// Ransomware Negotiation Transcript
fog Ransomware Negotiation — Redacted Organisation
// Context
About This Negotiation
This transcript documents a fog ransomware negotiation with a redacted victim organisation. The negotiation consisted of 60 messages exchanged.
The initial ransom demand was $800,000. The final outcome is not confirmed in the transcript.
// Primary Source
Full Transcript — Verbatim
Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.
Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
Hello, we found several of our systems encrypted with your ransomware. Can we talk about resolving this?
hi
I will give you details soon and we will talk
[provides a compressed RAR files list]
this is what's been taken
We will need some time to take a look at this. In the mean time how would we get our systems decrypted?
when you pay you receive decrypter to fix your systems
I will tell you the price for decrypter soon
How much would the decrypter cost? Can you confirm that our files would be deleted from your servers and that you will not publish our name or share the data?
yes I can confirm your files will be deleted and your name will not be published
I will tell you price soon
If you want your data fully decrypted and the files we stole removed from our source, you will have to pay a fee. We will also be able to provide a security report and explain how we did it to get in. The bosses are demanding $800,000 for said services.
Do we work?
$800,000 is too high. We are looking to reach an agreement and can offer $150,000 to get this finished quickly.
There's no way we're going to agree to that amount. I don't think we can even give you a $150,000 discount. our demand is more than reasonable in your case. I will talk to the bosses
bosses agreed to take 715k for everything
How do we know the decrypter will work? Could you decrypt some files for us so we can be sure this will work on our systems
yes
give me a few
[provides a zip archive of files to decrypt]
there are a few small encrypted files in here
give me some time
[provides 5 decrypted files]
Thank you. Our business isn't doing as well as we used to and we don't have insurance to cover this. We can't afford anywhere near that amount. We would still like to resolve this, but it needs to be close to our previous offer
I cant close the case at your previous offer
you need to add something to your offer
Cash is really tight for us, we are doing all we can but can only raise our offer to $175,000.
I talked to the bosses. $500,000 and we can end this today. I don't think that you will get any better deal
We simply cannot afford that. We have rebuilt most of our systems without the decrypter. Can we agree at $200,000 today?
bosses agree to take 350k today
this is the best bet price for the situation
tell me when ready to make payment
just take one last step, and we'll put this behind us.
bosses can take one last step and decrease to 300k. the wallet is [redacted]
hi
are you leaving me?
tell me should I wait the money today or what
I need your decision guys.
this week we have to close your case
We can't go that high, we can offer $225,000
I can't take 225k
confirm 250k to me and I will make my bosses take the offer 250k
we can do that today only
hello. what is your decision?
ok we will pay $250,0000, can you confirm you will provide a decrypter and you will delete all our data? We will need some time to arrange the payment
I can confirm that you will receive the .exe files that you will need to run on your systems (win or esxi) to decrypt your files. We guarantee that you will be able to recover all the encrypted data. We will give you a deletion log file which means the files we stole .were removed from our source.
Please let me know when the money has been sent
hi
can you tell me when are you going to make payment?
we are sending a small amount to check it works ok. Can you confirm when you receive it?
yes send please
I received 0.0001 btc. you can send the full amount now
we are arranging the bitcoin for the full amount and will let you know when we are making the payment
waiting, thanks
we've sent the payment
[provides the decryptor in a 7zip compressed file]
Windows
unlocker.exe -nomutex -console -target \\SERVER\C$
unlocker.exe -nomutex -console -target C:\
Esxi \ LINUX
chmod +x unlocker_key
./unlocker_key --id [redacted] --log --target "/vmfs/volumes/"
Hi, we are working through recovering our systems but we cannot access our domain controller as you have changed the administrator password. Please could you tell us what the password for the domain administrator account was changed to?
all domain admins passwords "gotochatplease"
Can you still provide us a report on how you got access into our network? Also can you confirm you have deleted all our data now?
I will tell you soon
Do you have any update please?
You data has been deleted. Access to your network was gained through a phishing mail. Your staff should be more vigilant when downloading and opening unfamiliar files. We recommend that you implement the following measures to protect your corporate network:
1) Enforce passwords on local and domain admins. Complicate group policy on passwords for all users;
2) Using the group "Protected users";
3) Use centralised management of antivirus protection;
4) Inform users not to open suspicious emails and files;
5) Updating software and OS to current versions;
6) Set up permission delegations in the Active Directory;
7) Install an application to monitor activity in the Active Directory;
8) Use Vmware Esxi ver. 7.0 or more current.
Our team guarantees that any data taken from your network will not be disclosed, sold or published. Of course, this dialogue will also remain confidential.
// Analysis
Analyst Observations
- This transcript documents a fog ransomware negotiation. The exchange provides insight into the group's negotiation tactics and communication style.