// Context
About This Negotiation
This transcript documents a Hive ransomware negotiation with a redacted victim organisation.
The negotiation consisted of 58 messages exchanged over an unspecified period.
The initial ransom demand was $200,000. The final outcome is not confirmed in the transcript.
// Primary Source
Full Transcript — Verbatim
Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.
Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
[Hive] — 2 November 2021 17:52 — Message 1/58
Hello and welcome to Hive.
How may I help you?
[Hive] — 3 November 2021 13:40 — Message 2/58
Hello! Waiting for your decision, otherwise I will be forced to raise the price if ignored and put your information on my information auction.
[Victim] — 5 November 2021 16:30 — Message 3/58
Anyone still here?
[Hive] — 5 November 2021 16:50 — Message 4/58
hi
[Hive] — 5 November 2021 16:51 — Message 5/58
How may I help you?
[Victim] — 5 November 2021 17:57 — Message 6/58
What's your intention here?
[Hive] — 5 November 2021 18:20 — Message 7/58
We don't care about your company files, we don't care about that, we're only interested in profit. This is business. Are you ready to make a deal?
[Hive] — 5 November 2021 18:23 — Message 8/58
Decrypting your server and removing stolen confidential files from your servers costs you $200,000 in bitcoins.
[Victim] — 5 November 2021 18:25 — Message 9/58
Wow...$200,000 in bitcoins is serious money. No idea who you are or what data you're talking about.
[Hive] — 5 November 2021 18:29 — Message 10/58
After payment, you will receive:
1) Transcription software
2) Promise of non-disclosure
3) Access to storage of decrypted files
4) Security report
To convince you to pay, we can make calls to your customers to notify them of the incident.
[Victim] — 5 November 2021 18:37 — Message 11/58
Trust me, that's the last thing I need. Just trying to get details from you. Just feeling very targeted right now.
[Victim] — 5 November 2021 18:37 — Message 12/58
How do I know you have files?
[Hive] — 5 November 2021 19:06 — Message 13/58
If you are willing to cooperate, I will give you some files to confirm, but it does not matter, as it is silly to think that we have not downloaded anything when big money is being decided. You can read public news and our publications to be sure of our words [REDACTED URL]
[Hive] — 5 November 2021 19:11 — Message 14/58
lacveeam1.lac.[redacted].com
MDVTSQL1
lacsql2012.lac.[redacted].com
SQLCLUSTER02
lacwsus.lac.[redacted].com
CIFSFTPDATA
What files from these hosts are you interested in? Maybe you are interested in other hosts, tell me the name of the host
[Victim] — 5 November 2021 19:55 — Message 15/58
Which hosts did you take files from?
[Hive] — 6 November 2021 02:35 — Message 16/58
I don't know which hosts your data was downloaded from. We took only those files that were of interest and could be sold to third parties. Typically, customer data, databases, financial reports, corporate email archives and other classified and confidential data related to the company's activities (technological developments, blueprints, drug clinical trials, software codes, etc.) are downloaded.
[Victim] — 6 November 2021 03:13 — Message 17/58
Can you show us what the files of interest were?
[Hive] — 6 November 2021 11:02 — Message 18/58
We selected several random files from the downloaded repository and attached to the panel. You can watch it.
[Victim] — 6 November 2021 19:22 — Message 19/58
Can you decrypt these 2 files?
[Hive] — 6 November 2021 19:36 — Message 20/58
I have decrypted both files
[Victim] — 7 November 2021 00:13 — Message 21/58
Are these all the files you took from me?
[Victim] — 7 November 2021 01:31 — Message 22/58
Can you give me a list of all the files you have?
[Victim] — 7 November 2021 14:28 — Message 23/58
Are you here?
[Hive] — 7 November 2021 14:33 — Message 24/58
hi
[Hive] — 7 November 2021 14:59 — Message 25/58
We have uploaded a list of all your files that we have. You can see them in the panel.
[Victim] — 7 November 2021 15:55 — Message 26/58
Thanks, we'll take a look today. So basically if we don't pay, everything in this list gets onto your site?
[Hive] — 7 November 2021 16:06 — Message 27/58
Yes, the files will be revealed here on the site. We will also study them in more detail and post them on other forums. You should understand that this information can get to intruders.
[Victim] — 7 November 2021 20:56 — Message 28/58
Understood. We are uploading the files with the key file now.
[Hive] — 7 November 2021 20:59 — Message 29/58
ok
[Hive] — 7 November 2021 21:04 — Message 30/58
These both files contain sensitive info. I will not disclose them to you before payment. Choose another files or I can upload them to you truncated
[Victim] — 8 November 2021 14:23 — Message 31/58
We have hundreds of files like this that need to be unlocked. These two alone won't make a difference. We just want to make sure your tool works since there's little value in paying if we can't get these files fixed.
