Conti Ransomware Negotiation — Redacted Organisation

Messages: 46
Duration: Unknown
Initial Demand: $300,650
Outcome: Refused

About This Negotiation

This transcript documents a Conti ransomware negotiation with a redacted victim organisation. The negotiation consisted of 46 messages exchanged over an unknown duration.

The initial ransom demand was $300,650. The victim refused to pay.

Full Transcript — Verbatim

Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.

Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com; we will act promptly.

[Victim] — 12/08/2021, 19:03:07 — Message 1/46
Hello, we found the read-me note which brought us here.
[Conti] — 13/08/2021, 04:26:43 — Message 2/46
This is ContiLocker Team. Please, introduce yourself (Company name and your position) and we'll provide all necessary information. Sometimes our staff is busy, but we will reply as soon as possible. Be in touch, thank you
[Victim] — 13/08/2021, 14:25:51 — Message 3/46
Hello, I'm with [redacted], one of the IT Engineers. Please do get back to us as soon as possible with the necessary information.
[Conti] — 13/08/2021, 15:22:28 — Message 4/46
As you already know, we penetrated your network and were in it for over 2 weeks (enough to study all your documentation), encrypted your file servers, sql-servers, downloaded all important information weighing over 100 GB: personal data of customers, employees (home addresses, scans of personal documents, phone numbers), consolidated financial reports, studies, payrolls, bank statements. The good news is, we're businessmen. We want a ransom for anything that needs to be kept secret, and we don't want to ruin your business. The amount at which we are willing to go out on a limb for you and leave everything as collateral is $300,650. After payment, we will give you a tool to decrypt all your machines, a security report on how you were hacked, a file tree of what we downloaded from your network, and a log of the erasure of that information.
[Victim] — 13/08/2021, 16:30:55 — Message 5/46
How do we know that you can decrypt our machines? Can you decrypt a few files first?
[Conti] — 13/08/2021, 17:26:13 — Message 6/46
Yes, send 2-3 files to the chat room
[Victim] — 13/08/2021, 17:31:41 — Message 7/46
IOS Mitel mobile.docx.[redacted] [ 3.8MB ]
[Victim] — 13/08/2021, 17:31:53 — Message 8/46
[redacted] Logo.png.[redacted] [ 27kB ]
[Victim] — 13/08/2021, 17:32:03 — Message 9/46
[redacted] Prompts.docx.[redacted] [ 17kB ]
[Conti] — 13/08/2021, 20:39:48 — Message 10/46
IOS Mitel mobile.docx [ 3.8MB ]
[Conti] — 13/08/2021, 20:39:55 — Message 11/46
[redacted] Logo.png [ 26kB ]
[Conti] — 13/08/2021, 20:40:03 — Message 12/46
[redacted] Prompts.docx [ 17kB ]
[Conti] — 15/08/2021, 01:11:13 — Message 13/46
On Tuesday, we will begin publishing and selling your data. You are only a small loss of profit for us.
[Conti] — 15/08/2021, 01:13:39 — Message 14/46
50%.txt [ 5.7MB ]
[Conti] — 15/08/2021, 01:15:41 — Message 15/46
You can look at the list, it has half the data we took.
[Victim] — 16/08/2021, 02:10:11 — Message 16/46
Thank you for providing this. We will be back in touch on Monday
[Conti] — 16/08/2021, 16:17:59 — Message 17/46
It is Monday already. We're waiting for your decision.
[Victim] — 16/08/2021, 18:13:32 — Message 18/46
Hello, I am sorry, we are a small school and we are still discussing internally. Please give us some more time; we want to continue a dialogue with you. We just need some more time to talk with our management team. Thank you.
[Conti] — 16/08/2021, 18:56:25 — Message 19/46
24 hours.
[Victim] — 16/08/2021, 21:27:59 — Message 20/46
Please work with us here; we are a small college which serves the underprivileged. The amount you're asking is something we cannot pay.
[Conti] — 16/08/2021, 21:49:57 — Message 21/46
We are here. Your offer?
[Victim] — 17/08/2021, 01:28:12 — Message 22/46
We have $75,000 on hand that we could pay as soon as possible. Will you accept that?
[Conti] — 17/08/2021, 16:01:17 — Message 23/46
