Conti Ransomware Negotiation — Redacted Organisation

Messages: 81
Duration: Unknown
Initial Demand: $1.7M
Outcome: Paid

About This Negotiation

This transcript documents a Conti ransomware negotiation with a redacted victim organisation. The negotiation consisted of 81 messages exchanged over an unknown duration.

The initial ransom demand was $1.7M. The negotiation resulted in a confirmed payment.

Full Transcript — Verbatim

Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.

Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
[Victim] — 02/06/2021, 15:17:16 — Message 1/81
What do you want?
[Victim] — 02/06/2021, 15:19:29 — Message 2/81
Hello?
[Victim] — 02/06/2021, 15:22:24 — Message 3/81
readme.txt [ 1kB ]
[Conti] — 02/06/2021, 16:39:33 — Message 4/81
Hello, please wait answer
[Victim] — 02/06/2021, 16:43:25 — Message 5/81
ok
[Conti] — 02/06/2021, 16:46:55 — Message 6/81
As you already know - your network and all of your data were encrypted by CONTI team. Besides the encryption process we've downloaded a large pack of your internal documents and files that will be published in case our negotiations fail. How it happens can be seen on our website. The recovery price is $1700000 (45 BTC). If you want to make sure we can recover all of your data - you can send us the two files of your choice and we will decrypt them free of charge. If we reach mutual agreement your will be provided with decryption tool, none of your internal data will be published and you will be provided with security tips on how to avoid further breaches. We strongly recommend to review our offer in a timely manner to avoid additional expenses from your side on security software and on building the new network from scratch. The example data pack will be provided soon, which will include part of the file tree list and some actual data you can review.
[Conti] — 02/06/2021, 19:42:25 — Message 7/81
30perclisting.zip [ 223kB ]
[Conti] — 02/06/2021, 19:43:06 — Message 8/81
You can choose any 2 files from the listing, we will discard them as proof that the files were really stolen You can also send 2 files for a free decrypt --- Upon conclusion of the agreement, our price includes 1) Universal decryptor for your network 2) Permanently delete all stolen information + logs of removing 3) Security advisories and report how we infiltrated your system
[Conti] — 02/06/2021, 19:52:47 — Message 9/81
datapack.7z [ 47.2MB ]
[Conti] — 03/06/2021, 20:29:32 — Message 10/81
Have you reviewed the documents and our offer?
[Conti] — 04/06/2021, 14:51:59 — Message 11/81
If we will not receive the response today we shall start transmitting your data to 3-rd parties step by step notifying your clients and employees about the breach and on how you guard their data.
[Victim] — 04/06/2021, 15:23:33 — Message 12/81
we have just pulled down the files for review.
[Victim] — 04/06/2021, 15:25:59 — Message 13/81
i will let you know when we are done.
[Victim] — 04/06/2021, 15:26:48 — Message 14/81
how do we know if you are able to recover our machines?
[Conti] — 04/06/2021, 15:27:25 — Message 15/81
You can provide two random low-value encrypted files and we will decrypt them as a proof and upload back
[Conti] — 04/06/2021, 15:28:02 — Message 16/81
It took you two days to download files from review? We are not that patient and you should be more operative otherwise we will consider you stalling
[Victim] — 04/06/2021, 15:51:55 — Message 17/81
will provide the files. No, it did not take us 2 days to download the files and review. we only logged back on this morning and saw that you sent them.
[Victim] — 04/06/2021, 15:52:40 — Message 18/81
[redacted] Office.doc.[redacted] [ 533kB ]
[Victim] — 04/06/2021, 15:52:50 — Message 19/81
[redacted].pdf.[redacted] [ 75kB ]
[Conti] — 04/06/2021, 15:53:14 — Message 20/81
Will upload the decrypted files asap.
[Conti] — 04/06/2021, 17:03:30 — Message 21/81
[redacted].pdf [ 74kB ]
[Conti] — 04/06/2021, 17:03:51 — Message 22/81
[redacted] Office.doc [ 533kB ]
[Victim] — 04/06/2021, 17:46:33 — Message 23/81
ok thank you
[Victim] — 04/06/2021, 21:50:59 — Message 24/81
we are currently still reviewing everything.
[Victim] — 04/06/2021, 21:52:18 — Message 25/81
additionally, my higher up are requesting additional proofs because you are asking 45btc which is quite a lot of money.
[Conti] — 04/06/2021, 22:09:21 — Message 26/81
What proof do you need? We showed that we can decrypt files Select any 2 files from the listing archive and we will discard them to you
[Conti] — 05/06/2021, 03:31:54 — Message 27/81
Having received the decryptor, you can start working in 2 hours
[Conti] — 05/06/2021, 03:32:46 — Message 28/81
Read about us on the Internet - we work honestly. It is much more profitable to conclude an agreement with us than to incur losses
[Victim] — 05/06/2021, 04:00:17 — Message 29/81
thats for that additional information. will pass this information along to my boss. I will also let you know the file names once they let me know.
[Victim] — 05/06/2021, 15:08:34 — Message 30/81
Still haven't heard anything yet. Will try to get an answer as soon as possible.
