// Context
About This Negotiation
This transcript documents a Conti ransomware negotiation with a redacted victim organisation.
The negotiation consisted of 50 messages exchanged over roughly ten days, from 20 August to 30 August 2021 (per the transcript timestamps).
The initial ransom demand was $980,000 (20.02 BTC). The negotiation resulted in a confirmed payment at a final agreed price of $350,000, roughly 64% below the opening demand.
// Primary Source
Full Transcript — Verbatim
Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.
Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com; we will act promptly.
[Victim] — 20/08/2021, 23:27:05 — Message 1/50
Please help us in decrypting the files
[Conti] — 20/08/2021, 23:32:29 — Message 2/50
We will provide details on how to proceed shortly. 10-15 minutes.
[Conti] — 20/08/2021, 23:48:25 — Message 3/50
As you already know - your network and all of your data were encrypted by CONTI team. Besides the encryption process, we've downloaded a large pack of your internal documents and files that will be published in case our negotiations fail. How it happens can be seen on our website
The recovery price is $980,000 (20.02 BTC). If you want to make sure we can recover all of your data - you can send us two files of your choice and we will decrypt them free of charge.
If we reach mutual agreement you will be provided with a decryption tool, none of your internal data will be published and you will be provided with security tips on how to avoid further breaches.
We strongly recommend reviewing our offer in a timely manner.
[Victim] — 22/08/2021, 02:15:37 — Message 4/50
Are we able to see what is in that larger pack of documents that you took from us? This is a lot of money for us to pay without knowing what we are paying to protect.
[Conti] — 22/08/2021, 02:18:32 — Message 5/50
Yes, sure. Will upload asap.
[Conti] — 23/08/2021, 00:12:44 — Message 6/50
listing_[redacted].rar [ 1.8MB ]
[Conti] — 23/08/2021, 00:18:31 — Message 7/50
[redacted]DATA.zip [ 74.2MB ]
[Conti] — 23/08/2021, 00:34:34 — Message 8/50
Upon conclusion of the agreement, our price includes
1) Universal decryptor for your network
2) Permanently delete all stolen information + logs of removing
3) Security advisories and report how we infiltrated your system
---
You can choose any 2 files from the listing, we will discard them as proof that the files were really stolen
You can also send 2 files for a free decrypt
[Conti] — 23/08/2021, 00:35:09 — Message 9/50
How quickly do you want to conclude an agreement?
[Victim] — 23/08/2021, 00:35:48 — Message 10/50
Quickly, but we need some time tomorrow to review what you sent. It's late on a Sunday and no one is here. We'll get you an update tomorrow.
[Victim] — 24/08/2021, 02:03:09 — Message 11/50
Hello. We have spent the day reviewing and wanted to see if you would be able to accept $228,000 in return for a quick payment tomorrow. We can start looking for bitcoin brokers in the morning if this is acceptable.
[Conti] — 24/08/2021, 02:12:53 — Message 12/50
No. We can give a small discount for speed
Do you need a decryptor and data deletion?
[Victim] — 24/08/2021, 05:55:35 — Message 13/50
Yes we need both. We will work to pay quickly. What can you do to help us?
[Conti] — 24/08/2021, 06:01:15 — Message 14/50
Good
If you pay by the end of the week - 30% discount
$680,000
[Victim] — 24/08/2021, 06:02:48 — Message 15/50
Ok, it's late here so I will bring this to the team first thing in the morning. Thank you.
[Victim] — 24/08/2021, 18:59:30 — Message 16/50
Thanks for being patient with us. I had a chance to talk with our finance team after they spoke with our primary bank today. We have the ability to take out a $60,000 loan which we can offer you. This would set us up to be able to pay you $288,000. We would really appreciate it if we can come to some sort of agreement as we have exhausted our options to come up with cash for you. I'm doing all I can here to get approvals and such, but it's just proving to be challenging.
[Conti] — 24/08/2021, 21:53:09 — Message 17/50
We see that you want to conclude an agreement and can make a small step
$630,000
[Conti] — 24/08/2021, 21:53:31 — Message 18/50
[redacted] - until the end of the week
[Victim] — 24/08/2021, 23:18:45 — Message 19/50
Thanks. I will get in touch with our finance team and CEO in the morning to see what they are able to find. I know that they had not had positive news with our secondary bank given that someone told them it was for a ransom and they declined our application. Is there any BEST price that we could pay if we agreed on something tomorrow? Right now you are asking for more than double what we can possibly offer you, so maybe there is some benefit if we can pay you fast?
