// Ransomware Negotiation Transcript
Conti Ransomware Negotiation — Redacted Organisation
// Context
About This Negotiation
This transcript documents a Conti ransomware negotiation with a redacted victim organisation. The negotiation consisted of 81 messages exchanged.
The initial ransom demand was $1.7M. The negotiation resulted in a confirmed payment.
// Primary Source
Full Transcript — Verbatim
Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.
Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
What do you want?
Hello?
readme.txt [ 1kB ]
Hello, please wait answer
ok
As you already know - your network and all of your data were encrypted by CONTI team. Besides the encryption process we've downloaded a large pack of your internal documents and files that will be published in case our negotiations fail. How it happens can be seen on our website.
The recovery price is $1700000 (45 BTC). If you want to make sure we can recover all of your data - you can send us the two files of your choice and we will decrypt them free of charge.
If we reach mutual agreement your will be provided with decryption tool, none of your internal data will be published and you will be provided with security tips on how to avoid further breaches.
We strongly recommend to review our offer in a timely manner to avoid additional expenses from your side on security software and on building the new network from scratch.
The example data pack will be provided soon, which will include part of the file tree list and some actual data you can review.
30perclisting.zip [ 223kB ]
You can choose any 2 files from the listing, we will discard them as proof that the files were really stolen
You can also send 2 files for a free decrypt
---
Upon conclusion of the agreement, our price includes
1) Universal decryptor for your network
2) Permanently delete all stolen information + logs of removing
3) Security advisories and report how we infiltrated your system
datapack.7z [ 47.2MB ]
Have you reviewed the documents and our offer?
If we will not receive the response today we shall start transmitting your data to 3-rd parties step by step notifying your clients and employees about the breach and on how you guard their data.
we have just pulled down the files for review.
i will let you know when we are done.
how do we know if you are able to recover our machines?
You can provide two random low-value encrypted files and we will decrypt them as a proof and upload back
It took you two days to download files from review? We are not that patient and you should be more operative otherwise we will consider you stalling
will provide the files. No, it did not take us 2 days to download the files and review. we only logged back on this morning and saw that you sent them.
[redacted] Office.doc.[redacted] [ 533kB ]
[redacted].pdf.[redacted] [ 75kB ]
Will upload the decrypted files asap.
[redacted].pdf [ 74kB ]
[redacted] Office.doc [ 533kB ]
ok thank you
we are currently still reviewing everything.
additionally, my higher up are requesting additional proofs because you are asking 45btc which is quite a lot of money.
What proof do you need?
We showed that we can decrypt files
Select any 2 files from the listing archive and we will discard them to you
Having received the decryptor, you can start working in 2 hours
Read about us on the Internet - we work honestly. It is much more profitable to conclude an agreement with us than to incur losses
thats for that additional information. will pass this information along to my boss. I will also let you know the file names once they let me know.
Still haven't heard anything yet. Will try to get an answer as soon as possible.
Ok, keep me updated
will do.
haven't heard anything yet from my boss (most likely because it is the weekend). I should have more information tomorrow
good morning. I have a meeting here shortly and should have those file names for proof of decryption
hello
what file names ? Are you talking about 100% listing?
from the file listing you sent me earlier
Proof of file decryption - you sent 2 files to us, we deciphered them and threw them off.
File with the title "30perclisting.zip"
Here is a list of 20 - 30 percent stolen information from your network.
When you conclude an agreement, you will receive a decryptor for your entire network and return the state of computers to their previous state in a few hours
yes im sorry. I confused myself.
any updates?
yes sorry, sending the filenames over now.
ok, waiting.
ok finally received the list
uploading the text file now
FileRequest.txt [ 2kB ]
Well, it's way more than 2 files, but we will provide.
Sorry about that but definitely appreciated!
2019_[redacted].xlsx [ 43kB ]
2019_[redacted].xlsx [ 152kB ]
Logo [redacted].pdf [ 87kB ]
[redacted].pdf [ 69kB ]
[redacted] - Employee agreement [redacted].docx [ 44kB ]
[redacted] - Employee agreement [redacted].docx [ 46kB ]
[redacted].PNG [ 83kB ]
Agreement [redacted].docx [ 42kB ]
2020 [redacted] (1).xlsx [ 21kB ]
[redacted].pdf [ 5.4MB ]
thank you, pulling those files down now
just wanted to let you know, my boss and the higher ups are having meetings to discuss this. I will keep you updated, as much as i can.
thanks
definitely appreciate your patience. Haven't received work yet (most likely due to the weekend). Will keep you updated.
do we have an agreement?
We are still waiting, but not for too long.
are you declining our offer?
would you please repeat your offer, seems like your message didn't go through
This message was send before - thats still out of our range($274,350). our offer $175k.
I an confused, where have you sent your offer?
I don't see any relevant message within this chat
woah... I am just seeing those messages now. I did not send those messages
are you in talks with other people? maybe the framework picked up cross talk?
Perhaps one of your employees writes here
Send your current offer now
No, that's impossible, suppose some of your employees send the messages, maybe we should move to another chat making it private?
i am working on getting that answer for you. yeah moving to a new chat might be best. how can we do that?
i have an update from my boss/higher ups
I will provide the new chat ID within an hour.
ok thanks.
Ok, i made it over to that chat and sent a msg.
Ok, let's move there, should I block this chat forever?
// Analysis
Analyst Observations
- The final settlement represented a 100% reduction from the initial demand — a significant discount achieved through negotiation.
- Conti was a major ransomware operation that effectively shut down in May 2022 after internal chat logs were leaked. Members dispersed to other groups including Royal, BlackBasta, and Karakurt.