Conti Ransomware Negotiation — Redacted Organisation

Messages: 43
Duration: Unknown
Initial Demand: $850,000
Outcome: Paid

About This Negotiation

This transcript documents a Conti ransomware negotiation with a redacted victim organisation. The negotiation consisted of 43 messages exchanged over an unknown duration.

The initial ransom demand was $850,000. The negotiation resulted in a confirmed payment.

Full Transcript — Verbatim

Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.

Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
[Victim] — 2/9/2021, 9:38:39 AM — Message 1/43
Hi Are you there? I need your help urgently kindly reply me. My system is behaving abnormally after infected by your ransomware.
[Conti] — 2/9/2021, 9:48:37 AM — Message 2/43
Yes, we are here. Will provide further details within next few minutes.
[Conti] — 2/9/2021, 9:52:32 AM — Message 3/43
As you already know - your network and all of your data were encrypted by CONTI team. Besides the encryption process we've downloaded a large pack of your internal documents and files that will be published in case our negotiations fail. How it happens can be seen on our website [REDACTED URL] (TOR mirror: [REDACTED URL] The recovery price is $850000 in bitcoin. If you want to make sure we can recover all of your data - you can send us the two files of your choice and we will decrypt them free of charge. If we reach mutual agreement your will be provided with decryption tool, none of your internal data will be published and you will be provided with security tips on how to avoid further breaches. We strongly recommend to review our offer in a timely manner, you've waited too long to contact us and the press-release is already ready for publication.
[Victim] — 2/9/2021, 10:01:20 AM — Message 4/43
Please don't publish our data anywhere
[Victim] — 2/9/2021, 10:01:58 AM — Message 5/43
Tell me your demand how we can fix this thing?
[Conti] — 2/9/2021, 10:13:15 AM — Message 6/43
Please read the previous message once again. The recovery price is $850000 in bitcoin.
[Victim] — 2/9/2021, 10:19:00 AM — Message 7/43
It's so much? No Discount?
[Conti] — 2/9/2021, 10:21:54 AM — Message 8/43
You have been waiting to contact us for about three weeks while ignoring our emails and still ask for a discount? It's a luck that you data isn't published yet. It's way past the deadline.
[Victim] — 2/9/2021, 10:27:03 AM — Message 9/43
I know that I wasted so much time in thinking whether to pay or not but now I am ready to do payment atleast provide some discount please
[Conti] — 2/9/2021, 10:29:57 AM — Message 10/43
We can provide a 25% discount by going down to $635k if the payment will be made by the end of this week.
[Victim] — 2/9/2021, 10:37:06 AM — Message 11/43
Ok I am ready with this price tell me where I have to pay?
[Conti] — 2/9/2021, 10:40:54 AM — Message 12/43
The btc wallet for the payment is : [redacted] Let me know as soon as the payment is made.
[Victim] — 2/9/2021, 10:58:53 AM — Message 13/43
Thanks for the discount. Just want to ask one thing. Is your bitcoin address correct? I am getting issue while doing payment on your given address
[Conti] — 2/9/2021, 11:00:23 AM — Message 14/43
Yes, it is correct, but it's a segwit address. I will provide a new one within few minutes.
[Conti] — 2/9/2021, 11:01:23 AM — Message 15/43
You can use this one : [redacted]
[Victim] — 2/9/2021, 11:07:11 AM — Message 16/43
Thanks but it's not working is it segwit address or what? both the address are throwing same error. Might be because your address is new or created on blockchain and due to that I am getting the error.
[Conti] — 2/9/2021, 11:10:41 AM — Message 17/43
It is a new address, but that should not be an issue. What's the error code?
[Victim] — 2/9/2021, 11:15:17 AM — Message 18/43
Error code is "Transaction Server Failed" Might be because your address is new and empty. If you can provide me another address that have some balance probably it will work sometimes it happened due to zero or null value in blockchain if I am not wrong
[Conti] — 2/9/2021, 11:18:14 AM — Message 19/43
Try this one : [redacted]
[Victim] — 2/9/2021, 11:21:52 AM — Message 20/43
