// Context
About This Negotiation
This transcript documents a Hive ransomware negotiation with a redacted victim organisation.
The negotiation consisted of 70 messages exchanged over Unknown.
The initial ransom demand was $500,000. The final outcome is not confirmed in the transcript.
// Primary Source
Full Transcript — Verbatim
Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.
Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at
enquiries@binary-response.com — we will act promptly.
[Hive] — 4 October 05:53 — Message 1/70
Hello and welcome to Hive.
How may I help you?
[Victim] — 6 October 22:30 — Message 2/70
i saw a text file and it had login info to come here.
[Hive] — 6 October 22:33 — Message 3/70
To decrypt your files you will need to pay $500,000.
[Hive] — 6 October 22:33 — Message 4/70
The price is not a subject to discuss.
[Victim] — 6 October 22:40 — Message 5/70
i think theres a mix up or something. i am apr supply like it says here, but weve never had that much revenue. could there be a mixup? $500,000 would be impossible for me to pay
[Victim] — 7 October 14:03 — Message 6/70
is anyone here?
[Hive] — 7 October 20:11 — Message 7/70
The price isn't negotiable.
[Victim] — 7 October 22:05 — Message 8/70
What happens if I can't pay?
[Hive] — 7 October 22:25 — Message 9/70
Nothing. You will not be able to decrypt. Your exfiltrated files will be disclosed. We will make calls to your partners and customers to notify them about the incident.
[Victim] — 7 October 23:02 — Message 10/70
does exfiltrated files mean you took files from me?
[Hive] — 7 October 23:03 — Message 11/70
yes, not so much, but it will be enough to confirm the incedent
[Victim] — 7 October 23:05 — Message 12/70
what files did you take?
[Victim] — 8 October 20:05 — Message 13/70
can you show me what files you have?
[Victim] — 9 October 00:03 — Message 14/70
how can i know you can fix my files?
[Victim] — 9 October 00:03 — Message 15/70
did you take any files?
[Victim] — 9 October 00:03 — Message 16/70
is anyone here
[Hive] — 9 October 00:29 — Message 17/70
You are able to upload encrypted files and a key file locates at C:\*.key.*
Encrypted files must not contain important info in it.
[Victim] — 9 October 00:30 — Message 18/70
k Ill upload them
[Victim] — 9 October 00:33 — Message 19/70
there
[Victim] — 9 October 00:46 — Message 20/70
can u open these
[Hive] — 9 October 12:23 — Message 21/70
I have uploaded decrypted file
[Victim] — 9 October 15:45 — Message 22/70
ok that file worked
[Victim] — 9 October 15:45 — Message 23/70
how do i know which files you took from me?
[Hive] — 9 October 15:47 — Message 24/70
You will get an access to your exfiltrated files storage
[Victim] — 9 October 16:46 — Message 25/70
can you prove that you took any files?
[Hive] — 9 October 17:41 — Message 26/70
Yes, we will do that in few hours.
[Hive] — 9 October 19:25 — Message 27/70
Done, you can check it.
[Victim] — 9 October 20:41 — Message 28/70
this is a list of files from my computer. are you saying you have these? how can i know this for sure?
[Hive] — 9 October 20:42 — Message 29/70
Select any without important info in it and we will upload it for you
[Victim] — 9 October 22:53 — Message 30/70
2021 show discounts.xlsx
[redacted] VENDOR NOTES.docx
[redacted] customer sales April – June 2019.xlsx
[Hive] — 9 October 22:53 — Message 31/70
Okay, few min
[Victim] — 9 October 22:59 — Message 32/70
thanks
[Hive] — 9 October 23:07 — Message 33/70
Done
[Victim] — 9 October 23:34 — Message 34/70
thanks
[Hive] — 15 October 15:00 — Message 35/70
Hello, the timer is almost gone.
We will publish your data soon.
[Victim] — 15 October 15:57 — Message 36/70
alright. im gathering up all my funds and will let you know how much i can pay
[Victim] — 15 October 17:02 — Message 37/70
i can pay you $84,600.
