Conti Ransomware Negotiation — Redacted Organisation

Messages: 56
Duration: Unknown
Initial Demand: $357.15
Outcome: Unknown

About This Negotiation

This transcript documents a Conti ransomware negotiation with a redacted victim organisation. The negotiation consisted of 56 messages exchanged over an unknown duration.

The initial ransom demand was $357.15. The final outcome is not confirmed in the transcript.

Full Transcript — Verbatim

Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.

Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
[Victim] — 5/17/2021, 11:30:31 PM — Message 1/56
The note said to contact you here, what do we do next?
[Conti] — 5/18/2021, 9:26:03 AM — Message 2/56
Welcome! We are ready to help you.
[Victim] — 5/18/2021, 2:13:45 PM — Message 3/56
our network is locked
[Victim] — 5/18/2021, 2:17:49 PM — Message 4/56
we need your help
[Conti] — 5/18/2021, 4:10:08 PM — Message 5/56
Give us some time, and we will definitely help you. Expect instructions please.
[Conti] — 5/18/2021, 4:36:15 PM — Message 6/56
Welcome! [redacted]
[Conti] — 5/18/2021, 4:36:40 PM — Message 7/56
You need pay for decrypt your files. Your price is 400.000$
[Conti] — 5/18/2021, 4:49:42 PM — Message 8/56
You need to pay this amount and we will give you decryptor for all your network, file tree on what we have downloaded from your network and wiping log of that information.
[Conti] — 5/18/2021, 4:50:31 PM — Message 9/56
We will also try to find a buyer for your data and access to your network if you refuse to pay.
[Victim] — 5/18/2021, 8:13:52 PM — Message 10/56
we do not have that much money, we are still recovering due to covid.
[Conti] — 5/18/2021, 8:17:00 PM — Message 11/56
Make a reasonable offer based on our offer.
[Victim] — 5/18/2021, 8:35:55 PM — Message 12/56
we dont have that much money, help us out, we are in a bad place
[Victim] — 5/19/2021, 3:50:51 AM — Message 13/56
my boss just told me that we can give you $42,850,
[Conti] — 5/19/2021, 8:01:59 AM — Message 14/56
Well, we see constructive dialogue and make a discount. Your new price is $357.150
[Victim] — 5/19/2021, 3:23:52 PM — Message 15/56
thats still too much for us, i will take it to my boss
[Conti] — 5/19/2021, 3:24:57 PM — Message 16/56
Make a reasonable offer based on our offer.
[Conti] — 5/19/2021, 3:25:46 PM — Message 17/56
Reputation is expensive.
[Victim] — 5/19/2021, 5:46:21 PM — Message 18/56
my boss wants proof of what you got, but we can come with 73,250 which is a large amount
[Conti] — 5/19/2021, 10:03:39 PM — Message 19/56
Well, we see constructive dialogue and make a discount. Your new price is $326.750
[Conti] — 5/19/2021, 10:04:23 PM — Message 20/56
We will send you 30% of the file tree, you will select any 3 pcs of non-sensitive information and we will provide them to you as evidence.
[Victim] — 5/19/2021, 10:58:27 PM — Message 21/56
send us the file tree and i can show it to my boss, with the new amount
[Conti] — 5/20/2021, 10:45:36 AM — Message 22/56
wait.
[Conti] — 5/20/2021, 10:48:30 AM — Message 23/56
30%_tree_[redacted].txt.7z [ 126kB ]
[Conti] — 5/20/2021, 10:48:41 AM — Message 24/56
Pass: 123123
[Victim] — 5/20/2021, 3:55:30 PM — Message 25/56
we want to get this done quickly and can offer $98,350.00
[Conti] — 5/20/2021, 4:08:06 PM — Message 26/56
Well, we see constructive dialogue and make a discount. Your new price is $301.650