Thanks for your kind support but I think segwit it creating some issue can your provide non-segwit & non-empty address.
[Conti] — 2/9/2021, 11:28:50 AM — Message 21/43
Give me few minutes, I will try to find one.
[Victim] — 2/9/2021, 11:29:41 AM — Message 22/43
Ok no issue & Thanks once again for the discount
[Conti] — 2/9/2021, 11:30:53 AM — Message 23/43
That's not a common issue, have you tried to increase the fee? The blockchain network seems pretty busy today.
[Victim] — 2/9/2021, 11:33:48 AM — Message 24/43
I tried but it doesn't work for me. I know sometimes it happens in blockchain due to network issue so, I am not blaming you
[Victim] — 2/9/2021, 11:34:50 AM — Message 25/43
Btw Thanks for your amazing support service I thought that ransomware guys never respond properly but after talking to you I was wrong
[Conti] — 2/9/2021, 11:37:05 AM — Message 26/43
Glad to hear it. I am trying to find a suitable legacy wallet, but the fact is that we almost never use them, so it might take some time. Anyways, if you will be able to transfer the funds to any of the above wallets we will accept the deposit and provide you with a decryptor. Those three wallets are static and under our control.
[Victim] — 2/9/2021, 11:38:57 AM — Message 27/43
Meanwhile I will try no issue I understand your situation. If you have some more addresses and don't have any problem I will try on others if it works I will let you know
[Victim] — 2/9/2021, 11:43:32 AM — Message 28/43
[redacted] kindly check the payment on this address I just tried again I think funds has been transferred
[Victim] — 2/9/2021, 11:47:22 AM — Message 29/43
No need to check on that address again I got the error message
[Conti] — 2/9/2021, 11:54:15 AM — Message 30/43
[redacted] - try this.
[Victim] — 2/9/2021, 11:57:36 AM — Message 31/43
Same thing happening... you don't have legacy address with some balance. Blockchain network facing load issue I believe
[Conti] — 2/9/2021, 12:01:02 PM — Message 32/43
They are accumulated, so it basically has the parent balance. Nevermind, it seems to be a network issue due to high load, so let's just wait abit and keep trying within some interval.
[Victim] — 2/9/2021, 12:03:37 PM — Message 33/43
No Issue, I was also thinking the same I will try it like this only
[Victim] — 2/9/2021, 12:04:11 PM — Message 34/43
Can I ask few questions if you don't have any problem to answer? I am very curious to know about few things
[Conti] — 2/9/2021, 12:07:14 PM — Message 35/43
Sure, go ahead.
[Victim] — 2/9/2021, 12:09:03 PM — Message 36/43
Like why you started this ransomware business? How much you earned in this business?
[Conti] — 2/9/2021, 12:11:38 PM — Message 37/43
Oh, "those" questions. Unfortunately we have no interest in giving interviews, although the answers for both questions are pretty obvious, right?
[Victim] — 2/9/2021, 12:13:36 PM — Message 38/43
I know that everyone wants money whether it's you or me or anyone else this life runs on money. Without money no one can survive
[Victim] — 2/9/2021, 12:15:16 PM — Message 39/43
But do you think is this good business anyone can do it very easily because I talk to other people's they always said that ransomware guys earns lots of money. After wannacry cyber industry is changed
[Conti] — 2/9/2021, 12:27:44 PM — Message 40/43
I cannot provide any non-speculative answer to this question cause it's connected to an ongoing business enterprise. For now it seems to me like I am giving a public interview and as I have already told - we have no interest in spreading our position or opinion. Although I can provide you with some personal view of the situation after the payment is received and I become confident on whom I am speaking to.
[Victim] — 2/9/2021, 12:37:35 PM — Message 41/43
Ok no worries I understand
[Conti] — 2/9/2021, 5:02:10 PM — Message 42/43
I have to go offline for a while, let me know if you succeed with the payment. Seems like the bitcoin pools are feeling better based on the fact that we've managed to make several transactions today. All the provided wallets will be valid for the next 24 hours so you can choose any of them.
[Conti] — 2/10/2021, 10:11:21 AM — Message 43/43
Any success with the payment?
