// Context
About This Negotiation
This transcript documents a Fog ransomware negotiation with a redacted victim organisation.
The negotiation consisted of 60 messages exchanged over an unknown period.
The initial ransom demand was $800,000. The final outcome is not confirmed in the transcript.
// Primary Source
Full Transcript — Verbatim
Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.
Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
[Victim] — Friday, 27 September 2024 13:24:06 — Message 1/60
Hello, we found several of our systems encrypted with your ransomware. Can we talk about resolving this?
[fog] — Friday, 27 September 2024 14:06:37 — Message 2/60
hi
[fog] — Friday, 27 September 2024 14:07:03 — Message 3/60
I will give you details soon and we will talk
[fog] — Friday, 27 September 2024 14:15:28 — Message 4/60
[provides a compressed RAR files list]
this is what's been taken
[Victim] — Friday, 27 September 2024 16:36:06 — Message 5/60
We will need some time to take a look at this. In the meantime how would we get our systems decrypted?
[fog] — Friday, 27 September 2024 22:14:03 — Message 6/60
when you pay you receive decrypter to fix your systems
[fog] — Friday, 27 September 2024 22:14:25 — Message 7/60
I will tell you the price for decrypter soon
[Victim] — Sunday, 29 September 2024 19:12:47 — Message 8/60
How much would the decrypter cost? Can you confirm that our files would be deleted from your servers and that you will not publish our name or share the data?
[fog] — Sunday, 29 September 2024 20:55:39 — Message 9/60
yes I can confirm your files will be deleted and your name will not be published
[fog] — Sunday, 29 September 2024 20:56:09 — Message 10/60
I will tell you price soon
[fog] — Tuesday, 01 October 2024 11:24:46 — Message 11/60
If you want your data fully decrypted and the files we stole removed from our source, you will have to pay a fee. We will also be able to provide a security report and explain how we did it to get in. The bosses are demanding $800,000 for said services.
[fog] — Wednesday, 02 October 2024 12:47:10 — Message 12/60
Do we work?
[Victim] — Wednesday, 02 October 2024 15:17:22 — Message 13/60
$800,000 is too high. We are looking to reach an agreement and can offer $150,000 to get this finished quickly.
[fog] — Wednesday, 02 October 2024 15:47:34 — Message 14/60
There's no way we're going to agree to that amount. I don't think we can even give you a $150,000 discount. our demand is more than reasonable in your case. I will talk to the bosses
[fog] — Wednesday, 02 October 2024 20:15:53 — Message 15/60
bosses agreed to take 715k for everything
[Victim] — Thursday, 03 October 2024 16:10:09 — Message 16/60
How do we know the decrypter will work? Could you decrypt some files for us so we can be sure this will work on our systems
[fog] — Thursday, 03 October 2024 16:13:58 — Message 17/60
yes
[fog] — Thursday, 03 October 2024 16:16:09 — Message 18/60
give me a few
[Victim] — Admin 18:46:52 — Message 19/60
[provides a zip archive of files to decrypt]
there are a few small encrypted files in here
[fog] — Friday, 04 October 2024 08:16:51 — Message 20/60
give me some time
[fog] — Friday, 04 October 2024 09:57:54 — Message 21/60
[provides 5 decrypted files]
[Victim] — Saturday, 05 October 2024 13:54:06 — Message 22/60
Thank you. Our business isn't doing as well as we used to and we don't have insurance to cover this. We can't afford anywhere near that amount. We would still like to resolve this, but it needs to be close to our previous offer
[fog] — Saturday, 05 October 2024 16:35:23 — Message 23/60
I can't close the case at your previous offer
[fog] — Saturday, 05 October 2024 16:36:35 — Message 24/60
you need to add something to your offer
[Victim] — Monday, 07 October 2024 10:39:33 — Message 25/60
Cash is really tight for us, we are doing all we can but can only raise our offer to $175,000.
[fog] — Monday, 07 October 2024 11:30:12 — Message 26/60
I talked to the bosses. $500,000 and we can end this today. I don't think that you will get any better deal
[Victim] — Tuesday, 08 October 2024 15:27:22 — Message 27/60
We simply cannot afford that. We have rebuilt most of our systems without the decrypter. Can we agree at $200,000 today?
[fog] — Tuesday, 08 October 2024 16:09:59 — Message 28/60
bosses agree to take 350k today
[fog] — Tuesday, 08 October 2024 16:10:24 — Message 29/60
this is the best bet price for the situation
[fog] — Tuesday, 08 October 2024 16:10:51 — Message 30/60
tell me when ready to make payment
[fog] — Tuesday, 08 October 2024 22:09:49 — Message 31/60
just take one last step, and we'll put this behind us.