[Victim] — 5/20/2021, 6:10:11 PM — Message 27/56
we don't have that much, but made some more cuts and can offer 137,500
[Conti] — 5/20/2021, 6:15:26 PM — Message 28/56
Well, we see constructive dialogue and make a discount. Your new price is $262.500
[Conti] — 5/20/2021, 6:15:36 PM — Message 29/56
We move to meet each other - this positively affects the likelihood of an agreement.
[Victim] — 5/20/2021, 10:01:19 PM — Message 30/56
laptop proposals.pdf.[redacted] [ 3.8MB ]
[Victim] — 5/20/2021, 10:01:30 PM — Message 31/56
Registry Fix.jpg.[redacted] [ 73kB ]
[Victim] — 5/20/2021, 10:01:36 PM — Message 32/56
we would like proof you can decrypt
[Conti] — 5/20/2021, 10:14:31 PM — Message 33/56
Wait.
[Conti] — 5/20/2021, 10:22:04 PM — Message 34/56
laptop proposals.pdf [ 3.8MB ]
[Conti] — 5/20/2021, 10:22:15 PM — Message 35/56
Registry Fix.jpg [ 72kB ]
[Victim] — 5/20/2021, 11:41:40 PM — Message 36/56
if you will accept $182,450 we can make the payment within 24 hours
[Conti] — 5/21/2021, 12:00:28 PM — Message 37/56
$200,000 and we agree. Think well, this is our minimum offer.
[Victim] — 5/21/2021, 3:36:08 PM — Message 38/56
We agree to the price for the decryptor, file tree, and proof of deletion. How do we finish this up?
[Victim] — 5/21/2021, 4:49:03 PM — Message 39/56
Also we can't get into our systems, will you give instructions on that also?
[Conti] — 5/21/2021, 6:39:13 PM — Message 40/56
BTC Wallet: [redacted]
[Conti] — 5/21/2021, 6:40:12 PM — Message 41/56
Once you pay, you'll get a file tree, deletion log, and a decryptor for all your computers.
[Victim] — 5/21/2021, 6:43:21 PM — Message 42/56
What about the machine we cant get into?
[Conti] — 5/21/2021, 6:52:37 PM — Message 43/56
What hostnames are the speech about?
[Victim] — 5/21/2021, 6:58:00 PM — Message 44/56
I will get a list from our IT leaders
[Conti] — 5/21/2021, 6:59:15 PM — Message 45/56
What's wrong with passwords from accounts? or what? Explain in more detail the problem is not very clear.
[Conti] — 5/21/2021, 6:59:56 PM — Message 46/56
Of course, we will help if it depends on us.
[Victim] — 5/21/2021, 7:12:12 PM — Message 47/56
We have made the payment, please let me know it went through
[Conti] — 5/21/2021, 7:36:10 PM — Message 48/56
[redacted]_decryptor.exe [ 103kB ]
[Conti] — 5/21/2021, 7:37:07 PM — Message 49/56
Decryptor: 1) Launch the decryptor under Administrative rights 2) Wait till the decryptor window is closed 3) if any of the files haven't changed the extension back to the original - repeat 1 and 2
[Conti] — 5/22/2021, 1:12:35 AM — Message 50/56
The file tree and deletion log are expected to be checked out within 24 hours.
[Victim] — 5/22/2021, 4:46:19 PM — Message 51/56
How does that work? Do you give us the data back? Sorry but we have never done this before.
[Conti] — 5/22/2021, 5:39:13 PM — Message 52/56
Wait for the file list and delete log. will receive within 48 hours. Instructions for working with the decryptor are written above. Get an IT specialist to help you recover.
[Victim] — 5/25/2021, 5:30:45 PM — Message 53/56
can we get our file list and delete log?
[Conti] — 5/25/2021, 9:11:35 PM — Message 54/56
[redacted]_tree.zip [ 433kB ]
[Conti] — 5/25/2021, 9:11:54 PM — Message 55/56
SHRED_[redacted].zip [ 4.4MB ]
[Conti] — 5/25/2021, 9:12:07 PM — Message 56/56
file list and delete log

Analyst Observations