[Hive] — 8 November 2021 14:28 — Message 32/58
We are well-known organization and our decryptor works. Otherwise you would able to read about any issues with other companies which are hundreds.
[Victim] — 8 November 2021 15:22 — Message 33/58
We've seen it work on the first 2 files you fixed but we've heard that encryption can sometimes corrupt files too. The last thing we want to do is pay and not get our files back. We can't afford to pay a dime without knowing that your tool will get us back up and running. Sorry if this isn't a normal ask. We're just against a wall right now and this would really help.
[Hive] — 8 November 2021 16:08 — Message 34/58
Upload any other files and a corresponding key(s) without any important info in them.
[Victim] — 8 November 2021 16:44 — Message 35/58
We're just worried about this particular file type. That's the main issue.
[Hive] — 8 November 2021 18:00 — Message 36/58
I already decrypt these two last files you uploaded, but I can't send you them to you due to sensitive info inside
[Hive] — 8 November 2021 18:01 — Message 37/58
So you will be able to do the same right after you'll purchase the decryption software
[Victim] — 8 November 2021 18:37 — Message 38/58
Not sure how we'll be able to pay without seeing it. I've read a lot online and people are always running into issues with decryption. This is going to be a risk no matter what, but we need certain assurances
[Victim] — 8 November 2021 19:51 — Message 39/58
If you can't send the files, can you send a screenshot?
[Hive] — 8 November 2021 21:00 — Message 40/58
We will answer you a little bit later.
[Hive] — 8 November 2021 21:09 — Message 41/58
I have uploaded shorten files
[Victim] — 8 November 2021 21:18 — Message 42/58
We'll review them. If they look good, then we can pay $100,000. That's a little more cash than what we actually have, but we'll take a step towards you to make this happen. Do we have an agreement?
[Hive] — 8 November 2021 21:47 — Message 43/58
The price is not a subject to discuss.
[Victim] — 8 November 2021 21:51 — Message 44/58
This isn't about a low ball. No idea how to get our hands on $200,000. What's something reasonable you'd consider?
[Hive] — 8 November 2021 22:40 — Message 45/58
The price of $ 200,000 was announced at the very beginning of the negotiations. After that, you continued negotiations, specifying all the necessary information for you. thereby you agreed to the announced amount. You didn't just waste your time on this, did you? Your company look can afford this amount and you know it. We did not overstate the cost, the price is optimal for you. I ask you to make a decision and make a payment as soon as possible. Then we will fulfill all the stated conditions immediately.
[Victim] — 9 November 2021 00:23 — Message 46/58
We were trying to see if this was a viable solution before discussing the financial side. It wouldn't make sense for us to go through with this if we weren't sure on what we were getting from you. We're a small business and we figured you wouldn't accept a small price. $100,000 is not a small price.
[Victim] — 9 November 2021 05:26 — Message 47/58
If we can move some money around and increase what we can send you to $150,000 will you accept? This is a lot of money for us, we're just a small business and we're trying to take a step in reaching a quick agreement with you.
[Hive] — 9 November 2021 07:20 — Message 48/58
I fully understand you. I understand what a difficult situation you are in. And for this reason, I will help you, I agree to $ 170,000. I will ask you to also help me and make the payment quickly.
[Victim] — 9 November 2021 08:18 — Message 49/58
Ok, it's late right now but I will bring this to my team first thing in the morning. Thank you
[Victim] — 9 November 2021 15:23 — Message 50/58
Is the wallet [redacted]? Also, what will we get from you if we pay $170,000?
[Hive] — 9 November 2021 15:33 — Message 51/58
After payment you will get:
1) The decryption software
2) Promise of non-disclosure
3) Access to exfiltrated files storage
4) Security report
[Hive] — 9 November 2021 15:37 — Message 52/58
Yes, our wallet [redacted]
[Victim] — 9 November 2021 20:02 — Message 53/58
Paid. Can we get the tool now?
[Hive] — 9 November 2021 20:19 — Message 54/58
Wait a little bit. We'll get to step 1 soon.
[Victim] — 9 November 2021 21:24 — Message 55/58
and steps 2-4?
[Hive] — 9 November 2021 21:58 — Message 56/58
3) Access to exfiltrated files storage
mega.nz login megashara@onionmail.org
Password [redacted]
[Hive] — 9 November 2021 22:20 — Message 57/58
4) Security report
[REDACTED URL]
[Victim] — 10 November 2021 00:32 — Message 58/58
checking this out