[Conti] — 25/08/2021, 03:54:43 — Message 20/50
We can make it $500k if we close the deal tomorrow.
[Victim] — 25/08/2021, 04:26:28 — Message 21/50
Ok let me get the team together in the morning and I will get back to you. Thank you.
[Victim] — 25/08/2021, 16:06:51 — Message 22/50
Ok, I was able to have a meeting with the finance team and CEO to discuss your proposal. We really appreciate your willingness to come down for us in return for a quick payment. The team had been able to confirm that if paid today, we can offer $330,000. But we would need to know soon because there are some hurdles on our end to try to get a payment out today.
[Conti] — 25/08/2021, 16:09:49 — Message 23/50
$500,000 today.
[Victim] — 25/08/2021, 16:13:12 — Message 24/50
We don't have access to $500,000 today, tomorrow, next week, or any time. We are trying to give you our best offer that we can here, because anything higher is impossible for us to pay you.
[Conti] — 25/08/2021, 17:18:14 — Message 25/50
Do you remember that we've had access to your network and went through your financial data? We wouldn't ask for anything you are unable to afford.
[Victim] — 25/08/2021, 17:22:29 — Message 26/50
Yes, but if you saw our expenses you would see that our margins are extremely slim. Our industry relies on being the most affordable option, which means accepting slim margins to get work. Revenue may look good, but when we realize only 2% to 4%, you start to see that we are not extremely profitable.
[Conti] — 25/08/2021, 17:26:01 — Message 27/50
I'll talk to the team anyways, will try to get smth better but not sure if my boss agrees.
[Victim] — 25/08/2021, 17:30:23 — Message 28/50
Thank you. I know you guys are looking to make money off of us, but we just want to be realistic with you here regarding what we can actually pay.
[Conti] — 25/08/2021, 17:59:48 — Message 29/50
$350k today
[Victim] — 25/08/2021, 21:08:15 — Message 30/50
Okay, we are working on this
[Victim] — 25/08/2021, 22:50:42 — Message 31/50
Will you be around in about 1-2 hours? We should have the funds sent to you by then
[Conti] — 25/08/2021, 22:52:14 — Message 32/50
ok
[Victim] — 25/08/2021, 23:28:50 — Message 33/50
Payment has been sent
[Victim] — 25/08/2021, 23:50:40 — Message 34/50
Are you there?
[Conti] — 25/08/2021, 23:52:22 — Message 35/50
yes
[Conti] — 25/08/2021, 23:52:49 — Message 36/50
We expect confirmations
[Conti] — 26/08/2021, 00:37:18 — Message 37/50
[redacted]_decryptor.exe [ 103kB ]
[Conti] — 26/08/2021, 00:37:46 — Message 38/50
Decryptor:
1) Launch the decryptor under administrative rights
2) Wait till the decryptor window is closed
3) If any of the files haven't changed the extension back to the original - repeat 1 and 2
[Victim] — 26/08/2021, 02:30:51 — Message 39/50
Thank you, what about the log for removing the stolen information and the security advisories and report? When will we receive those?
[Victim] — 26/08/2021, 20:31:17 — Message 40/50
Hello?
[Conti] — 26/08/2021, 20:36:46 — Message 41/50
wait please
[Conti] — 26/08/2021, 20:37:31 — Message 42/50
- We recommend that you configure restrictions on system actions for ordinary users on all workstations.
- Change passwords every 2 weeks and create more complex ones
- Install an antivirus on every computer
- Disable LSASS dump on all computers
- Monitoring of users on the network 2 times a week
- Restrict access to servers for regular users
- Reduce the number of domain admins
- Set up a more complex data backup system
[Conti] — 27/08/2021, 03:02:06 — Message 43/50
[redacted].log [ 16.2MB ]
[Victim] — 27/08/2021, 15:09:23 — Message 44/50
Thank you. Are you able to share the exact computer and method used to access our network?
[Victim] — 27/08/2021, 18:23:16 — Message 45/50
Why does the deletion log have fewer files than the file tree that you sent earlier? 166,429 files in the listing.txt vs the 149,914 files in [redacted].log
[Victim] — 27/08/2021, 23:47:16 — Message 46/50
Hello?
[Conti] — 29/08/2021, 13:56:53 — Message 47/50
These are directory. Your files are removed. We work honestly.
[Victim] — 29/08/2021, 14:53:19 — Message 48/50
What does that mean "these are directory?"
[Victim] — 30/08/2021, 15:23:35 — Message 49/50
Also, are you able to share the exact computer and method used to access our network?
[Conti] — 30/08/2021, 22:22:47 — Message 50/50
mail