// Ransomware Negotiation Transcript

Conti Ransomware Negotiation — Redacted Organisation

32Messages
UnknownDuration
$1.2MInitial Demand
UnknownOutcome
// Context

About This Negotiation

This transcript documents a Conti ransomware negotiation with a redacted victim organisation. The negotiation consisted of 32 messages exchanged.

The initial ransom demand was $1.2M. The final outcome is not confirmed in the transcript.

// Primary Source

Full Transcript — Verbatim

Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.

Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
[Victim] — 08/11/2021, 20:11:24 — Message 1/32
hi, I need to decrypt my files
[Victim] — 08/11/2021, 20:11:49 — Message 2/32
the ID I found on my pc is ---BEGIN ID--- [redacted] ---END ID---
[Victim] — 08/11/2021, 20:15:19 — Message 3/32
can you help me ?
[Conti] — 08/11/2021, 22:23:58 — Message 4/32
Hello! Can we help you, name your company and the person who communicates with us, are you authorized to negotiate?
[Victim] — 08/11/2021, 22:28:35 — Message 5/32
hi, my name is [redacted] and I can negotiate with you
[Victim] — 08/11/2021, 22:37:36 — Message 6/32
i'm an IT Consultant that the company call for this case
[Conti] — 08/11/2021, 22:38:44 — Message 7/32
name your company?
[Victim] — 08/11/2021, 22:39:00 — Message 8/32
[redacted]
[Victim] — 08/11/2021, 23:43:38 — Message 9/32
sorry, in Italy it is sleeping time ....
[Victim] — 08/11/2021, 23:43:56 — Message 10/32
have you any answer for us ?
[Victim] — 09/11/2021, 07:53:03 — Message 11/32
hi, any news for us ?
[Victim] — 09/11/2021, 14:12:20 — Message 12/32
Hi, are you online?
[Conti] — 09/11/2021, 18:37:33 — Message 13/32
Hello [redacted] Group
[Conti] — 09/11/2021, 18:39:08 — Message 14/32
Your network was hacked, infrastructure encrypted and we downloaded many private information from your servers. Important! We have instructions and follow them, they do not change. Important! Read carefully: 1. The BASE PRICE for decrypt and non-recoverable deletion is $1,200,000. 2. We have 14 days to negotiate! the end of the term, the BASE PRICE will be doubled & we will publish you for the purpose of selling access to your network and datas of your company. 3. But there is also a positive point in our conditions, if you pay quickly during the week, then the discount will be from the BASE PRICE of -30%. 4. The DISCOUNT PRICE (14 days from that date) will be: $840,000 5. BTC Wallet: [redacted] 6. To make sure that the decoder works, you can give us some files that do not contain important information, and we decode them to show performance. 7. As for the evidence that we have private information from your network, we can provide some of the tree files taken from you. You will select 5 files and we will provide them to you as evidence.
[Conti] — 09/11/2021, 18:39:51 — Message 15/32
[redacted]_SAMPLE_TREE.zip [ 344kB ]
[Conti] — 09/11/2021, 18:40:25 — Message 16/32
[REDACTED URL]
[Victim] — 09/11/2021, 20:01:35 — Message 17/32
thanks for your message. your request is very high, and it is impossibile for us to have so much money.
[Conti] — 09/11/2021, 20:09:03 — Message 18/32
Evaluate our offer, it is balanced and realistic, we understand your desire to reduce the costs of this incident. But let's be realistic, we have blocked all your infrastructure and threaten to publish data that in the long run + not installed infrastructure will make your losses many times the amount we ask. Let's go ahead, people who tell the management of your company that they can reduce the price - make mistakes, this will not happen. Our price is final. It will only grow. Ahead of the pullout of your data. You need to discuss this well before pulling time and then biting your elbows why the price has risen so much.
[Conti] — 09/11/2021, 20:12:23 — Message 19/32
We are waiting and ready for negotiations.
[Victim] — 09/11/2021, 20:13:18 — Message 20/32
I did not write to you because we want to save, but because it is a sum of money that is not possible. we understand our problem, and thank you for answering us
[Victim] — 09/11/2021, 20:13:51 — Message 21/32
with such a large sum of money our company goes bankrupt
[Victim] — 09/11/2021, 20:15:35 — Message 22/32
if the company closes the data is no longer needed by anyone. we don't need them anymore, and you don't get paid if we close
[Victim] — 09/11/2021, 20:17:46 — Message 23/32
we have availability for a maximum of 3 - 4 BTC, in addition we have to ask the banks for money and this is not possible in 14 days
[Conti] — 09/11/2021, 20:24:35 — Message 24/32
4. The DISCOUNT PRICE (14 days from that date) will be: $840,000
[Conti] — 09/11/2021, 20:24:45 — Message 25/32
[REDACTED URL]
[Victim] — 09/11/2021, 20:34:17 — Message 26/32
I fully understand your position, but you too must understand that it is not possible for us to recover all this money in 14 days
[Victim] — 09/11/2021, 20:34:44 — Message 27/32
please, let's try to find a meeting point
[Victim] — 09/11/2021, 20:38:05 — Message 28/32
we are offering 200.000 $
[Conti] — 09/11/2021, 20:38:20 — Message 29/32
What amount are you offering now? Name her $
[Victim] — 09/11/2021, 20:55:11 — Message 30/32
i hope you can accept, so we can close quickly
[Victim] — 09/11/2021, 20:57:21 — Message 31/32
I believe that $ 200,000 is a very important amount of money for both of us
[Victim] — 09/11/2021, 20:57:22 — Message 32/32
I believe that $ 200,000 is a very important amount of money for both of us
// Analysis

Analyst Observations

  • Conti was a major ransomware operation that effectively shut down in May 2022 after internal chat logs were leaked. Members dispersed to other groups including Royal, BlackBasta, and Karakurt.

Facing a Ransomware Demand?

Whether you choose to negotiate or refuse — having specialists in the room changes the outcome.

Contact Us Now Our Negotiations Service →