// Ransomware Negotiation Transcript
Darkside Ransomware Negotiation — Redacted Organisation
// Context
About This Negotiation
This transcript documents a Darkside ransomware negotiation with a redacted victim organisation. The negotiation consisted of 24 messages exchanged.
The initial ransom demand was $25,000. The final outcome is not confirmed in the transcript.
// Primary Source
Full Transcript — Verbatim
Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.
Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
Hello. My files are encrypted. Can you help?
Hello
Yes, we can decrypt your all files
When will you pay? You don't have much time left to pay with a discount
Thank you. We are working as fast as we can. Can you please decrypt
the following files so we know that decryption is going to work?
[redacted]_L.jpg.[redacted]
60.85 kB
File:
[redacted]_M.jpg.[redacted]
14.8 kB
File:
[redacted]_T.jpg.[redacted]
8.81 kB
Yes. We will send the decrypted files shortly
First
[redacted].jpg
60.71 kB
Second
[redacted].jpg
14.66 kB
Third
[redacted]_T.jpg
8.67 kB
Thank you for decrypting the files. Our business has suffered during
the COVID pandemic. We can pay $184,922 in Bitcoin to restore our
computers.
If you pay within the next 24 hours we can give you $25,000 discount, but not more.
We searched your group and people say you take data. Did you take
any of our data? We can pay $226,000 in Bitcoin to restore our
computers.
$250,000 and we will finish this very quickly
Thank you. I will bring this to my management now. Are you able to tell me if your group took any data from our computers?
We didn't take data.
Thank you. We accept your offer of $250,000. Can you please confirm
the Bitcoin wallet. We have [redacted]
Confirmed.
Write after sending payment.
Payment sent, please confirm that it was received.
Linux decryption instruction:
1. Upload decryptor to esxi.
2. Set run permissions: chmod 777 decryptor
3. Run decryptor: ./decryptor
lin_decryptor.out
2.3 MB
The decryptor works in 2 modes:
1. GUI
2. Console
Three functions are available in GUI mode:
1. "DECRYPT ALL" - search and decrypt ALL encrypted files on the local
PC and on network resources (Shares), where this PC has access.
2. "DECRYPT FOLDER" - decrypts files in the specified folder, which you
can select in the "Browse for folders" window or drag and drop the
folder into the decryptor window.
3. "DECRYPT ONE FILE" - decrypts a single file, which you can open in
the "Open" window or drag and drop the encrypted file into the decryptor
window.
IMPORTANT!
Extension of encrypted files may not coincide with the extension of files, which the decryptor suggests to open!
To open encrypted files with other extensions, in the "Open" window
select, in the lower right corner of "All Files (*. *)" or just drag and
drop the given file into the decryptor window.
File extension does not affect the decryption of file!
Console mode has two parameters:
1. "-all" - search and decrypt ALL encrypted files on the local PC and on network resources (Shares), where this PC has access.
You can also use Group Policy to quickly decrypt your entire network.
2. "-path" - decrypts files in the specified folder or a single file.
3. Dragging and dropping an encrypted file or folder with encrypted files onto the decryptor file.
In this mode, the console window will open automatically, which will display the decryption process.
Command line examples:
> decryptor.exe -all
> decryptor.exe -path C:\Folder
> decryptor.exe -path C:\Folder\file.txt.[redacted]
win_decryptor.exe
76.5 kB
You have 48 hours for support. After that, this chat will be deleted.
// Analysis
Analyst Observations
- DarkSide is best known for the Colonial Pipeline attack in May 2021. The group shut down shortly after due to law enforcement pressure.