Conti Ransomware Negotiation — Redacted Organisation

45 Messages
Unknown Duration
$150,000 Initial Demand
Unknown Outcome

About This Negotiation

This transcript documents a Conti ransomware negotiation with a redacted victim organisation. The negotiation consisted of 45 messages exchanged over an unknown duration.

The initial ransom demand was $150,000. The final outcome is not confirmed in the transcript.

Full Transcript — Verbatim

Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.

Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
[Conti] — 5/3/2021, 3:35:07 PM — Message 1/45
Welcome! We are ready to help you.
[Victim] — 5/3/2021, 9:24:15 PM — Message 2/45
Our data is encrypted. Is there a way to get it back?
[Conti] — 5/3/2021, 9:32:15 PM — Message 3/45
You need pay for decrypt your files. Your price is 900.000$
[Conti] — 5/3/2021, 9:32:54 PM — Message 4/45
The faster you pay the better for pricing - you can get discounts.
[Conti] — 5/3/2021, 9:33:39 PM — Message 5/45
You need to pay this amount and we will give you decryptor for all your network, file tree on what we have downloaded from your network and wiping log of that information.
[Conti] — 5/3/2021, 9:34:40 PM — Message 6/45
You can choose not to pay and then your data will be published in the media with subsequent sale.
[Victim] — 5/4/2021, 4:30:45 PM — Message 7/45
Ok. What kind of discount can we get?
[Conti] — 5/4/2021, 8:59:39 PM — Message 8/45
Let me give you an example : If you will decide to pay in nearest 48 hours, you can get 100k discount. We are interested in fast and effective communication, so be wise and don't waste each others time.
[Victim] — 5/4/2021, 11:00:07 PM — Message 9/45
We don't want to waste anyone's time here. While we appreciate the $100k discount, there still is no way we can afford $800k. We're not really even sure we need the decryption at this point. Can you give me a better number to take to the boss so we can weigh our options?
[Conti] — 5/4/2021, 11:35:41 PM — Message 10/45
You may refuse to pay this your choice. Then we'll release your hacking information. If this does not make you aware, we will publish some of your data for sale to interested parties. We took a step to meet. Now it's your turn. We're waiting for your best offer.
[Victim] — 5/5/2021, 12:34:48 AM — Message 11/45
Paying you seems like our quickest option to get our data back based on what we are reading compared to restoring. We spoke as a group and could pay you $150k if you promise you can unlock us quickly and you will delete our data and tell us what was taken. This offer only stands for tonight, and we arent going to go back and forth with you. How would we even make payment, do we wire you the money? This is our best and final offer.
[Conti] — 5/5/2021, 11:27:44 AM — Message 12/45
Offer of $150,000 to decline. Make the best offer.
[Victim] — 5/5/2021, 12:55:58 PM — Message 13/45
That was our best offer, but we will see if we can justify any higher expense. You wont take $150k but, $800k is way too much for us. We don't want to waste our time or yours. I'm sure you have a number which is the lowest you will accept. If you tell us what the lowest you will accept is, we can see if its something we can afford or if we are better off letting you have the stolen data and rebuilding. The bosses here have told me we need to make a decision today, we can't be negotiating forever, and I'm sure you don't want to be either. We think our 150K is more than reasonable and we were truthful with our highest offer, but if you come close, they owners here might accept.
[Conti] — 5/5/2021, 2:53:52 PM — Message 14/45
considering your desire to resolve the issue quickly ,the price is 500.000$. Let's solve it fast.
[Victim] — 5/5/2021, 3:00:41 PM — Message 15/45
Logo.png.DATA.[redacted] [ 33kB ]
[Victim] — 5/5/2021, 3:00:50 PM — Message 16/45
SmallLogo.png.DATA.[redacted] [ 17kB ]
[Victim] — 5/5/2021, 3:00:53 PM — Message 17/45
Can you decrypt these files and send them back?
[Conti] — 5/5/2021, 3:13:07 PM — Message 18/45
Logo.png.DATA [ 32kB ]
