// Context
About This Negotiation
This transcript documents a Conti ransomware negotiation with a redacted victim organisation.
The negotiation consisted of 34 messages exchanged over Unknown.
The initial ransom demand was $1.2M. The negotiation resulted in a confirmed payment.
// Primary Source
Full Transcript — Verbatim
Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.
Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at
enquiries@binary-response.com — we will act promptly.
[Conti] — 28/06/2021, 18:01:05 — Message 1/34
Hello, are you ready to negotiate?
[Victim] — 03/07/2021, 13:32:04 — Message 2/34
Yes tell me how much I have to pay. We are ready to pay you for our data. I have some questions also. after payment will you provide support service? And where I have to pay?
[Conti] — 04/07/2021, 19:52:51 — Message 3/34
We will provide all the relevant information the soonest possible.
[Conti] — 05/07/2021, 15:10:30 — Message 4/34
Please provide your company name
[Conti] — 06/07/2021, 14:26:54 — Message 5/34
Let me know if you need the decryption tool. The price will be based on this fact.
[Victim] — 09/07/2021, 11:43:33 — Message 6/34
company name is [redacted] now help us fast please
[Victim] — 09/07/2021, 11:43:50 — Message 7/34
please keep the price low it's a request
[Conti] — 09/07/2021, 11:45:19 — Message 8/34
We will discuss and let you know within few minutes.
[Victim] — 09/07/2021, 11:45:42 — Message 9/34
okay please stay online
[Conti] — 09/07/2021, 11:47:37 — Message 10/34
Are you acting on behalf of [redacted] ?
[Conti] — 09/07/2021, 11:52:04 — Message 11/34
Please provide us two files for the test decryption.
[Victim] — 09/07/2021, 12:07:03 — Message 12/34
ok wait
[Victim] — 09/07/2021, 12:14:03 — Message 13/34
desktop.ini.[redacted] [ 708B ]
[Victim] — 09/07/2021, 12:14:09 — Message 14/34
ntuser.ini.[redacted] [ 554B ]
[Victim] — 09/07/2021, 12:14:58 — Message 15/34
now help us fast please with your price and address. One question after payment in how much time we will get the decryptor??
[Victim] — 09/07/2021, 12:55:28 — Message 16/34
Are you there?? We are waiting for your reply?? How long we have to wait for it?
[Conti] — 09/07/2021, 13:02:00 — Message 17/34
we will provide the decrypted copies soon. Right now we are trying to figure out what of your resources were attacked, cause for now as we can see this particular strain of Conti was used in [redacted] network, so I ask you again, are you talking to us on their behalf?
[Conti] — 09/07/2021, 13:02:20 — Message 18/34
As soon as the payment is made the decryption tool will be provided within 20-30 minutes.
[Victim] — 09/07/2021, 13:03:20 — Message 19/34
Yes we are talking on behalf of them
[Conti] — 09/07/2021, 13:03:52 — Message 20/34
Do you need the list of the data that was taken from their network?
[Conti] — 09/07/2021, 13:04:49 — Message 21/34
The price for the decryption tool and the data for lounsburys.com is $1.25mil
[Victim] — 09/07/2021, 13:05:01 — Message 22/34
if you can provide it will be good
[Victim] — 09/07/2021, 13:05:11 — Message 23/34
Can you please provide some discount??
[Conti] — 09/07/2021, 13:06:26 — Message 24/34
We can make 25% discount if the payment will be made within 24 hours.
[Conti] — 09/07/2021, 13:08:17 — Message 25/34
desktop.ini [ 174B ]
[Conti] — 09/07/2021, 13:08:22 — Message 26/34
I've processed the request for the file tree list and example data pack to the tech dept. Will upload as soon as they reply
[Victim] — 09/07/2021, 13:08:31 — Message 27/34
Ok and where we have to pay??
[Conti] — 09/07/2021, 13:08:32 — Message 28/34
ntuser.ini [ 20B ]
[Conti] — 09/07/2021, 13:09:03 — Message 29/34
The btc wallet for the payment is : [redacted]
[Victim] — 09/07/2021, 13:13:41 — Message 30/34
Can you please provide non-segwit address if you don't have any problem
[Victim] — 09/07/2021, 13:15:20 — Message 31/34
Can we request one more thing please?? Amount is very huge.. can you accept the money into multiple addresses, if you don't have any problem. We will try to pay with diff-diff wallets. I hope you understand our situation. It's a humble request
[Conti] — 09/07/2021, 13:18:13 — Message 32/34
Here's the list of addresses for the payment, all are non-segwit :
[redacted]
[redacted]
[redacted]
[redacted]
[redacted]
[Conti] — 09/07/2021, 13:26:27 — Message 33/34
Let me know if you've received the addresses. I will have to go offline for a couple of hours but I will be able to get back to you later today.
[Victim] — 09/07/2021, 13:31:59 — Message 34/34
ok we are talking to higher management with all the details and I will update you by EOD otherwise tomorrow. We will try to pay you by today if higher mangement approves everything