$75,000? Don't try to cheat us. We have got a lot of your data and encrypted your system. We have got a serious amount of your contracts and documentation. We have the personal data of your employees. We got a lot of information about your company from our pentest and OSINT departments. And you are trying to offer us a bit more than the yearly salary of a regular manager? This sum can cover only a part of the total amount we can get by selling your data and vulnerabilities on auctions. Moreover, because we are now aware of your network structure, the next attack can be implemented in a short time. It looks like you think we are stupid. Just a simple pentest on your company will cost about $40-50 thousand. And this is a price without stolen data. You have one more chance to give us an adequate offer. Otherwise, we will raise the ransom amount. We can only give you a small discount, if you decide to pay in 24 hours. Let your price be $250,000.
[Victim] — 17/08/2021, 17:39:39 — Message 24/46
$250,000 is too much for us. We are talking internally to see if we can borrow or loan an additional amount, which would give us $135,000. We are working to get this done as quickly as possible. Will you accept $135,000? We want to work with you, but please work with us.
[Conti] — 17/08/2021, 18:10:45 — Message 25/46
Okay, this is closer to a good offer. We can accept $175,000 if payment will be provided in 2 days.
[Victim] — 17/08/2021, 20:57:15 — Message 26/46
With the loan we are able to get a bit more and can pay $150,000. We can do this in 2 days or less. Please work with us here.
[Conti] — 17/08/2021, 21:09:46 — Message 27/46
Okay. Here is Bitcoin address: [redacted]
[Conti] — 17/08/2021, 21:10:22 — Message 28/46
Contact us immediately as the payment of $150,000 will be sent.
[Conti] — 17/08/2021, 21:24:51 — Message 29/46
After this you will receive the decryption software and recommendations to avoid such accidents in the future.
[Victim] — 17/08/2021, 21:34:43 — Message 30/46
Ok, thank you. I will let my management know and will keep you updated.
[Victim] — 17/08/2021, 21:35:47 — Message 31/46
Just to confirm that after payment we will receive the decryption tool that will work to decrypt all of the impacted files from your malware and we will also receive a full file tree and proof of deletion of our data?
[Conti] — 17/08/2021, 21:36:16 — Message 32/46
Yes
[Victim] — 18/08/2021, 21:49:56 — Message 33/46
We are working on the payment. Still waiting on the wire. We will still have it within the two days. Thank you for your patience.
[Conti] — 18/08/2021, 21:51:45 — Message 34/46
Okay, we are waiting. Bitcoin address is actual; please be attentive, the address is case-sensitive.
[Victim] — 18/08/2021, 23:59:06 — Message 35/46
Thank you, and just to be clear, this is the address we are to pay: [redacted]
[Victim] — 19/08/2021, 01:01:56 — Message 36/46
Ok, we made the payment. Can you please provide the tool, the full file listing and proof of deletion of files?
[Conti] — 19/08/2021, 04:18:03 — Message 37/46
We will work on confirming your payment and after this will make sure that you get everything
[Victim] — 19/08/2021, 14:04:21 — Message 38/46
Hello, just checking in again. Please provide everything. Here is confirmation: [REDACTED URL]
[Conti] — 19/08/2021, 15:40:35 — Message 39/46
[redacted]_decryptor.exe [ 103kB ]
[Conti] — 19/08/2021, 15:41:04 — Message 40/46
Decryptor:
1) Launch the decryptor under Administrative rights
2) Wait till the decryptor window is closed
3) If any of the files haven't changed the extension back to the original, repeat 1 and 2
[Conti] — 19/08/2021, 19:24:37 — Message 41/46
Our advice to you. Put a server in the domain that will download daily updates from Microsoft. And once a week or twice a week, distribute updates from this server to all computers and servers on your network. Thus, in the future you will protect your network from known public vulnerabilities. Also install Black Carbon or Sentinel antivirus. Make it a rule to change all important passwords once a month. You got a malware virus somewhere on the Internet. We used that tool and accessed your terminal. We received all necessary passwords from over there. The rest was easy.
[Victim] — 19/08/2021, 20:41:10 — Message 42/46
Thank you. When will you provide the full file listing of data as well as the proof of deletion?
[Conti] — 20/08/2021, 04:06:33 — Message 43/46
We are preparing your data for you. It's okay, we keep our word.
[Victim] — 20/08/2021, 14:18:18 — Message 44/46
Thank you
[Victim] — 22/08/2021, 17:00:43 — Message 45/46
Hello, just checking in on the data again.
[Conti] — 23/08/2021, 13:50:44 — Message 46/46
Mega.nz [redacted]@protonmail.com [redacted]

Analyst Observations
