// Context
About This Negotiation
This transcript documents a Conti ransomware negotiation with a redacted victim organisation.
The negotiation consisted of 63 messages exchanged over an unknown period.
The initial ransom demand was $950,000. The negotiation resulted in a confirmed payment.
// Primary Source
Full Transcript — Verbatim
Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.
Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com; we will act promptly.
[Victim] — 5/12/2021, 10:13:16 PM — Message 1/63
I need to recover my files
[Victim] — 5/13/2021, 12:03:30 AM — Message 2/63
hello?
[Victim] — 5/13/2021, 4:01:33 AM — Message 3/63
hello
[Conti] — 5/13/2021, 10:43:08 AM — Message 4/63
Hello, please identify your company
[Conti] — 5/17/2021, 10:25:21 AM — Message 5/63
Well? Are you ready to negotiate or we should start notifying your staff and partners?
[Victim] — 5/17/2021, 10:22:55 PM — Message 6/63
What do you guys want?
[Conti] — 5/18/2021, 6:11:12 AM — Message 7/63
As you already know - your network and all of your data were encrypted by CONTI team. Besides the encryption process we've downloaded a large pack of your internal documents and files (more than 500gb) that will be published in case our negotiations fail. How it happens can be seen on our website [REDACTED URL]
The recovery price is $950000 (21 BTC). If you want to make sure we can recover all of your data - you can send us the two files of your choice and we will decrypt them free of charge.
If we reach mutual agreement you will be provided with decryption tool, none of your internal data will be published and you will be provided with security tips on how to avoid further breaches.
We strongly recommend to review our offer in a timely manner.
[Conti] — 5/18/2021, 3:04:16 PM — Message 8/63
[redacted]_30_percent_listing.rar [ 1MB ]
[Victim] — 5/20/2021, 12:23:08 AM — Message 9/63
What is this file? Why is this costing 21 coins? We don't have this!!
[Conti] — 5/20/2021, 8:48:46 AM — Message 10/63
This file contains the 30% list of all the data we took from your network. It totally costs what we ask.
[Victim] — 5/20/2021, 2:32:57 PM — Message 11/63
You said earlier that you are ready to negotiate. What range will you actually negotiate to?
[Conti] — 5/20/2021, 3:47:16 PM — Message 12/63
We are ready to provide a 25% discount if the payment will be made by Monday.
[Victim] — 5/20/2021, 6:35:14 PM — Message 13/63
We don't have that type of money. Do you know what we do? Do you know how small our margins are?
[Conti] — 5/20/2021, 10:29:18 PM — Message 14/63
What is your offer?
[Victim] — 5/21/2021, 3:21:03 PM — Message 15/63
We really need to think this through. We can't sustain such a large payment. Can we let you know early next week?
[Conti] — 5/21/2021, 5:27:22 PM — Message 16/63
Yes, we will be waiting for your offer by Monday evening.
[Victim] — 5/21/2021, 10:07:57 PM — Message 17/63
Okay
[Conti] — 5/24/2021, 10:04:55 PM — Message 18/63
Well?
[Victim] — 5/24/2021, 10:30:19 PM — Message 19/63
Soon. Still ironing out a few things.
[Victim] — 5/25/2021, 12:20:14 AM — Message 20/63
Thanks for waiting. Given our margins and our type of business, it was difficult to come up with a large amount, but we're ready to offer you $125,000
[Conti] — 5/25/2021, 9:06:39 AM — Message 21/63
That is surely way lower than our usual demands, but taking into consideration your type of business we are ready to go down to $580k
[Victim] — 5/25/2021, 3:51:30 PM — Message 22/63
We're not viewing this as a negotiation. The decrease helps but all we have is $125,000. We collect debt on behalf of other companies and this is a low margin industry. This seems like a dead end at this rate.
[Conti] — 5/25/2021, 10:24:24 PM — Message 23/63
Well, we are going to ruin your business if you are not ready to meet about $500k. That's the lowest our group gets. We will be waiting a reply within 24 hours. If we will not receive it - we will show you what we can do.
[Victim] — 5/26/2021, 1:56:09 AM — Message 24/63
We've spoken to several brokers who work with you and know you have gone below $500k before, so please reconsider my proposal. I've offered you a substantial amount of money for my industry and want to reach a compromise with you. Please let me know if you have a better rate for me
[Conti] — 5/26/2021, 6:59:00 AM — Message 25/63
Yes, we had such cases in a private manner, we've discussed internally and the last offer we can make is to meet in between at the point of 352.5k. Let me know if you accept. Otherwise we shall start actions.
[Victim] — 5/26/2021, 12:43:22 PM — Message 26/63
This is still way off our mark. What could you possibly have that is worth so much?
[Victim] — 5/26/2021, 12:43:26 PM — Message 27/63
Can we see some more files?
[Victim] — 5/26/2021, 12:43:54 PM — Message 28/63
We see you're trying to work with us which we appreciate. It just feels a little hopeless right now.
[Conti] — 5/26/2021, 2:47:28 PM — Message 29/63
That's as low as we can get. And it's not only about the files that we've shown. I will upload the full listing soon, but if we won't be able to reach the agreement by tomorrow - we shall start notifying your employees and partners about the breach and on how you value their data.