[Conti] — 05/06/2021, 15:23:01 — Message 31/81
Ok, keep me updated
[Victim] — 05/06/2021, 15:28:55 — Message 32/81
will do.
[Victim] — 06/06/2021, 17:01:44 — Message 33/81
haven't heard anything yet from my boss (most likely because it is the weekend). I should have more information tomorrow
[Victim] — 07/06/2021, 15:42:21 — Message 34/81
good morning. I have a meeting here shortly and should have those file names for proof of decryption
[Conti] — 07/06/2021, 15:55:10 — Message 35/81
hello
[Conti] — 07/06/2021, 15:56:02 — Message 36/81
what file names ? Are you talking about 100% listing?
[Victim] — 07/06/2021, 15:58:25 — Message 37/81
from the file listing you sent me earlier
[Conti] — 07/06/2021, 16:02:22 — Message 38/81
Proof of file decryption - you sent 2 files to us, we deciphered them and threw them off.
[Conti] — 07/06/2021, 16:03:21 — Message 39/81
File with the title "30perclisting.zip" Here is a list of 20 - 30 percent stolen information from your network.
[Conti] — 07/06/2021, 16:05:27 — Message 40/81
When you conclude an agreement, you will receive a decryptor for your entire network and return the state of computers to their previous state in a few hours
[Victim] — 07/06/2021, 16:09:02 — Message 41/81
yes im sorry. I confused myself.
[Conti] — 08/06/2021, 09:59:41 — Message 42/81
any updates?
[Victim] — 08/06/2021, 15:29:23 — Message 43/81
yes sorry, sending the filenames over now.
[Conti] — 08/06/2021, 15:41:50 — Message 44/81
ok, waiting.
[Victim] — 08/06/2021, 16:03:04 — Message 45/81
ok finally received the list
[Victim] — 08/06/2021, 16:03:12 — Message 46/81
uploading the text file now
[Victim] — 08/06/2021, 16:03:35 — Message 47/81
FileRequest.txt [ 2kB ]
[Conti] — 08/06/2021, 16:05:01 — Message 48/81
Well, it's way more than 2 files, but we will provide.
[Victim] — 08/06/2021, 16:05:54 — Message 49/81
Sorry about that but definitely appreciated!
[Conti] — 08/06/2021, 22:00:10 — Message 50/81
2019_[redacted].xlsx [ 43kB ]
[Conti] — 08/06/2021, 22:00:28 — Message 51/81
2019_[redacted].xlsx [ 152kB ]
[Conti] — 08/06/2021, 22:00:32 — Message 52/81
Logo [redacted].pdf [ 87kB ]
[Conti] — 08/06/2021, 22:00:50 — Message 53/81
[redacted].pdf [ 69kB ]
[Conti] — 08/06/2021, 22:00:54 — Message 54/81
[redacted] - Employee agreement [redacted].docx [ 44kB ]
[Conti] — 08/06/2021, 22:00:59 — Message 55/81
[redacted] - Employee agreement [redacted].docx [ 46kB ]
[Conti] — 08/06/2021, 22:01:04 — Message 56/81
[redacted].PNG [ 83kB ]
[Conti] — 08/06/2021, 22:01:08 — Message 57/81
Agreement [redacted].docx [ 42kB ]
[Conti] — 08/06/2021, 22:01:11 — Message 58/81
2020 [redacted] (1).xlsx [ 21kB ]
[Conti] — 08/06/2021, 22:01:51 — Message 59/81
[redacted].pdf [ 5.4MB ]
[Victim] — 09/06/2021, 19:48:31 — Message 60/81
thank you, pulling those files down now
[Victim] — 10/06/2021, 22:33:54 — Message 61/81
just wanted to let you know, my boss and the higher ups are having meetings to discuss this. I will keep you updated, as much as i can.
[Conti] — 11/06/2021, 00:15:13 — Message 62/81
thanks
[Victim] — 13/06/2021, 14:26:20 — Message 63/81
definitely appreciate your patience. Haven't received work yet (most likely due to the weekend). Will keep you updated.
[Victim] — 16/06/2021, 17:56:06 — Message 64/81
do we have an agreement?
[Conti] — 16/06/2021, 18:02:14 — Message 65/81
We are still waiting, but not for too long.
[Victim] — 16/06/2021, 18:22:08 — Message 66/81
are you declining our offer?
[Conti] — 16/06/2021, 18:28:09 — Message 67/81
would you please repeat your offer, seems like your message didn't go through
[Victim] — 16/06/2021, 18:29:28 — Message 68/81
This message was send before - thats still out of our range($274,350). our offer $175k.
[Conti] — 16/06/2021, 18:30:16 — Message 69/81
I an confused, where have you sent your offer?
[Conti] — 16/06/2021, 18:30:34 — Message 70/81
I don't see any relevant message within this chat
[Victim] — 17/06/2021, 15:19:02 — Message 71/81
woah... I am just seeing those messages now. I did not send those messages
[Victim] — 17/06/2021, 15:21:07 — Message 72/81
are you in talks with other people? maybe the framework picked up cross talk?
[Conti] — 17/06/2021, 15:21:44 — Message 73/81
Perhaps one of your employees writes here
[Conti] — 17/06/2021, 15:23:47 — Message 74/81
Send your current offer now
[Conti] — 17/06/2021, 16:22:00 — Message 75/81
No, that's impossible, suppose some of your employees send the messages, maybe we should move to another chat making it private?
[Victim] — 17/06/2021, 18:19:20 — Message 76/81
i am working on getting that answer for you. yeah moving to a new chat might be best. how can we do that?
[Victim] — 17/06/2021, 20:41:17 — Message 77/81
i have an update from my boss/higher ups
[Conti] — 17/06/2021, 20:42:04 — Message 78/81
I will provide the new chat ID within an hour.
[Victim] — 17/06/2021, 20:42:19 — Message 79/81
ok thanks.
[Victim] — 18/06/2021, 16:56:18 — Message 80/81
Ok, i made it over to that chat and sent a msg.
[Conti] — 18/06/2021, 17:00:48 — Message 81/81
Ok, let's move there, should I block this chat forever?
