// Ransomware Negotiation Transcript
Darkside Ransomware Negotiation — Redacted Organisation
// Context
About This Negotiation
This transcript documents a Darkside ransomware negotiation with a redacted victim organisation. The negotiation consisted of 63 messages exchanged.
The initial demand is not clearly stated in the transcript. The final outcome is not confirmed in the transcript.
// Primary Source
Full Transcript — Verbatim
Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.
Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
Is this support?
Yes, of course whats ups?
Tomorrow we will publicate your data
Tomorrow? We just got more information on this because IT didn't
tell us about this site. We want to learn more about your offering.
Tomorrow, of course , we done attack week ago, you didnt came
online, tomorrow we will add local mass media, and attack your
infrastructure by IP. thats our plan, on today, because you didnt start
dialog with us.
We didn't even know what was going on and we were misinformed. We
can't pay by tomorrow since we're just learning about this. Can you give
us more time so that we can handle this appropriately?
Your price is settled up, you are small client for us. Make your
choice today - you will be listed, or close question with us.
In case of close question nobody will now about this issue.
We can't pay $600,000 by tomorrow. We're not sure what we can pay
but we will certainly see what is available. Can you show us some data
that you have?
Do we have your word that you will not list us tomorrow?
We have full dumped your network by data, of course we can show
After payment you will get full file tree of stolen data.
After payment you will get: decrypt your system (network) file tree
of data, and i will explain your black holes, (network audit) discount
we cant make, sorry. You came too late on dialog, thats your problem.
We will not list your tomorrow, in case of agreement.
Sorry thats our buisness, we are only interested in to take money.
Okay, that is understood, but can we see anything that you have taken?
You are very small client, see your infrastructure, after agreement and payment
1) we will decrypt instantly your network
2) if you need - provide file tree , with all taken files
3) delete data from our servers
Some random files for proof:
[REDACTED URL]
[REDACTED URL]
pass: [redacted]
Don`t waste our time, how we don`t wasting your. Rules for all clients same.
Thank for understanding
We're not here to waste time. We're sorry for joining late. We'll review and get back to you.
Files where randomizded.
When will be done payment?? Or We should continue attacks ?
We are still reviewing the information. We only found out about the
$600,000 price. Our intention is not to push this to the side, but we
need some time to figure out what we can afford. This is the first time
we are dealing with this type of issue.
Whats your offer?
I know your resources very well, after your offer i will explain you what is what
We have a meeting set for tomorrow morning to discuss finances. Can we get back to you in the morning?
yes price you can see, i dont know about you want to talk, search
money. and we will do things, in other cay we are not interested in
dialog.
money money, can help you
Dont waste your time, as our. Its not our politic how we working, if
you have money, we can talk ,if you dont have, than we can go by sides.
we doesnt work like this
Price you can see in your administration panel.
Yes, but we will get back to you in the morning after the meeting. Is this okay?
Yes, OK.
As promised, we spoke today and can make an initial offer. It's been
a tough year for us and we're a tiny company. We hope you can see that.
Based on a few loans we received, we can pay you $110,000. If this
price is not suitable, then we'll need to look at outside sources for
cash. We're a small shop and don't have access to easy funding.
Then if your business doesnt gaving you profit, you should think about - close business like this.
We can do our best, give you some discount, but not big like you want
We just need a price we can afford. What type of discount can you give us?
10%.
So $540,000?
If that's the case, then we really have a lot of work to do here. We can't take on so much debt considering our size.
Are there any other files you can provide us so that we have more bargaining power with lenders?
We have already given files and a good discount.
You're asking 5x more than what we can afford to pay. We're putting
ourselves on the line and potentially in more debt as we speak with
lenders. We can't take all this on if we don't know what we're paying
for. All we need is some help from you.
Last evidence pack, other requests will be regarded as a waste of our time.
The package contains a variety of documents from different directories
-------
457 Megabytes
Download : [REDACTED URL]
Password : FKL59MBY}c?Uox~d$4QCNnVAE0@yOvmC
We're looking. Thanks
We see the data but we can't just print money and pay. We really
need a few days to see what other funding options we have. Can we get
back to you early next week with our options?
OK.
Thanks
We will have more news for you later today
Your price is still not possible for us but we do have a better
offer for you. We have an initial agreement with a funding source and
can pay you $200,000. You are asking a lot from a company of our size
and we are giving you all we can. Please let us know
Thanks for your offer, last what we can offer - is change price
right now to 250 000 USD , and you will pay money in 24 hours, other
offers we don`t have, because time cost money. We are doing very big
discount for you. After payment you will get - full decrypt of your
systems, and we will delete all your data from our servers.
Yes, this is a very big discount indeed. It's still more money than
what we have but we'll get back to you ASAP tomorrow once we review.
Thank you.
We pleasure your opinion - tomorrow we waiting payment from your
side. Discount is very big - we never do discounts like this - we work
on mathematical algorithms. As well this discount where decided by team -
its not agreement by one person.
We done our best. We changing price right now, tomorrow we waiting for payment.
Have a nice day
Refresh page, price changed - tomorrow we waiting for money. Good luck
We held an emergency meeting. The lender was not happy but they are
discussing this and they understand the urgency. We told them that we
need to hear from them today but they have to get their own approval
first. Can we reach out to you tomorrow with their decision? We really
don't want to let this slip away.
We told, our rules, please guys be serious, situation by your side,
not by our. We already get agreement in our team about price witch we
done, it`s very good discount we know that in your hands have
possibility to pay amount of money witch we getting agreement. Price
where settled up, you can start pay by parts, it`s not problem.
We completely understand. We just can't commit to a price until we
speak to the lender, because they're in control of the money. They'll
have news for us tomorrow.
Alright. The lender agreed! They're going to wire us the money
tomorrow and our bitcoin broker will be able to pay you early next week.
Can you confirm what we'll receive from you?
Your payment currency is XMR (monero) not bitcoins.
Can you confirm what we will receive from you?
Yes.
- Windows decryptor.
- Deleting data and blog post.
- Support for 2 days after decryption.
Okay we will be able to pay monero next week
What date?
Aiming for the 27th
Ok
If you don't contact us within the next 24 hours we will publish your data
// Analysis
Analyst Observations
- DarkSide is best known for the Colonial Pipeline attack in May 2021. The group shut down shortly after due to law enforcement pressure.