Conti Ransomware Negotiation — Redacted Organisation

Messages: 63
Duration: Unknown
Initial Demand: $920,000
Outcome: Paid

About This Negotiation

This transcript documents a Conti ransomware negotiation with a redacted victim organisation. The negotiation consisted of 63 messages exchanged over an unknown duration.

The initial ransom demand was $920,000. The negotiation resulted in a confirmed payment.

Full Transcript — Verbatim

Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.

Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
[Victim] — 3/16/2021, 12:17:32 AM — Message 1/63
Okay, what comes next?
[Conti] — 3/16/2021, 8:03:37 AM — Message 2/63
As you already know - your network and all of your data were encrypted by CONTI team. Besides the encryption process we've downloaded a large pack of your internal documents and files that will be published in case our negotiations fail. How it happens can be seen on our website. The recovery price is $920000 (17 BTC). If you want to make sure we can recover all of your data - you can send us the two files of your choice and we will decrypt them free of charge. If we reach mutual agreement you will be provided with decryption tool, none of your internal data will be published and you will be provided with security tips on how to avoid further breaches. We strongly recommend to review our offer in a timely manner to avoid additional expenses from your side on security software and on building the new network from scratch. The example data pack will be provided tomorrow, which will include part of the file list and some actual data you can review.
[Conti] — 3/16/2021, 8:42:44 AM — Message 3/63
[redacted]-30percentlisting.txt [ 7.4MB ]
[Conti] — 3/16/2021, 8:44:34 AM — Message 4/63
[redacted]-datapack-example.zip [ 32.4MB ]
[Victim] — 3/16/2021, 5:22:27 PM — Message 5/63
Can you allow us a few days to read through these? We have our hands full with our servers down and trying to look over the documents
[Conti] — 3/16/2021, 5:40:34 PM — Message 6/63
Yes, you have time till the end of the week. But if you would like to receive a 25% discount it will be valid for only two business days.
[Victim] — 3/16/2021, 10:09:35 PM — Message 7/63
Ok i understand. I will get back to you as soon as possible
[Victim] — 3/18/2021, 8:18:54 PM — Message 8/63
I will come to this chat tomorrow with a decision. The final management meeting is this afternoon
[Conti] — 3/18/2021, 8:23:16 PM — Message 9/63
Ok, we will be waiting for your reply tomorrow.
[Victim] — 3/19/2021, 5:31:10 PM — Message 10/63
Ok thank you for giving us time to work through our analysis. With the end of the quarter closing in, our balances allow us to offer $110,000 to you for the deal. Please please take this offer to your side and ask if it is possible to accept. We will wait for your reply
[Conti] — 3/20/2021, 7:58:50 AM — Message 11/63
Unfortunately we cannot accept this offer according to our internal rules, but we've discussed with the team and are ready to make a step forward by going down to $600k
[Victim] — 3/20/2021, 12:52:11 PM — Message 12/63
Ok, I will tell the team this, but it's the weekend so they won't be able to meet until Monday or Tuesday ok?
[Conti] — 3/20/2021, 1:12:26 PM — Message 13/63
Ok, just update me by Tuesday.
[Victim] — 3/20/2021, 1:24:04 PM — Message 14/63
Ok yes
[Victim] — 3/23/2021, 3:58:28 PM — Message 15/63
We are still in talks to see how we could pull authority to go higher but they are moving very very slowly. We have been able to get them to grant authority for a better offer of $145,000. Please tell me if it is possible to accept this amount for us.
[Conti] — 3/24/2021, 9:37:54 AM — Message 16/63
That is totally impossible. We have discussed internally and the lowest we can get is $350k. I am not authorized to accept any lower payment.
[Victim] — 3/24/2021, 9:24:14 PM — Message 17/63
I submitted this to my superiors. I know they want to finish this up as soon as possible, but $350k may still be out of reach. I will check in with you when I hear back.
[Victim] — 3/25/2021, 9:24:35 PM — Message 18/63
I will get back to you tomorrow with an update. Expenditures over a certain amount have to be approved by executive leadership and we are trying to keep this under that amount so we don't have to go through their approval.
[Conti] — 3/25/2021, 9:38:14 PM — Message 19/63
ok. we will wait
[Victim] — 3/26/2021, 3:51:30 PM — Message 20/63
Ok. By relocating some of our budget funds, we are able to move our offer higher to $162,000. I know this is lower than you are authorized to accept, but please let me know if your group can make an exception.
[Conti] — 3/26/2021, 4:17:55 PM — Message 21/63
As I have already told, try to allocate $350k I cannot move any forward unfortunately
[Victim] — 3/26/2021, 5:36:18 PM — Message 22/63
We'll need to find another way, because we cannot risk getting this delayed in the leadership approval process. Otherwise it will take weeks. I will have to look into outside sources for donations.
[Conti] — 3/27/2021, 7:00:01 AM — Message 23/63
Ok. Keep us updated.
[Victim] — 3/27/2021, 12:26:41 PM — Message 24/63
Please if you have a smaller amount from $350k this will help speed up the process greatly. I know you can't accept $162k, but it's going to be an uphill battle for us to try to double that amount for you. Please let me know
[Victim] — 3/28/2021, 1:09:05 PM — Message 25/63
Can you please let me know if there is anything you could do. It is going to be challenging battle for us to come up with double the amount from what we have available ($162,000). We want to be able to reach an agreement with you but our executive leadership team is not approving $350,000. Please let me know if you can come down anymore.