[fog] — Tuesday, 08 October 2024 22:14:01 — Message 32/60
bosses can take one last step and decrease to 300k. the wallet is [redacted]
[fog] — Wednesday, 09 October 2024 19:05:01 — Message 33/60
hi
[fog] — Wednesday, 09 October 2024 19:05:12 — Message 34/60
are you leaving me?
[fog] — Wednesday, 09 October 2024 19:06:14 — Message 35/60
tell me should I wait the money today or what
[fog] — Thursday, 10 October 2024 11:40:41 — Message 36/60
I need your decision guys.
[fog] — Thursday, 10 October 2024 11:40:56 — Message 37/60
this week we have to close your case
[Victim] — Thursday, 10 October 2024 16:40:18 — Message 38/60
We can't go that high, we can offer $225,000
[fog] — Thursday, 10 October 2024 18:42:18 — Message 39/60
I can't take 225k
[fog] — Thursday, 10 October 2024 18:43:06 — Message 40/60
confirm 250k to me and I will make my bosses take the offer 250k
[fog] — Thursday, 10 October 2024 18:43:25 — Message 41/60
we can do that today only
[fog] — Friday, 11 October 2024 12:00:52 — Message 42/60
hello. what is your decision?
[Victim] — Friday, 11 October 2024 14:52:25 — Message 43/60
ok we will pay $250,0000, can you confirm you will provide a decrypter and you will delete all our data? We will need some time to arrange the payment
[fog] — Friday, 11 October 2024 15:48:03 — Message 44/60
I can confirm that you will receive the .exe files that you will need to run on your systems (win or esxi) to decrypt your files. We guarantee that you will be able to recover all the encrypted data. We will give you a deletion log file which means the files we stole were removed from our source.
[fog] — Friday, 11 October 2024 15:49:09 — Message 45/60
Please let me know when the money has been sent
[fog] — Saturday, 12 October 2024 10:15:05 — Message 46/60
hi
[fog] — Saturday, 12 October 2024 10:15:34 — Message 47/60
can you tell me when are you going to make payment?
[Victim] — Monday, 14 October 2024 18:36:15 — Message 48/60
we are sending a small amount to check it works ok. Can you confirm when you receive it?
[fog] — Monday, 14 October 2024 18:58:26 — Message 49/60
yes send please
[fog] — Monday, 14 October 2024 20:46:27 — Message 50/60
I received 0.0001 btc. you can send the full amount now
[Victim] — Tuesday, 15 October 2024 14:53:17 — Message 51/60
we are arranging the bitcoin for the full amount and will let you know when we are making the payment
[fog] — Tuesday, 15 October 2024 15:03:10 — Message 52/60
waiting, thanks
[Victim] — Tuesday, 15 October 2024 17:27:42 — Message 53/60
we've sent the payment
[fog] — Admin 18:20:08 — Message 54/60
[provides the decryptor in a 7zip compressed file]
Windows
unlocker.exe -nomutex -console -target \\SERVER\C$
unlocker.exe -nomutex -console -target C:\
Esxi \ LINUX
chmod +x unlocker_key
./unlocker_key --id [redacted] --log --target "/vmfs/volumes/"
[Victim] — Monday, 21 October 2024 09:51:08 — Message 55/60
Hi, we are working through recovering our systems but we cannot access our domain controller as you have changed the administrator password. Please could you tell us what the password for the domain administrator account was changed to?
[fog] — Monday, 21 October 2024 09:56:03 — Message 56/60
all domain admins passwords "gotochatplease"
[Victim] — Wednesday, 30 October 2024 09:17:47 — Message 57/60
Can you still provide us a report on how you got access into our network? Also can you confirm you have deleted all our data now?
[fog] — Wednesday, 30 October 2024 10:07:59 — Message 58/60
I will tell you soon
[Victim] — Monday, 04 November 2024 09:10:19 — Message 59/60
Do you have any update please?
[fog] — Monday, 04 November 2024 10:14:29 — Message 60/60
Your data has been deleted. Access to your network was gained through a phishing mail. Your staff should be more vigilant when downloading and opening unfamiliar files. We recommend that you implement the following measures to protect your corporate network:
1) Enforce passwords on local and domain admins. Complicate group policy on passwords for all users;
2) Using the group "Protected users";
3) Use centralised management of antivirus protection;
4) Inform users not to open suspicious emails and files;
5) Updating software and OS to current versions;
6) Set up permission delegations in the Active Directory;
7) Install an application to monitor activity in the Active Directory;
8) Use Vmware Esxi ver. 7.0 or more current.
Our team guarantees that any data taken from your network will not be disclosed, sold or published. Of course, this dialogue will also remain confidential.