[Victim] — 5/26/2021, 4:05:17 PM — Message 30/63
Getting the full listing will help us. Can we at least get until the end of the week to review the listing?
[Conti] — 5/26/2021, 4:38:39 PM — Message 31/63
[redacted]-full-listing.rar [ 3MB ]
[Victim] — 5/26/2021, 9:40:31 PM — Message 32/63
This contains everything that you extracted from us?
[Conti] — 5/27/2021, 9:14:21 AM — Message 33/63
Yes, correct.
[Victim] — 5/27/2021, 9:40:23 PM — Message 34/63
We should have our review done by tomorrow. Thank you.
[Conti] — 5/28/2021, 4:04:29 PM — Message 35/63
We are waiting for details from your side today.
[Victim] — 5/28/2021, 4:54:36 PM — Message 36/63
We've spoken about this. The file listing hasn't changed much because we had an idea of what was taken anyway. Money is still the biggest issue as we don't have the resources for excess payments. You're bringing us to the edge but we've gathered some more cash. $170,000 is our max.
[Conti] — 5/28/2021, 5:03:32 PM — Message 37/63
We are ready to accept. The wallet for the payment is : [redacted]
[Victim] — 5/28/2021, 8:23:38 PM — Message 38/63
We need time to move money and Monday is a bank holiday. Can we pay next week?
[Victim] — 5/28/2021, 8:23:57 PM — Message 39/63
And what will you provide to us after we pay $170,000?
[Conti] — 5/28/2021, 8:26:01 PM — Message 40/63
You will be provided with the decryption tool, data removal logs and security recommendations.
[Victim] — 5/28/2021, 9:31:20 PM — Message 41/63
This is a long weekend. Can we pay by the end of next week?
[Conti] — 5/28/2021, 10:18:25 PM — Message 42/63
Let's make it Wednesday? That's more than enough time I suppose.
[Victim] — 5/29/2021, 2:53:23 AM — Message 43/63
Okay, we just won't be able to move money until Tuesday, so it may be Wednesday or Thursday. I will keep you updated. I appreciate it!
[Conti] — 5/29/2021, 2:54:07 AM — Message 44/63
Ok, we will be waiting.
[Victim] — 5/29/2021, 3:00:16 AM — Message 45/63
Thank you
[Victim] — 6/1/2021, 9:23:34 PM — Message 46/63
We should be able to pay by tomorrow or Thursday. Thanks.
[Conti] — 6/1/2021, 10:01:44 PM — Message 47/63
Ok, let me know as soon as the transfer is made.
[Victim] — 6/2/2021, 8:47:04 PM — Message 48/63
We have the $170,000. Please confirm the address again.
[Conti] — 6/2/2021, 9:56:17 PM — Message 49/63
The btc wallet remains the same : [redacted]
[Victim] — 6/2/2021, 10:10:35 PM — Message 50/63
You should have it. Please confirm.
[Conti] — 6/2/2021, 10:11:28 PM — Message 51/63
Received. Will provide all the deliverables the soonest possible.
[Conti] — 6/2/2021, 11:05:25 PM — Message 52/63
[redacted]_decryptor.exe [ 103kB ]
[Conti] — 6/2/2021, 11:07:27 PM — Message 53/63
Decryptor:
1) Launch the decryptor under Administrative rights
2) Wait till the decryptor window is closed
3) if any of the files haven't changed the extension back to the original - repeat 1 and 2
[Victim] — 6/3/2021, 3:03:34 AM — Message 54/63
Okay thank you, please send the other deliverables when you have them
[Victim] — 6/3/2021, 10:16:01 PM — Message 55/63
Is it ready?
[Conti] — 6/4/2021, 2:03:06 PM — Message 56/63
You have been breached through the email phishing campaign. The overall security score is 2 out of 5.
Our recommendations will be :
1. Implement better email filtering policies
2. Implement tape-based backup hardware
3. Audit account access policies network wide
4. Rebuild the network using segmentation procedures
5. Implement better password policies
6. Block pass-the-hash and kerberoast attacks
7. Notify all your employees and security policies inside the company (opening email attachments, changing passwords, etc)
8. Buying better AV/EDR software
[Victim] — 6/4/2021, 8:23:17 PM — Message 57/63
Can you give us specific details on which account was breached? Also, how will you prove that the data has been deleted?
[Victim] — 6/8/2021, 12:36:46 PM — Message 58/63
Did you see the previous message?
[Conti] — 6/8/2021, 12:40:02 PM — Message 59/63
We will provide the data deletion log soon. Unfortunately we have no records on what account was initially infected. Sorry.
[Victim] — 6/9/2021, 3:19:26 PM — Message 60/63
Please let us know when it is ready
[Victim] — 6/11/2021, 12:48:36 PM — Message 61/63
Can you give us an update?
[Conti] — 6/17/2021, 6:49:44 PM — Message 62/63
[REDACTED URL]
[REDACTED URL]
Archive password: [redacted]
[Conti] — 6/17/2021, 6:49:52 PM — Message 63/63
Here's the deletion log.