[Conti] — 3/29/2021, 7:17:40 AM — Message 26/63
Let's meet in between at the sum of $255k and get this over with. We want to close the deal asap, so the offer is exclusive and valid for only 2 business days.
[Victim] — 3/29/2021, 5:17:50 PM — Message 27/63
We have our weekly monday meeting this afternoon and I will tell them about the amount and the deadline. I also wish to get this over with.
[Conti] — 3/29/2021, 7:24:31 PM — Message 28/63
Ok, get back to me when the meeting is over.
[Victim] — 3/30/2021, 7:42:23 PM — Message 29/63
We are able to go up to $172,000. We are too close to the limit at which point we will have to halt and go through the top leadership approval process, which has a high risk of rejection. We do not want to risk them turning us away.
[Conti] — 3/30/2021, 8:47:19 PM — Message 30/63
We agree to accept. The btc wallet for the payment is : [redacted] let me know as soon as the transfer is made.
[Victim] — 3/31/2021, 5:24:45 PM — Message 31/63
Thank you. I will notify the cfo's office and instruct them to arrange it
[Victim] — 4/1/2021, 11:11:22 PM — Message 32/63
I'm sorry for the delay on this. They've asked me to come in for a meeting in the morning to confirm the arrangement of payment. I will check in with you after
[Conti] — 4/2/2021, 9:42:34 AM — Message 33/63
It's been a while, let me know when the meeting is over.
[Victim] — 4/2/2021, 9:44:05 PM — Message 34/63
Thanks for waiting. I guess the executives read some concerning news reports this week that companies who are hit with ransom are getting published anyway even if they try to pay. It scared them. I will make sure it gets done on Monday after they calm down
[Conti] — 4/3/2021, 8:54:37 AM — Message 35/63
We would never do such a thing that will hurt our reputation. The executives shouldn't be worried while dealing with our particular group.
[Victim] — 4/5/2021, 8:45:14 PM — Message 36/63
I have been in meetings all day. Our leadership has seen more news reports over the weekend that the conti group is publishing people who are offering to pay and they are uncomfortable about this. You said you never do that, but that is not what we read in the news
[Conti] — 4/6/2021, 11:52:50 AM — Message 37/63
I haven't seen these news actually and not sure what it is about.
[Conti] — 4/6/2021, 11:53:09 AM — Message 38/63
We do publish people who do not pay for sure.
[Victim] — 4/6/2021, 2:03:38 PM — Message 39/63
It says the company offered conti 500k for payment and they got published instead, even though they wanted to pay
[Victim] — 4/6/2021, 2:04:09 PM — Message 40/63
[REDACTED URL]
[Victim] — 4/6/2021, 2:04:30 PM — Message 41/63
[REDACTED URL]
[Conti] — 4/6/2021, 2:05:56 PM — Message 42/63
We haven't reached the agreement on the price. That's the only thing why they were published. We already have such an agreement with you - so that is not an issue.
[Victim] — 4/6/2021, 4:02:49 PM — Message 43/63
Ok. This wallet still ok? [redacted]
[Conti] — 4/6/2021, 4:06:58 PM — Message 44/63
Yes.
[Victim] — 4/6/2021, 7:57:54 PM — Message 45/63
We are about ready. Are you online?
[Victim] — 4/6/2021, 8:04:20 PM — Message 46/63
Before we continue, please confirm you will send: 1) decryptor for all systems 2) list of our files 3) tell us how you accessed our network 4) proof our files are destroyed and promise they will never be published
[Conti] — 4/6/2021, 8:06:31 PM — Message 47/63
I do confirm each of those four. By the way, according to our talk I might assume we've dealt before previously, am I right?
[Victim] — 4/6/2021, 8:08:39 PM — Message 48/63
We have been talking in here for a while if that is what you mean. Are you ready for us to send?
[Conti] — 4/6/2021, 8:11:31 PM — Message 49/63
Yes, we are ready to accept the payment. And no, I meant your recovery company. Nevermind though, I might be mistaken.
[Victim] — 4/6/2021, 8:52:45 PM — Message 50/63
The payment is done
[Conti] — 4/6/2021, 8:54:49 PM — Message 51/63
I have already processed the request to the tech dept to provide the decryption tool the soonest possible.
[Victim] — 4/6/2021, 8:55:22 PM — Message 52/63
What is approximate time to receive?
[Conti] — 4/6/2021, 8:58:11 PM — Message 53/63
[redacted]-full-listing.txt [ 24.7MB ]
[Conti] — 4/6/2021, 9:01:58 PM — Message 54/63
[redacted]_decryptor.exe [ 103kB ]
[Conti] — 4/6/2021, 9:02:52 PM — Message 55/63
Please review the full listing and let us know when we can start shredding your data to provide the deletion log.
[Victim] — 4/6/2021, 9:03:22 PM — Message 56/63
Ok thanks. I will let you know when it's time
[Conti] — 4/6/2021, 9:03:41 PM — Message 57/63
Decryptor: 1) Launch the decryptor under Administrative rights 2) Wait till the decryptor window is closed 3) if any of the files haven't changed the extension back to the original - repeat 1 and 2
[Victim] — 4/9/2021, 8:18:09 PM — Message 58/63
Please keep our chat open while we work on decryption in case we have questions. It is still running
[Conti] — 4/9/2021, 8:23:55 PM — Message 59/63
Sure, let me know when you're over and we will delete the chat.
[Victim] — 4/19/2021, 8:55:03 PM — Message 60/63
Thanks for waiting. Please proceed with file shredding and send me the delete log when it is ready
[Victim] — 4/21/2021, 3:16:00 PM — Message 61/63
Did you get my message
[Conti] — 4/21/2021, 4:21:30 PM — Message 62/63
[redacted]-removed.log [ 18.8MB ]
[Conti] — 4/22/2021, 12:36:19 PM — Message 63/63
Shall we delete this chat now?