[Victim] — 15 October 17:02 — Message 38/70
i dont need a program to fix my files, but id like to keep my files from being published on the net if possible
[Hive] — 15 October 17:53 — Message 39/70
To convince you to pay we can make calls to your partners and customers to notify them about the incident.
[Victim] — 15 October 18:21 — Message 40/70
i can pay. i said i have 84,600
[Hive] — 15 October 18:24 — Message 41/70
The price is $500,000.
[Victim] — 15 October 18:47 — Message 42/70
ill need time to find more money.
[Hive] — 15 October 18:48 — Message 43/70
I'll wait
[Victim] — 15 October 18:50 — Message 44/70
okay. if my files or name is posted before i pay, i wont pay. i don't know what this timer is counting down to
[Hive] — 15 October 18:52 — Message 45/70
I have extended it
[Victim] — 15 October 19:01 — Message 46/70
thanks
[Hive] — 20 October 23:00 — Message 47/70
You have to make a decision.
[Victim] — 21 October 02:20 — Message 48/70
okay. i got a SBA 7(a) loan and put up all my assets as collateral so i can pay you. it hasn't funded yet, but should in the morning. when it does, i'll have a total of $112,838 that i can pay you. i know the price if $500k, but i just dont have that much money.
[Victim] — 21 October 02:22 — Message 49/70
if this is enough, please explain how i get the money to you. thanks
[Victim] — 21 October 16:24 — Message 50/70
hello? is $112,838 enough? if so, how do i pay?
[Hive] — 21 October 16:43 — Message 51/70
To decrypt your files and to prevent them to be disclosed you will need to pay $500,000.
[Hive] — 21 October 16:43 — Message 52/70
The price is not a subject to discuss.
[Victim] — 21 October 16:50 — Message 53/70
im trying to get as much money as possible and as fast as possible. im going to need more time. ill keep working on this through the weekend and see how much more i can get. i wont be able to find over 300k and pay in an hour
[Victim] — 21 October 17:01 — Message 54/70
thanks. the timer expires on Sunday. Even i can find all the money by then, i won't be able to pay until monday. it would be helpful to not have to worry about the timer until tuesday to give me time to figure out the bitcoin
[Hive] — 21 October 17:07 — Message 55/70
Okay
[Victim] — 21 October 17:18 — Message 56/70
thank you
[Hive] — 21 October 16:51 — Message 57/70
Okay, I'll give you time
[Hive] — 29 October 02:06 — Message 58/70
Hello?
[Victim] — 29 October 02:08 — Message 59/70
Hi! I'm here. I was able to get more money. Waiting for confirmation of the amount. I'll let ya know asap
[Hive] — 29 October 02:09 — Message 60/70
Okay.
[Victim] — 29 October 15:11 — Message 61/70
hi. i have confirmation from my team that we have $275,800 available. i contacted a couple of bitcoin sellers so should be able to figure that part out as well. is this enough that we could pay?
[Hive] — 29 October 18:56 — Message 62/70
Okay, I agree
[Hive] — 30 October 02:57 — Message 63/70
At the time of transfer, the amount have to be equal $275,800 in BTC.
[Victim] — 30 October 03:28 — Message 64/70
I will transfer the funds to bitcoin company on monday.
[Victim] — 30 October 03:34 Read — Message 65/70
The timer will run out before then, but I'm guessing that it shouldn't be a problem. Thank you for your help
[Hive] — 30 October 03:51 — Message 66/70
Okay.
[Hive] — 2 November 17:05 — Message 67/70
What is ETA on the payment?
[Victim] — 2 November 17:16 — Message 68/70
Hi there! My bank is scrutinizing the wire transfer from me to coinbase. They are asking a lot of questions because they say these types of transfers are related to fraud. I'm telling them that I'm investing in bitcoin, so it should be okay. I'll let you know.
[Hive] — 2 November 17:18 — Message 69/70
Okay.
[Hive] — 12 November 22:31 — Message 70/70
It's time to pay