Conti Ransomware Negotiation — Redacted Organisation

Messages: 17
Duration: Unknown
Initial Demand: $980,000
Outcome: Paid

About This Negotiation

This transcript documents a Conti ransomware negotiation with a redacted victim organisation. The negotiation consisted of 17 messages; its duration is recorded as unknown.

The initial ransom demand was $980,000. The negotiation resulted in a confirmed payment.

Full Transcript — Verbatim

Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.

Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
[Conti] — 4/9/2021, 8:58:53 AM — Message 1/17
Hello, are you ready to negotiate?
[Victim] — 4/25/2021, 9:10:41 AM — Message 2/17
please help, my files are encrypted!!!
[Conti] — 4/25/2021, 10:49:00 AM — Message 3/17
Please introduce yourself. You title and company name.
[Victim] — 5/6/2021, 11:34:38 AM — Message 4/17
company - [redacted]
[Victim] — 5/6/2021, 12:38:28 PM — Message 5/17
did you download any data from our system ?
[Victim] — 5/6/2021, 12:38:48 PM — Message 6/17
what is the next step ?
[Conti] — 5/6/2021, 1:02:43 PM — Message 7/17
Yes, we did. I will upload the 30% of the files we currently hold as a list. You will be able to choose any 2 random files of your choice from the list and we will upload them as a proof.
[Conti] — 5/6/2021, 1:05:37 PM — Message 8/17
As you already know - your network and all of your data were encrypted by CONTI team. Besides the encryption process we've downloaded a large pack of your internal documents and files that will be published in case our negotiations fail. How it happens can be seen on our website [REDACTED URL] The recovery price is $980000 (17 BTC). If you want to make sure we can recover all of your data - you can send us the two files of your choice and we will decrypt them free of charge. If we reach mutual agreement your will be provided with decryption tool, none of your internal data will be published and you will be provided with security tips on how to avoid further breaches. We strongly recommend to review our offer in a timely manner and contact your insurance provider to avoid additional expenses from your side on security software and on building the new network from scratch.
[Conti] — 5/6/2021, 1:05:59 PM — Message 9/17
30 % listing.txt [ 1.3MB ]
[Conti] — 5/6/2021, 1:08:17 PM — Message 10/17
Data Pack [redacted].zip [ 38.9MB ]
[Conti] — 5/8/2021, 9:29:23 AM — Message 11/17
you can send two random files for free test decrypt
[Victim] — 5/8/2021, 11:23:48 AM — Message 12/17
NTUSER.DAT_[redacted]_.TM.blf.[redacted] [ 65kB ]
[Victim] — 5/8/2021, 11:24:03 AM — Message 13/17
here is the encrypted file please help us fast.
[Victim] — 5/8/2021, 11:24:57 AM — Message 14/17
Are you there? Please reply us fast??
[Conti] — 5/8/2021, 3:54:19 PM — Message 15/17
yes. We're processing.
[Conti] — 5/8/2021, 3:57:42 PM — Message 16/17
We are ready to provide a 25% discount if the payment will be made within next 24 hours. The btc wallet for the payment is : [redacted] The decrypted file will be uploaded within 2 hours.
[Conti] — 5/8/2021, 7:30:59 PM — Message 17/17
NTUSER.DAT_[redacted]_.TM.blf [ 64kB ]
