// Context
About This Negotiation
This transcript documents a Conti ransomware negotiation with a redacted victim organisation.
The negotiation consisted of 49 messages exchanged over an unknown period.
The initial ransom demand was $1.1M. The negotiation resulted in a confirmed payment.
// Primary Source
Full Transcript — Verbatim
Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.
Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
[Victim] — 3/15/2021, 4:54:28 PM — Message 1/49
Hello - We are here to discuss the situation as a smaller company we are trying to understand what you are asking in this case to get us our files back?
[Conti] — 3/15/2021, 5:02:49 PM — Message 2/49
hello
please wait answer
[Conti] — 3/15/2021, 5:14:44 PM — Message 3/49
As you already know - your network and all of your data were encrypted by CONTI team. Besides the encryption process we've downloaded a large pack of your internal documents and files that will be published in case our negotiations fail. How it happens can be seen on our website [REDACTED URL]
The recovery price is $1100000 (20 BTC). If you want to make sure we can recover all of your data - you can send us the two files of your choice and we will decrypt them free of charge.
If we reach mutual agreement your will be provided with decryption tool, none of your internal data will be published and you will be provided with security tips on how to avoid further breaches.
We strongly recommend to review our offer in a timely manner to avoid additional expenses from your side on security software and on building the new network from scratch.
The example data pack will be provided, which will include part of the file list and some actual data you can review.
[Conti] — 3/15/2021, 5:16:17 PM — Message 4/49
The total amount of data downloaded from your network is 835 GB.
The 30% of the whole file listing is attached. You can choose any 2 files from the list and we will upload them as a proof.
[Conti] — 3/15/2021, 5:16:59 PM — Message 5/49
30percentlisting.txt [ 5.9MB ]
[Victim] — 3/16/2021, 5:16:39 PM — Message 6/49
[redacted]_ENCRYPTED.zip [ 675kB ]
[Victim] — 3/16/2021, 5:16:50 PM — Message 7/49
[redacted]-Finances.zip [ 211kB ]
[Victim] — 3/16/2021, 5:16:58 PM — Message 8/49
[redacted]-Dev.zip [ 128kB ]
[Victim] — 3/16/2021, 5:17:02 PM — Message 9/49
can you demonstrate decryption?
[Conti] — 3/16/2021, 5:39:25 PM — Message 10/49
[redacted]_ENCRYPTED.zip [ 651kB ]
[Conti] — 3/16/2021, 5:39:58 PM — Message 11/49
Of course.
[Victim] — 3/17/2021, 2:27:57 PM — Message 12/49
appreciated.
[Victim] — 3/17/2021, 2:28:14 PM — Message 13/49
could you give us these files:
~$Budget 2020-2021 COVID19-2 [redacted]-HSBC v1.1 FINAL FINAL.xlsx [165 Bytes]
~$[redacted] 2021-2022.xlsx [165 Bytes]
~$[redacted] 21-01-2021.xlsx [165 Bytes]
[Conti] — 3/17/2021, 4:51:38 PM — Message 14/49
Yes. Will upload soon.
[Conti] — 3/17/2021, 5:35:48 PM — Message 15/49
[REDACTED URL]
[redacted]
[REDACTED URL]
[Victim] — 3/17/2021, 5:50:08 PM — Message 16/49
appreciate. We will download and review.
[Victim] — 3/18/2021, 1:56:59 PM — Message 17/49
We understand you are asking for 1.1Mil. This is not an amount we can consider as it is more than our annual revenue. You will find if you search us, that we went bankrupt 2 years ago and have been on the losing side since. We would like to discuss how to proceed, but we do not know where to start with this amount.
[Conti] — 3/18/2021, 4:32:53 PM — Message 18/49
We can provide you with 25% discount as a step forward.
[Victim] — 3/19/2021, 2:00:25 PM — Message 19/49
Hi - We are trying to see what we can do but meanwhile can you send me any files from: 1. E:\mssql\data folder on a server called [redacted]-db? log files or something like that. Also on a server called [redacted] can you get me a file from c:\users\[redacted]\documents\[redacted]\exports please? thank you.
[Conti] — 3/20/2021, 8:01:14 AM — Message 20/49
We are looking for those files. Will upload soon.
[Conti] — 3/20/2021, 1:14:04 PM — Message 21/49
We can't find the files you requested by path. We need the exact file names to look for.
[Victim] — 3/20/2021, 6:56:09 PM — Message 22/49
can you find a table in a database if we give you the table name?
[Conti] — 3/21/2021, 12:23:34 PM — Message 23/49
Well, yes, I suppose. But please specify the database name too.
[Victim] — 3/21/2021, 12:37:01 PM — Message 24/49
can you see if you have these files: A) [redacted] server - "TransfertsWeb7DerniersJours_20201220" and "TransfertsWeb7DerniersJours_20201213"; and B) vRaym-DB - "templog.ldf"
[Conti] — 3/22/2021, 12:16:37 PM — Message 25/49
Yes. We have them. Although we have already provided two files of your choice that you have requested I can provide only parts of those files as a confirmation.
