Conti Ransomware Negotiation — Redacted Organisation

Messages: 78
Duration: Unknown
Initial Demand: $200.00
Outcome: Unknown

About This Negotiation

This transcript documents a Conti ransomware negotiation with a redacted victim organisation. The negotiation consisted of 78 messages exchanged over an unknown duration.

The initial ransom demand was $200.00. The final outcome is not confirmed in the transcript.

Full Transcript — Verbatim

Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.

Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
[Victim] — 5/13/2021, 1:44:20 PM — Message 1/78
readme.txt [ 1kB ]
[Victim] — 5/13/2021, 1:44:40 PM — Message 2/78
Waiting for instructions
[Conti] — 5/13/2021, 1:46:02 PM — Message 3/78
Welcome! [redacted]
[Conti] — 5/13/2021, 1:48:11 PM — Message 4/78
You need pay for decrypt your files. Your price is 200.000$
[Conti] — 5/13/2021, 1:48:27 PM — Message 5/78
Your network was hacked, workstations encrypted and we downloaded many private information from your servers. Note that we have also downloaded a lot of data from your network that in case of not making payment will be published on our website. If you will spend 3 days in silence we will start publushing the information.
[Conti] — 5/13/2021, 1:48:56 PM — Message 6/78
Your price for non-recoverable deletion of all the leaked information, and decpryptor for your network is $200.000
[Victim] — 5/17/2021, 1:00:32 AM — Message 7/78
Sorry for the delay, we've been having a lot of internal meetings and want to work with you.
[Conti] — 5/17/2021, 11:24:20 AM — Message 8/78
We understand your problems. But we also see your turnover and the amount of information we downloaded from your network. Your losses, if the information reaches the public, will be tens of times more than we asked. make your offer, you haven't given a single digit yet.
[Victim] — 5/17/2021, 2:45:15 PM — Message 9/78
Okay; as part of our conversations last night I was told to ask about getting a sample of data you might have taken
[Conti] — 5/17/2021, 8:32:51 PM — Message 10/78
We have your accounting, legal documents, finance, contracts and personal correspondence, DB, that's all I can say. It's about 50 Gigabate. You will receive a complete list of files after payment as well as a log of their removal from our server.
[Conti] — 5/17/2021, 8:33:17 PM — Message 11/78
[redacted]_proof.7z [ 3.1MB ]
[Conti] — 5/17/2021, 8:33:41 PM — Message 12/78
Proof Pack. Pass: 123123
[Conti] — 5/17/2021, 8:34:23 PM — Message 13/78
We will also try to find a buyer for your data and access to your network if you refuse to pay.
[Victim] — 5/17/2021, 11:17:40 PM — Message 14/78
Thank you; I will let my boss know. We want to work with you.
[Victim] — 5/18/2021, 1:49:16 AM — Message 15/78
We've been having some internal meetings and discussions and would like to make an offer of $22k
[Victim] — 5/18/2021, 3:58:34 PM — Message 16/78
Just wanted to follow up on this.
[Conti] — 5/18/2021, 4:12:29 PM — Message 17/78
Your offer has been rejected. Make a more reasonable offer based on our offer.
[Victim] — 5/18/2021, 6:29:00 PM — Message 18/78
I've went back to my boss and management, they understand the importance. We would like to extend an updated offer to $45K USD
[Conti] — 5/18/2021, 8:13:32 PM — Message 19/78
Well, we see constructive dialogue and make a discount. Your new price is $170,000.
[Victim] — 5/18/2021, 9:17:28 PM — Message 20/78
Let me check with my boss to what more we can offer, as that's still a lot of money for us.
[Victim] — 5/18/2021, 11:54:11 PM — Message 21/78
Just spoke with my boss and management was able to come up with some additional funds to make an offer of $62k
[Victim] — 5/19/2021, 1:52:10 AM — Message 22/78
Following up on the offer of $62k
[Conti] — 5/19/2021, 8:16:02 AM — Message 23/78
Well, we see constructive dialogue and make a discount. Your new price is $138,000.
[Victim] — 5/19/2021, 12:35:37 PM — Message 24/78
Let me talk to my boss, I will get back to you later this morning.
[Conti] — 5/19/2021, 12:36:24 PM — Message 25/78
Well, we are waiting, do not delay, this will entail negative consequences of publication.
[Victim] — 5/19/2021, 3:28:13 PM — Message 26/78
I was told to ask, if you can provide proof of decryption. Do I just upload a couple documents?
[Victim] — 5/19/2021, 3:32:49 PM — Message 27/78
[redacted].pdf.[redacted] [ 529kB ]
[Victim] — 5/19/2021, 3:33:54 PM — Message 28/78
Inventory Report [redacted].htm.xlsx.[redacted] [ 13kB ]
[Victim] — 5/19/2021, 3:34:00 PM — Message 29/78
[redacted] reimbursement Spreadsheet 7-29-2019.xlsx.[redacted] [ 11kB ]
[Victim] — 5/19/2021, 4:55:17 PM — Message 30/78
Hello?
[Victim] — 5/19/2021, 7:54:45 PM — Message 31/78
Have you gotten my messages?
[Conti] — 5/19/2021, 9:58:00 PM — Message 32/78
Wait.
[Conti] — 5/19/2021, 10:04:28 PM — Message 33/78
[redacted] reimbursement Spreadsheet 7-29-2019.xlsx [ 11kB ]
[Conti] — 5/19/2021, 10:04:36 PM — Message 34/78
