// Ransomware Negotiation Transcript

Conti Ransomware Negotiation — Redacted Organisation

27Messages
UnknownDuration
UnknownInitial Demand
UnknownOutcome
// Context

About This Negotiation

This transcript documents a Conti ransomware negotiation with a redacted victim organisation. The negotiation consisted of 27 messages exchanged.

The initial demand is not clearly stated in the transcript. The final outcome is not confirmed in the transcript.

// Primary Source

Full Transcript — Verbatim

Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.

Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
[Victim] — 12/17/2021, 2:18:29 AM — Message 1/27
Hi I want to make sure if you can recovery my data this is my id [redacted]
[Victim] — 12/17/2021, 2:37:14 AM — Message 2/27
How much data did you already have?
[Victim] — 12/17/2021, 3:12:11 AM — Message 3/27
hello
[Conti] — 12/17/2021, 3:19:38 AM — Message 4/27
hello
[Conti] — 12/17/2021, 3:21:06 AM — Message 5/27
before we start dialog send me name of your domain and random names of few servers
[Victim] — 12/17/2021, 3:24:44 AM — Message 6/27
My files encrypted with .[redacted] extension and the name of server is [redacted]
[Conti] — 12/17/2021, 3:28:11 AM — Message 7/27
ok
[Victim] — 12/17/2021, 3:29:57 AM — Message 8/27
can you give some file from the server ?
[Victim] — 12/17/2021, 3:31:10 AM — Message 9/27
can I request name of file
[Conti] — 12/17/2021, 3:32:51 AM — Message 10/27
yes, i can do it, but later about requesting the name you can try, but i' m not sure that it will be in our listing
[Victim] — 12/17/2021, 3:34:48 AM — Message 11/27
How long do I ave to wait for decrypted file ?
[Victim] — 12/17/2021, 3:36:02 AM — Message 12/27
Can I get ticket number so I can contact you later with my previous request
[Conti] — 12/17/2021, 3:37:23 AM — Message 13/27
what do you mean? after you pay you get decryption software
[Victim] — 12/17/2021, 3:37:45 AM — Message 14/27
I request two files name that mention below [redacted] Assessment.docx Template_OWASPv4_Checklist.xlsx show me if you can recovery the file
[Conti] — 12/17/2021, 3:38:46 AM — Message 15/27
send me here encrypted files and i' ll do decrypt
[Victim] — 12/17/2021, 3:38:55 AM — Message 16/27
I' ve not pay decryption software yet, but You said give us free for two files I just want to make sure if you can decrypt it
[Victim] — 12/17/2021, 3:39:15 AM — Message 17/27
Template_OWASPv4_Checklist.xlsx.[redacted] [ 408.02 KB ]
[Victim] — 12/17/2021, 3:40:20 AM — Message 18/27
not the files , just wait , I' ve problem with my connection
[Victim] — 12/17/2021, 3:41:13 AM — Message 19/27
I cannot upload others file
[Conti] — 12/17/2021, 3:42:53 AM — Message 20/27
maybe it' s big, try some smaller file
[Victim] — 12/17/2021, 3:43:28 AM — Message 21/27
it just 10MB
[Conti] — 12/17/2021, 3:44:56 AM — Message 22/27
it' s too big for this chat
[Victim] — 12/17/2021, 3:47:59 AM — Message 23/27
oh , okay just try to decrypt file that I upload before
[Conti] — 12/17/2021, 3:48:15 AM — Message 24/27
ok, wait
[Conti] — 12/17/2021, 8:50:29 AM — Message 25/27
Template_OWASPv4_Checklist.xlsx [ 407.50 KB ]
[Conti] — 12/17/2021, 7:53:17 PM — Message 26/27
you checked file?
[Conti] — 12/20/2021, 9:20:03 PM — Message 27/27
in 2 days i' ll start publish your data
// Analysis

Analyst Observations

  • Conti was a major ransomware operation that effectively shut down in May 2022 after internal chat logs were leaked. Members dispersed to other groups including Royal, BlackBasta, and Karakurt.

Facing a Ransomware Demand?

Whether you choose to negotiate or refuse — having specialists in the room changes the outcome.

Contact Us Now Our Negotiations Service →