StoreName_FromSomme de TotalQtySomme de TotalRetail
[redacted]54717956.87
StoreName_FromSomme de TotalQtySomme de TotalRetail
[redacted]862923.85
[Conti] — 3/22/2021, 8:20:02 PM — Message 26/49
We have provided everything you asked by now. Now we are waiting for your decision. It's been a week already and we are almost past the deadline so we need your decision by tomorrow.
[Victim] — 3/22/2021, 10:16:28 PM — Message 27/49
You have provided everything we asked.
[Victim] — 3/22/2021, 10:16:59 PM — Message 28/49
It is appreciated. It is also used to build some trust in a situation like this.
[Victim] — 3/22/2021, 10:17:32 PM — Message 29/49
We also used the time to see what we can raise in funds because even 800k is not an amount anything will give us.
[Victim] — 3/22/2021, 10:18:11 PM — Message 30/49
I will respond tomorrow we are trying one other thing and then I will be able to say if and what we can offer.
[Conti] — 3/23/2021, 5:58:47 AM — Message 31/49
Ok, we are waiting for the news by tomorrow.
[Victim] — 3/23/2021, 2:10:38 PM — Message 32/49
Hi - we reviewed all the files. The data is not worth much. We are recovered so we do not need decryptors. We cannot pay what you are asking. We are on the verge of insolvency and this certainly does not help. I can pay you 50K to make this go away if you promise and provide assurance that you deleted all the data. This is as much as I am able to do without triggering law enforcement and the banks after me.
[Conti] — 3/23/2021, 2:29:25 PM — Message 33/49
50K is totally impossible. As you can find out from the open sources our "average" is more than a mil. Although we are ready to make a step forward towards you and go down to $450k (if the decryptor is not required, only for the data deletion). My team will not let me go even a dollar lower than $450k.
[Victim] — 3/24/2021, 12:43:40 AM — Message 34/49
We cannot do that, we do not have that kind of funds available to give. I guess we cannot proceed because I cannot give you what you want and I do not have.
[Conti] — 3/24/2021, 9:29:51 AM — Message 35/49
Understandable. Too bad though. We will start auctioning your data to your competitors within next 48 hours.
[Victim] — 3/24/2021, 12:10:28 PM — Message 36/49
Let me know who is interested in buying this information, might be a potential buyer :) Like I said the price is far too high that I cannot budge more than +10k. Of course if you decide to access I promise not to tell the media that the amount but sounds like we are not even in the ball-park.
[Conti] — 3/24/2021, 5:34:22 PM — Message 37/49
That's just impossible in our enterprise.
[Conti] — 3/24/2021, 5:40:58 PM — Message 38/49
Let me discuss with the team to reevaluate your abilities and I will get back to you.
[Conti] — 3/24/2021, 8:15:20 PM — Message 39/49
Well. Ok, we can make it 100k and finish this one on a private terms from both sides.
[Victim] — 3/25/2021, 5:50:25 PM — Message 40/49
Hi - Ok, all agreed; 100k. Please send wallet
[Victim] — 3/26/2021, 1:51:38 PM — Message 41/49
Hello - OK, we confirm 100k to resolve this.
We have a bitcoin broker ready to do transfer today.
Please confirm on payment you will provide:
1. complete file tree of the data downloaded from our network and a deletion log of all of the data,
2. confirmation that you deleted and will never publish any of our data, including our chat, now or in the future, and
3. a security report on how we got hacked, and how we can prevent future problems
Please confirm 1 to 3 and send us the bitcoin wallet address.
[Conti] — 3/26/2021, 4:20:06 PM — Message 42/49
All of those is confirmed
The wallet is : [redacted]
[Victim] — 3/26/2021, 6:34:18 PM — Message 43/49
OK standby
[Victim] — 3/26/2021, 7:53:03 PM — Message 44/49
OK, the broker sent $100K / 1.8650 bitcoins. Please confirm receipt and provide to us the deal items as soon as possible, thank you.
[Conti] — 3/27/2021, 6:57:03 AM — Message 45/49
The payment is received. We will provide the decryption tool the soonest possible.
[Conti] — 3/27/2021, 10:41:54 AM — Message 46/49
[redacted]_decryptor.exe [ 103kB ]
[Conti] — 3/27/2021, 10:42:16 AM — Message 47/49
Decryptor:
1) Launch the decryptor under Administrative rights
2) Wait till the decryptor window is closed
3) if any of the files haven't changed the extension back to the original - repeat 1 and 2
[Victim] — 3/27/2021, 4:18:40 PM — Message 48/49
OK - thanks. Regarding our data and files, can you please provide the full 100% file-tree list and proof of shred/deletion. Also, the security report of what happened so we can improve our network. thank you.
[Conti] — 3/29/2021, 7:18:54 AM — Message 49/49
Yes, we will keep you updated on this one.