Inventory Report [redacted].htm.xlsx [ 12kB ]
[Conti] — 5/19/2021, 10:04:48 PM — Message 35/78
[redacted].pdf [ 528kB ]
[Victim] — 5/19/2021, 10:05:13 PM — Message 36/78
Thank you; I'll let my bossy know
[Conti] — 5/19/2021, 10:05:44 PM — Message 37/78
Well, we are waiting, do not delay, this will entail negative consequences of publication.
[Victim] — 5/19/2021, 10:05:56 PM — Message 38/78
Should have a response here shortly, I know we have been discussing internally and trying to come up with some additional funds.
[Victim] — 5/19/2021, 10:09:39 PM — Message 39/78
We would like to make an additional offer; $74k
[Victim] — 5/19/2021, 11:27:51 PM — Message 40/78
Just wanted to follow up on the new offer of $74K
[Victim] — 5/20/2021, 12:35:45 AM — Message 41/78
?
[Victim] — 5/20/2021, 1:13:13 AM — Message 42/78
Also, what would be the BTC Wallet for payment?
[Victim] — 5/20/2021, 9:38:47 AM — Message 43/78
Also, would we be able to get access to the data you have taken? Or something else like a file Tree?
[Conti] — 5/20/2021, 10:29:48 AM — Message 44/78
Your price for file tree & non-recoverable deletion of all the leaked information, and decpryptor for your network is $100.000. And we agree. We will not be able to make less than this proposal. Think about it.
[Conti] — 5/20/2021, 10:30:36 AM — Message 45/78
BTC Wallet: [redacted]
[Victim] — 5/20/2021, 10:51:45 AM — Message 46/78
If we can get payment over today, when should we expect the decryption key? I know comms have been rather slow.
[Conti] — 5/20/2021, 11:08:21 AM — Message 47/78
You'll get everything within 24 hours. after payment.
[Conti] — 5/20/2021, 11:09:27 AM — Message 48/78
We'll try to give it all out quickly.
[Victim] — 5/20/2021, 11:17:18 AM — Message 49/78
Is there a leak site we can check that you guys would publish to?
[Conti] — 5/20/2021, 11:20:31 AM — Message 50/78
[REDACTED URL]
[Victim] — 5/20/2021, 11:22:33 AM — Message 51/78
Thank you;
[Victim] — 5/20/2021, 12:27:41 PM — Message 52/78
Just got confirmation from my boss, we are working to make the $100k payment.
[Conti] — 5/20/2021, 4:10:34 PM — Message 53/78
Okay, we're waiting.
[Victim] — 5/20/2021, 6:44:09 PM — Message 54/78
This is still the BTC Wallet Correct: [redacted]
[Conti] — 5/20/2021, 6:49:49 PM — Message 55/78
BTC Wallet: [redacted]
[Victim] — 5/21/2021, 12:18:25 AM — Message 56/78
Confirmation #: [redacted]
[Victim] — 5/21/2021, 10:57:35 AM — Message 57/78
Can you confirm payment? When should we expect the decryption key?
[Conti] — 5/21/2021, 11:45:56 AM — Message 58/78
[redacted]_decryptor.exe [ 103kB ]
[Conti] — 5/21/2021, 11:46:42 AM — Message 59/78
Decryptor: 1) Launch the decryptor under Administrative rights 2) Wait till the decryptor window is closed 3) if any of the files haven't changed the extension back to the original - repeat 1 and 2
[Conti] — 5/21/2021, 6:58:07 PM — Message 60/78
The file tree and deletion log are expected to be checked out within 24 hours.
[Victim] — 5/21/2021, 9:41:26 PM — Message 61/78
Thank you
[Conti] — 5/22/2021, 1:12:01 AM — Message 62/78
Wait
[Victim] — 5/23/2021, 1:21:26 AM — Message 63/78
We have files that won't decrypt on several systems. I'm providing a few of those samples if you can update the decryption tool.
[Victim] — 5/23/2021, 1:21:32 AM — Message 64/78
[redacted]_.GIF.[redacted] [ 5kB ]
[Victim] — 5/23/2021, 1:22:16 AM — Message 65/78
[redacted].cab.[redacted] [ 8.6MB ]
[Victim] — 5/23/2021, 1:22:25 AM — Message 66/78
[redacted]_.WMF.[redacted] [ 6kB ]
[Victim] — 5/24/2021, 2:35:35 PM — Message 67/78
How long till we can get an updated decryption tool and file-tree & deletion of file-tree
[Conti] — 5/24/2021, 7:05:57 PM — Message 68/78
This 3 files are decrypted, just remove .[redacted] extension
[Victim] — 5/24/2021, 8:05:36 PM — Message 69/78
Your decryption tool left the extension to thousands, how do we go about removing the extension to thousands of files without potentially corrupting files that might still need to be decrypted.
[Conti] — 5/24/2021, 8:24:15 PM — Message 70/78
Try to run the decryptor again
[Victim] — 5/25/2021, 1:31:04 PM — Message 71/78
We did 3-4 times
[Victim] — 5/25/2021, 7:51:14 PM — Message 72/78
Any news on the updated decryption tool and file deletion?
[Conti] — 5/25/2021, 9:13:18 PM — Message 73/78
[redacted]_tree.zip [ 76kB ]
[Conti] — 5/25/2021, 9:13:24 PM — Message 74/78
SHRED_[redacted].zip [ 739kB ]
[Conti] — 5/25/2021, 9:13:33 PM — Message 75/78
file list and delete log
[Victim] — 5/26/2021, 12:32:09 AM — Message 76/78
Thank you; what about an updated decryption tool
[Victim] — 5/27/2021, 8:23:28 PM — Message 77/78
Really need that updated decryption tool. I've got thousands of files that I can't use and If I self remove thousands of extensions I fear that the files will be corrupted. You promised a working decryption key.
[Victim] — 5/28/2021, 8:39:31 PM — Message 78/78
I'm reaching out to the bigger Conti group.
