// Context
About This Negotiation
This transcript documents a Darkside ransomware negotiation with a redacted victim organisation.
The negotiation consisted of 24 messages exchanged over Unknown.
The initial ransom demand was $25,000. The final outcome is not confirmed in the transcript.
// Primary Source
Full Transcript — Verbatim
Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.
Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at
enquiries@binary-response.com — we will act promptly.
[Victim] — 1 day ago — Message 1/24
Hello. My files are encrypted. Can you help?
[Darkside] — 1 day ago — Message 2/24
Hello
[Darkside] — 1 day ago — Message 3/24
Yes, we can decrypt your all files
[Darkside] — 19 hours ago — Message 4/24
When will you pay? You don't have much time left to pay with a discount
[Victim] — 18 hours ago — Message 5/24
Thank you. We are working as fast as we can. Can you please decrypt
the following files so we know that decryption is going to work?
[redacted]_L.jpg.[redacted]
60.85 kB
[Victim] — 18 hours ago — Message 6/24
File:
[redacted]_M.jpg.[redacted]
14.8 kB
[Victim] — 18 hours ago — Message 7/24
File:
[redacted]_T.jpg.[redacted]
8.81 kB
[Darkside] — 15 hours ago — Message 8/24
Yes. We will send the decrypted files shortly
[Darkside] — 13 hours ago — Message 9/24
First
[redacted].jpg
60.71 kB
[Darkside] — 13 hours ago — Message 10/24
Second
[redacted].jpg
14.66 kB
[Darkside] — 13 hours ago — Message 11/24
Third
[redacted]_T.jpg
8.67 kB
[Victim] — 13 hours ago — Message 12/24
Thank you for decrypting the files. Our business has suffered during
the COVID pandemic. We can pay $184,922 in Bitcoin to restore our
computers.
[Darkside] — 12 hours ago — Message 13/24
If you pay within the next 24 hours we can give you $25,000 discount, but not more.
[Victim] — 12 hours ago — Message 14/24
We searched your group and people say you take data. Did you take
any of our data? We can pay $226,000 in Bitcoin to restore our
computers.
[Darkside] — 11 hours ago — Message 15/24
$250,000 and we will finish this very quickly
[Victim] — 11 hours ago — Message 16/24
Thank you. I will bring this to my management now. Are you able to tell me if your group took any data from our computers?
[Darkside] — 11 hours ago — Message 17/24
We didn't take data.
[Victim] — 10 hours ago — Message 18/24
Thank you. We accept your offer of $250,000. Can you please confirm
the Bitcoin wallet. We have [redacted]
[Darkside] — 10 hours ago — Message 19/24
Confirmed.
[Darkside] — 9 hours ago — Message 20/24
Write after sending payment.
[Victim] — 9 hours ago — Message 21/24
Payment sent, please confirm that it was received.
[Darkside] — 9 hours ago — Message 22/24
Linux decryption instruction:
1. Upload decryptor to esxi.
2. Set run permissions: chmod 777 decryptor
3. Run decryptor: ./decryptor
lin_decryptor.out
2.3 MB
[Darkside] — 9 hours ago — Message 23/24
The decryptor works in 2 modes:
1. GUI
2. Console
Three functions are available in GUI mode:
1. "DECRYPT ALL" - search and decrypt ALL encrypted files on the local
PC and on network resources (Shares), where this PC has access.
2. "DECRYPT FOLDER" - decrypts files in the specified folder, which you
can select in the "Browse for folders" window or drag and drop the
folder into the decryptor window.
3. "DECRYPT ONE FILE" - decrypts a single file, which you can open in
the "Open" window or drag and drop the encrypted file into the decryptor
window.
IMPORTANT!
Extension of encrypted files may not coincide with the extension of files, which the decryptor suggests to open!
To open encrypted files with other extensions, in the "Open" window
select, in the lower right corner of "All Files (*. *)" or just drag and
drop the given file into the decryptor window.
File extension does not affect the decryption of file!
Console mode has two parameters:
1. "-all" - search and decrypt ALL encrypted files on the local PC and on network resources (Shares), where this PC has access.
You can also use Group Policy to quickly decrypt your entire network.
2. "-path" - decrypts files in the specified folder or a single file.
3. Dragging and dropping an encrypted file or folder with encrypted files onto the decryptor file.
In this mode, the console window will open automatically, which will display the decryption process.
Command line examples:
> decryptor.exe -all
> decryptor.exe -path C:\Folder
> decryptor.exe -path C:\Folder\file.txt.[redacted]
win_decryptor.exe
76.5 kB
[Darkside] — 9 hours ago — Message 24/24
You have 48 hours for support. After that, this chat will be deleted.