// Ransomware Negotiation Transcript

fog Ransomware Negotiation — Redacted Organisation

73Messages
UnknownDuration
$290,000Initial Demand
UnknownOutcome
// Context

About This Negotiation

This transcript documents a fog ransomware negotiation with a redacted victim organisation. The negotiation consisted of 73 messages exchanged.

The initial ransom demand was $290,000. The final outcome is not confirmed in the transcript.

// Primary Source

Full Transcript — Verbatim

Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.

Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
[Victim] — Friday, 30 August 2024 16:56:22 — Message 1/73
We have found what appears to be your notes on our systems with links that we have followed here. What are the next steps and what is going on?
[fog] — Friday, 30 August 2024 17:35:20 — Message 2/73
Hello. Wait please. I'll get back with details.
[Victim] — Sunday, 01 September 2024 16:57:05 — Message 3/73
Hello? Any news?
[fog] — Monday, 02 September 2024 07:47:38 — Message 4/73
[provides a plain TXT files list] that's what's been taken from your network
[fog] — Monday, 02 September 2024 13:45:34 — Message 5/73
We can decrypt your systems in a couple of hours for only $290,000. Just send us 3 random encrypted files to be sure - we'll decrypt them for free.
[Victim] — Wednesday, 04 September 2024 19:37:39 — Message 6/73
Can you send us the files from the list we have provided below? 08/29/2024 04:28 AM 98,075 [redacted].pdf 08/29/2024 06:59 AM 165 [redacted].xlsx 08/29/2024 03:50 AM 15,571 [redacted].xlsx 08/29/2024 03:59 AM 28,381 [redacted].docx 08/29/2024 04:01 AM 32,193 [redacted].pdf
[fog] — Wednesday, 04 September 2024 20:11:55 — Message 7/73
[provides a 7zip compressed archive]
[Victim] — Sunday, 08 September 2024 13:19:56 — Message 8/73
Hello, we are still working on gathering encrypted files small enough to send over to you, but it's almost impossible to find any due to the way all of our systems were locked up in the first place. We hope to have something soon, but we will reach back out once we do.
[fog] — Sunday, 08 September 2024 14:40:00 — Message 9/73
I can wait until Monday only
[Victim] — Monday, 09 September 2024 23:59:59 — Message 10/73
Hello, we are still trying to pull some sample encrypted files to send to you but we are running into a lot of issues because our systems aren't available to grab the files off of. We will hopefully have a file or two tomorrow to send over.
[fog] — Tuesday, 10 September 2024 08:57:22 — Message 11/73
I hope so
[fog] — Tuesday, 10 September 2024 08:57:29 — Message 12/73
I cant wait more
[Victim] — Tuesday, 10 September 2024 13:35:13 — Message 13/73
Ok, we will have those files over today.
[fog] — Tuesday, 10 September 2024 14:02:13 — Message 14/73
I wait
[Victim] — Wednesday, 11 September 2024 13:49:27 — Message 15/73
[provides 3 encrypted files] Please see the attached files.
[fog] — Wednesday, 11 September 2024 14:06:55 — Message 16/73
[provides 2 decrypted files]
[fog] — Admin 14:42:56 — Message 17/73
its time to perform payment
[Victim] — Thursday, 12 September 2024 01:04:56 — Message 18/73
Hello, thank you for your patience to this point as we try and navigate our way through this. We have been working at verifying and reviewing everything you’ve given us and while we want to get this resolved, we simply don’t have 290,000 to send you. Is there any discount from you to be had so that we can maybe get this to some sort of resolution with you?
[fog] — Thursday, 12 September 2024 10:05:00 — Message 19/73
if you make payment by Saturday evening I can take 255k to get to a resolution
[Victim] — Thursday, 12 September 2024 23:25:23 — Message 20/73
Hello, thank you for your patience to this point as we try and navigate our way through this. We have been working at verifying and reviewing everything you’ve given us and while we want to get this resolved, we simply don’t have 290,000 to send you. Is there any discount from you to be had so that we can maybe get this to some sort of resolution with you?
