fog Ransomware Negotiation — Redacted Organisation

Hi

What are the instruction to restore our data?

Hi are you there?

What payment?

Any news?

Hello, we don't know how to make the payment or how to facilitate it for you. On the other hand, we are a very small company and cannot afford the payment you are mentioning. What options do we have? And about the three files what is the procedure?

We are willing to cooperate, but the amount requested is far beyond our capabilities as a small company. We can offer a smaller sum and pay it as soon as possible. Additionally, we need to clearly understand the payment process and the guarantees we have to securely recover our data. Please provide detailed instructions on how to proceed and assure us that we will receive all our data without further issues

What number do you mean?

We can offer $120,000 and want to be transparent, avoiding a prolonged negotiation. Additionally, we need to understand how to make the payment. We will provide several files for you to decrypt to verify your capabilities.

We are agreeable to proceeding with the following conditions: First, we will provide several encrypted files for you to decrypt as proof of your decryption capabilities. Following this, we will make an initial payment of $120,000 in exchange for the instructions and necessary tools to decrypt the rest of our systems. Once we have successfully recovered our data, we will make a final payment of $30,000. In return, we expect a report detailing how the attack was carried out and confirmation that all our data has been removed from your possession and any related systems

[provides a zip archive of encrypted files]

We couldn't find the file you mentioned, could you tell us where this file should be located and what it contains?

Isn't in this directory

We understand your position, but we must adhere to our agreed-upon model. We need to follow the steps we outlined previously: first providing a portion of the payment, receiving the necessary decryption instructions, and then completing the full payment upon confirmation. Additionally, specify which cryptocurrency it is for the payment.

Once the payment is made, how does the decryption process work? What guarantees do we have that all our data will be fully recovered and secured? We also want to understand what you will provide to us after the payment. Please understand that we are concerned due to our lack of experience with situations like this and need reassurance that everything will be resolved properly.

We need to finalize the financial and legal aspects on our end before proceeding with the payment. Once everything is ready and the payment is made, we will notify you immediately.

We are currently reviewing the payment method, and since we are not familiar with this process, we are unsure how to proceed. Could you explain how this is typically done and which services are usually used? We want to ensure that everything is handled correctly.

Thanks ,we are checking, but the registration process and validation will take some time.

The cryptocurrency purchase platform needs to verify the user, and this won't be completed until tomorrow. The process is turning out to be quite long and complex for us.

Sure

We have conducted an initial test to verify that the process we're following is correct. Could you confirm that you have received the first transfer of $5? Meanwhile, we are in the process of acquiring the total amount of cryptocurrency needed for the full payment, but it is taking some time.

Okay, we are in the process of obtaining the full amount. Once we have it, we will proceed with the transfer.

Once the payment is received, what are the next steps?

We are gathering the payment in the exchange, but we need to proceed gradually with the euro money transfers to the wallet. I believe we can have it ready in less than 48 hours. Maybe in 24 hours. I'll keep you informed.

From the moment we make the payment transfer, how long will it take you to send me the decryptors for Windows files and virtual machines? Will you send them here, or should I give you an email?

Hi, I already have the funds available. I'm going to make a small test transfer from this wallet, and then the rest will be ok?

Please give me 3 hours and we will proceed. I write to you here. Thank you.

Hi, we just did the test transfer. Please tell me everything is ok.

When you verify it we make the final large transfer.

ok Sr.

We proceed to make the payment. Can you confirm that I will have the decrypters instantly please?

You're online?

ok, thanks. wait a minute please

we are working on it, give me just 2 minutes. please prepare the decrypters to send me.

it's OK.

Transfer OK.

It has arrived, can you confirm it for me?

Thanks!

ok, sr.

OK, we'll try it out and I'll write to you if there are any questions or problems. Thanks.

[provides a PNG file] It gives us an error with the ESXI, I attach an image

maybe too many files on the machine?

we are having some problems. I leave you screenshots:[provides 2 PNG files]

I am attaching the files that we cannot decrypt. Let's see if you can help us since they are very important to be able to operate:[provides 3 TXT files]

We have carried out the test of specifying a machine instead of a folder and it does not give an error, but it does not decrypt either.

It is a very serious problem for us. Please, help.

For example, these files are impossible to decrypt (and they are small):[provides 8 .FOG files]

We are very concerned because those machines are the SAP and two other environments we use to operate the business. Without these environments, we cannot function. Let me tell you which machines they are:

1 - [redacted]-flat.vmdk 1 - [redacted].vmdk 0 - [redacted]-flat.vmdk 0 - [redacted]-flat.vmdk [redacted]-flat.vmdk [redacted]-flat.vmdk 0 - [redacted]-flat.vmdk 0 - [redacted].vmdk [redacted]-flat.vmdk [redacted]-ctk.vmdk

And swap files: vmx-[redacted].vswp vmx-0 - [redacted].vswp vmx-[redacted].vswp vmx-[redacted].vswp [redacted].vswp

And .vmsd file: 0 - [redacted].vmsd

And also many other files in .log format that are secondary and not needed to start the machines.

How can we solve this? Do you need me to share more files that we cannot decrypt?

I have shared some small files above that cannot be decrypted.

All the files we cannot decrypt are these (I already listed them above, but here they are again for your reference):

This is very urgent because we cannot operate the business without it. We have tried everything possible. We have tried decrypting locally, on other machines, specifying directory paths, and the final paths of the machines.

ok let's try it.

Using -- threads 16 and other parameters that we have tried does not work, I attach an image:[provides a PNG file]

Let's test the permissions issue of the second option. However, we run it as root.

We tried the third option yesterday and this morning and it doesn't work for us.

Now I'll tell you about the issue of permissions.

None of the options work.

Without these files we cannot operate, they are the core of the organization.

Do you want me to upload virtual machines to the cloud, or give you access to a system?

please help

OK sr. Thanks!!!![provides a .vswp.fog file]

I'm sending you this small file so that your team can analyze why the decrypter doesn't decrypt. We followed all your instructions. Let's see if you can try it in your environment. It's 83Mb of file so you don't have to pass anything bigger that is difficult to handle.

[provides a JPG file] In this image more information with the permissions:[provides another JPG file]

Thanks!!!!

OK, thank you very much for your attention. We will be waiting for your news.

In a few hours you will have the files in a repository. Does that seem okay to you? This way we will not be able to share so many gigabytes. Thank you very much, without these virtual machines our entire company cannot work. It is the core of the business.

Thank you very much

We almost have a machine uploaded to the cloud to share the link with you. We have uploaded a "small" 1.2Gb file of those that also cause problems and are on critical routes for us:

[REDACTED URL]

Give me a few minutes and I'll send you the link for the vdmk machine

Thank you for your help. Without these operational vdmk machines our company would go bankrupt.

We have the vdmk uploaded to the cloud. I am sending you credentials:

sftp://[redacted].vmdk.fog

Password: [redacted]

We are waiting for your news. With these files and the 83Mb one I sent you earlier that is also causing problems, I think your programmers could see what is wrong with the decrypter.

We are very concerned because all the critical files of vmdk virtual machines are in this situation. (8 machines)

Thanks

Hi, sorry to bother you. I wanted to know if we'll receive any updates today on how to resolve the file decryption issues. We are overwhelmed as we cannot decrypt files like the ones I mentioned in the conversation. Thank you, sorry for the insistence.

Please, if you don't help us, our company will close, and we will lose our jobs.

Thanks!!!!

Can we turn off the SFTP machine where we have uploaded the .vmdk file?

We can leave it active if necessary.

Ok thanks

OK,wait a moment.