti] — 1/15/2021, 5:48:18 PM — Message 111/146
Support: You still have a little time to conclude an agreement on the terms above. Then the price will increase.
[Victim] — 1/15/2021, 5:51:22 PM — Message 112/146
[redacted]: We have worked day and night to make this work and we understand you're doing the same. If the price goes up then there is no way we can pay. All we ask is for a little help so that we can get the cash in your hands. $450,000 is not a small amount for us.
[Conti] — 1/15/2021, 5:53:04 PM — Message 113/146
Support: I'm sorry. I'll talk to the boss today, but I'm afraid he'll stand his ground.
[Victim] — 1/15/2021, 6:16:59 PM — Message 114/146
[redacted]: Thank you. That would be helpful
[Victim] — 1/16/2021, 8:28:15 AM — Message 115/146
[redacted]: Did you talk to your boss today?
[Conti] — 1/16/2021, 12:32:26 PM — Message 116/146
Support: Not yet, will update you as soon as he replies.
[Conti] — 1/16/2021, 3:28:31 PM — Message 117/146
Support: Ok. $450k. BTC wallet : [redacted]
[Victim] — 1/16/2021, 3:59:08 PM — Message 118/146
[redacted]: Thank you. Can you confirm what we will receive in return of a $450,000 payment?
[Conti] — 1/16/2021, 4:11:58 PM — Message 119/146
Support: - Decryption tool. - Your data will be wiped from our servers - Security improvement tips
[Victim] — 1/16/2021, 4:25:54 PM — Message 120/146
[redacted]: And the files will be uploaded to mega.nz for us to review?
[Conti] — 1/16/2021, 4:41:15 PM — Message 121/146
Support: we can upload on mega. yes.
[Victim] — 1/16/2021, 4:45:20 PM — Message 122/146
[redacted]: Ok, we'll be in touch. It may be hard since this is a holiday weekend but we'll send an update
[Victim] — 1/18/2021, 1:59:59 PM — Message 123/146
[redacted]: We're hoping to pay by tomorrow, since today is a holiday. Ok?
[Conti] — 1/18/2021, 3:06:36 PM — Message 124/146
Support: Yes. Let me know as soon as the transfer is made.
[Victim] — 1/19/2021, 2:04:16 PM — Message 125/146
[redacted]: Still here? Can you confirm the wallet for $450,000?
[Conti] — 1/19/2021, 2:14:23 PM — Message 126/146
Support: Yes, just a minute.
[Conti] — 1/19/2021, 2:14:45 PM — Message 127/146
Support: The BTC wallet is the same : [redacted]
[Victim] — 1/19/2021, 7:17:31 PM — Message 128/146
[redacted]: We have paid. Please confirm
[Conti] — 1/19/2021, 7:19:28 PM — Message 129/146
Support: The payment is pending. As soon as it's confirmed you will be provided with decryption software with the instructions on how to use it.
[Victim] — 1/19/2021, 7:32:36 PM — Message 130/146
[redacted]: Ok. And when will get access to the files that you took?
[Conti] — 1/19/2021, 7:33:30 PM — Message 131/146
Support: We will upload them to the mega.nz share the soonest possible.
[Victim] — 1/20/2021, 8:26:11 AM — Message 132/146
[redacted]: Do you have our tool yet?
[Conti] — 1/20/2021, 10:24:45 AM — Message 133/146
Support: Will be ready within next 4-5 hours.
[Conti] — 1/20/2021, 3:12:06 PM — Message 134/146
Support:  [redacted]_decryptor.exe [ 102kB ]
[Victim] — 1/20/2021, 3:22:04 PM — Message 135/146
[redacted]: We're taking a look now. Any update on mega.nz?
[Conti] — 1/20/2021, 3:22:59 PM — Message 136/146
Support: It's pretty much data so it keeps being uploaded. Will update you as soon as it's ready.
[Victim] — 1/20/2021, 4:24:43 PM — Message 137/146
[redacted]: Thank you. Please keep us updated
[Victim] — 1/21/2021, 1:21:53 PM — Message 138/146
[redacted]: Will it be available today?
[Conti] — 1/21/2021, 2:21:46 PM — Message 139/146
Support: please wait. about 1 tb
[Conti] — 1/22/2021, 3:04:28 AM — Message 140/146
Support: %50 ready wait
[Conti] — 1/22/2021, 7:50:03 PM — Message 141/146
Support: %90 ready
[Victim] — 1/22/2021, 7:51:54 PM — Message 142/146
[redacted]: Ok. Please keep us updated
[Victim] — 1/23/2021, 2:00:30 PM — Message 143/146
[redacted]: Is there any update on when mega.nz will be ready?
[Conti] — 1/23/2021, 2:26:25 PM — Message 144/146
Support: i check now wait
[Conti] — 1/23/2021, 2:27:37 PM — Message 145/146
Support: [REDACTED URL] check please download all and open first archive unzip and see write please and we will delete from mega
[Victim] — 1/23/2021, 8:48:20 PM — Message 146/146
[redacted]: Thank you. I will let you know.