[fog] — Friday, 13 September 2024 08:28:37 — Message 21/73
if you make payment today evening I can take 255k to get to a resolution
[Victim] — Monday, 16 September 2024 13:32:42 — Message 22/73
Thank you for the reduction, but even at that number it’s more than we have on hand. Can you please give us a number that we can take back to the firm’s leadership and see what can be done?
[fog] — Monday, 16 September 2024 14:41:41 — Message 23/73
what did you leadership said about 255k?
[fog] — Monday, 16 September 2024 14:42:30 — Message 24/73
what do you have on hand?
[fog] — Wednesday, 25 September 2024 14:28:27 — Message 25/73
I see
[fog] — Wednesday, 25 September 2024 14:29:22 — Message 26/73
I will leak your files
[Victim] — Wednesday, 09 October 2024 13:18:41 — Message 27/73
We are still interested in getting a decryptor to unlock a small portion of our data, but it’s not nearly worth 255,000. What is the lowest number you will take?
[fog] — Wednesday, 09 October 2024 14:19:51 — Message 28/73
I will wake 255k
[fog] — Wednesday, 09 October 2024 14:20:07 — Message 29/73
what is it worth?
[fog] — Wednesday, 09 October 2024 14:20:16 — Message 30/73
what would you say?
[Victim] — Thursday, 10 October 2024 14:34:22 — Message 31/73
Hello, we are willing to pay 25,000 so we can both move on from this. That’s about what it would take for us to just completely reconstitute the data anyway.
[fog] — Thursday, 10 October 2024 15:01:32 — Message 32/73
how much would it take for you to keep this situation secret?
[Victim] — Thursday, 10 October 2024 16:36:05 — Message 33/73
$25,000 is what we have and could send you as soon as possible
[fog] — Thursday, 10 October 2024 18:34:58 — Message 34/73
you don't care if your files leaked?
[fog] — Thursday, 10 October 2024 18:35:11 — Message 35/73
no I don't take 25k
[fog] — Thursday, 10 October 2024 18:35:37 — Message 36/73
I can take 150k if you need decrypter only
[Victim] — Wednesday, 16 October 2024 16:50:19 — Message 37/73
While we appreciate the reduction for just the decryptor, we would also like for our data to be deleted from your possession and for proof of that being deleted. We can come up on our price, but we don’t have what you are asking for. We can do $60k that we can send immediately, and is more than double what we offered before. But that’s all we have onhand to send. Please consider our offer and we will get the process started of sending that money over to you.
[fog] — Wednesday, 16 October 2024 17:23:38 — Message 38/73
$200,000 for data deletion and unlockers. You have the last chance
[Victim] — Saturday, 26 October 2024 20:09:12 — Message 39/73
Hello, it’s taken us quite a while, but we have been able to source an additional 40,000 and we can now offer you 100,000 to get this done as soon as possible. This has been very stressful for us and we have exhausted all avenues of getting additional funding. If you accept, we will get the process started to send the money to you ASAP.
[fog] — Sunday, 27 October 2024 08:52:28 — Message 40/73
hi
[fog] — Sunday, 27 October 2024 08:54:39 — Message 41/73
I cannot accept this for both data and unlockers but ok I can accept that for unlockers only
[fog] — Sunday, 27 October 2024 08:54:49 — Message 42/73
175k for everything would let me get it resolved today
[fog] — Wednesday, 30 October 2024 12:23:39 — Message 43/73
hi
[fog] — Wednesday, 30 October 2024 12:26:36 — Message 44/73
are you leaving me?
[Victim] — Thursday, 31 October 2024 14:49:23 — Message 45/73
Honestly, it's taken us this long just to collect what we've been able to collect and at the price that you're wanting, we'd just rather put the extra 75k into rebuilding the data we're missing. We've been trying to come to an agreement here, but we've exhausted all options and this is what we have.