[Conti] — 5/5/2021, 3:14:03 PM — Message 19/45
SmallLogo.png.DATA [ 16kB ]
[Victim] — 5/5/2021, 8:00:46 PM — Message 20/45
desktop.ini.[redacted] [ 1kB ]
[Victim] — 5/5/2021, 8:01:07 PM — Message 21/45
We want to come to an agreement but 500k is so much more we can afford. The owner wants me to start on recovery from the backups but it will take a few days and we will be down. He told me we could pay 250k if you agree today and tell us how to pay. If we pay does the unlock go quick? We also found some additional files that are different. Can you prove you can unlock these too?
[Victim] — 5/5/2021, 8:01:25 PM — Message 22/45
vmxnet[redacted].inf.[redacted] [ 34kB ]
[Conti] — 5/5/2021, 8:20:07 PM — Message 23/45
Offer of $250,000 to decline.
[Victim] — 5/5/2021, 10:10:13 PM — Message 24/45
The owner is asking me how quick we can be back up and running if we pay and how does payment actually work? If we agree to terms he would like to have this done ASAP so we can put this behind us. So we can stop going back and forth what is the best price you can take?
[Conti] — 5/6/2021, 7:16:41 AM — Message 25/45
desktop.ini [ 1kB ]
[Conti] — 5/6/2021, 7:16:47 AM — Message 26/45
vmxnet[redacted].inf [ 33kB ]
[Conti] — 5/6/2021, 7:34:50 AM — Message 27/45
You can back up really fast, depends of the size of your network. You should buy bitcoins for 500k, and send them to address which will give you.
[Victim] — 5/6/2021, 9:45:56 AM — Message 28/45
Okay, we would prefer to decrypt rather than going through a rebuild, but for 500K we can't do it. We see the proof and know you can decrypt. If you accept $325K, you have a deal, and we can pay you today. We hope that makes sense for both of us. We found a company that we can wire money to and they can send you Bitcoins. Let us know if we should prep the $325K. For this, we need the decryption program, we need to know what you have taken, and we need some sort of proof or promise of deletion of our stolen data.
[Victim] — 5/6/2021, 10:24:48 AM — Message 29/45
We also need to know your Bitcoin address.
[Conti] — 5/6/2021, 12:34:37 PM — Message 30/45
If you delay the negotiations, on Monday we will release information about the fact of hacking your network. Further, if you do not understand this, we will publish part of the data to find a buyer for them. We went to your meeting, gave you a good discount. You started pulling time and making us brains. We don't like it. Measures will follow to sober you up. Think three times before you start playing script games with us.
[Conti] — 5/6/2021, 12:36:41 PM — Message 31/45
We'll go to your meeting. Price $450,000 That's the minimum and that's for sure.
[Conti] — 5/6/2021, 12:38:11 PM — Message 32/45
$450,000 and we agree. Wallet: [redacted]
[Victim] — 5/6/2021, 1:25:25 PM — Message 33/45
Ok. We will work on payment now.
[Conti] — 5/6/2021, 1:38:50 PM — Message 34/45
Okay, we're waiting.
[Victim] — 5/6/2021, 8:07:54 PM — Message 35/45
Payment has been been completed. Please send decryption tool as soon as possible. [REDACTED URL]
[Conti] — 5/6/2021, 9:35:17 PM — Message 36/45
Status:Confirmed
[Conti] — 5/6/2021, 9:35:32 PM — Message 37/45
Expect you to get everything soon.
[Conti] — 5/6/2021, 10:29:33 PM — Message 38/45
Everything will be given to you tomorrow. The technician is now absent.
[Conti] — 5/6/2021, 10:47:19 PM — Message 39/45
[redacted]_decryptor.exe [ 103kB ]
[Conti] — 5/6/2021, 10:47:45 PM — Message 40/45
Decryptor: 1) Launch the decryptor under Administrative rights 2) Wait till the decryptor window is closed 3) if any of the files haven't changed the extension back to the original - repeat 1 and 2
[Conti] — 5/7/2021, 9:20:42 PM — Message 41/45
Wait. Your date is still to be deleted.
[Conti] — 5/8/2021, 7:27:37 PM — Message 42/45
[redacted]_tree.txt.7z [ 842kB ]
[Conti] — 5/8/2021, 7:28:04 PM — Message 43/45
Wait. Your date is still to be deleted.
[Conti] — 5/11/2021, 3:30:47 PM — Message 44/45
SHRED_[redacted].txt.7z [ 7.6MB ]
[Conti] — 5/11/2021, 3:44:14 PM — Message 45/45
Your deletion log. Please contact us if you have any questions.