[fog] — Thursday, 31 October 2024 15:02:54 — Message 46/73
Does it mean our deal is off?
[fog] — Thursday, 31 October 2024 15:03:25 — Message 47/73
Do you understand that your files will be leaked?
[fog] — Tuesday, 05 November 2024 13:32:00 — Message 48/73
[REDACTED URL]
[Victim] — Tuesday, 05 November 2024 17:35:37 — Message 49/73
Hello, the deal is not off. We have offered what we think is a generous offer to have a small portion of our data unlocked that we weren’t able to retrieve from backups. If you are going to walk away from 100,000 just to release our data, then we will have no choice but to reconstruct the data with that 100,000 and move on.
[fog] — Tuesday, 05 November 2024 18:03:59 — Message 50/73
hi
[fog] — Tuesday, 05 November 2024 18:04:17 — Message 51/73
ok send 100k here [redacted] and we get this resolved
[fog] — Tuesday, 05 November 2024 18:04:27 — Message 52/73
tell me when ready to send
[Victim] — Wednesday, 06 November 2024 17:18:51 — Message 53/73
We are in the process of converting the funds now. I will reach back out once we have that process complete. Just so we are clear, you will provide us with a decryptor, proof of you deleting our data, and a report on how you got into our network?
[fog] — Wednesday, 06 November 2024 19:06:05 — Message 54/73
Yes, we will provide you with everything you outlined.
[fog] — Friday, 08 November 2024 16:30:25 — Message 55/73
Hello. How long should I wait? Next week I will have to leak your files.
[Victim] — Saturday, 09 November 2024 18:24:46 — Message 56/73
Payment has been made. Can you please provide the items as soon as possible?
[fog] — Saturday, 09 November 2024 19:07:52 — Message 57/73
received. wait please
[Victim] — Wednesday, 13 November 2024 14:30:32 — Message 58/73
Hello, can you please provide the items to us?
[fog] — Admin 14:43:43 — Message 59/73
Windows unlocker.exe -nomutex -console -target \\SERVER\C$ unlocker.exe -nomutex -console -target C:\ Esxi \ LINUX chmod +x unlocker_key ./unlocker_key --id [redacted] --log --target "/vmfs/volumes/"
[Victim] — Sunday, 24 November 2024 22:52:40 — Message 60/73
Can you help us out with some files that don't see to be decrypting? I've attached them.
[fog] — Monday, 25 November 2024 09:44:09 — Message 61/73
wait
[Victim] — Monday, 25 November 2024 14:32:18 — Message 62/73
The decryptor that we have isn't working on these files. Can you send me a decryptor that works?
[fog] — Monday, 25 November 2024 14:50:28 — Message 63/73
Give us error logs and explain your actions in more details.
[Victim] — Tuesday, 26 November 2024 14:22:26 — Message 64/73
These are the best logs we can find.
[Victim] — Tuesday, 26 November 2024 14:24:02 — Message 65/73
We're just attempting to run the decryptor and it's simply not decrypting some of the files.
[fog] — Tuesday, 26 November 2024 16:44:33 — Message 66/73
wait
[fog] — Tuesday, 26 November 2024 16:46:09 — Message 67/73
are you trying to decrypt files on windows?
[Victim] — Tuesday, 26 November 2024 20:20:24 — Message 68/73
Yes
[fog] — Wednesday, 27 November 2024 12:27:26 — Message 69/73
the problem is the path to files is too long
[fog] — Wednesday, 27 November 2024 12:28:23 — Message 70/73
the decrypter works correctly
[fog] — Wednesday, 27 November 2024 12:28:55 — Message 71/73
try to fix files in a different folder
[Victim] — Wednesday, 27 November 2024 16:19:10 — Message 72/73
We shortened the path and it's still not working
[fog] — Wednesday, 27 November 2024 19:32:06 — Message 73/73
give us the log as well
// Analysis

Analyst Observations

  • This transcript documents a fog ransomware negotiation. The exchange provides insight into the group's negotiation tactics and communication style.

Facing a Ransomware Demand?

Whether you choose to negotiate or refuse — having specialists in the room changes the outcome.

Contact Us Now Our Negotiations Service →