Hive Ransomware Negotiation — Redacted Organisation

Messages: 136
Duration: about 23 days (13 November to 6 December 2021)
Initial demand: $20.0M
Outcome: Unknown

About This Negotiation

This transcript documents a Hive ransomware negotiation with a redacted victim organisation. The negotiation consisted of 136 messages exchanged between 13 November and 6 December 2021, roughly 23 days according to the message timestamps.

The initial ransom demand was $20,000,000 in Bitcoin, which the operator justified as about 1% of the victim's stated $2B annual revenue. The final outcome is not confirmed in the transcript; it ends with Hive's counter-offer of $3,000,000 in Bitcoin (message 136). Along the way the operator makes several technical claims that responders may find useful: 32 GB of data exfiltrated; intermittent ("spot") encryption of the first and last 4 KB plus blocks along each file, about 100 KB per file, applied to ESXi virtual disks as well as other files; a single random field used as the key for all files, exported under several RSA public keys and overwritten in memory once encryption finishes; and a VirusTotal link to the encryptor shared after the victim asked for a hash. The victim, who identifies as a member of the SOC team, states that initial access came through the organisation's GlobalProtect VPN.

Full Transcript — Verbatim

Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.

Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
[Hive] — 13 November 2021 13:53 — Message 1/136
Hello and welcome to Hive. How may I help you?
[Victim] — 13 November 2021 13:54 — Message 2/136
Hi, decryption key price?
[Victim] — 13 November 2021 13:58 — Message 3/136
how many files are stolen? and can you share some file names?
[Victim] — 13 November 2021 13:59 — Message 4/136
maybe no ones here
[Hive] — 13 November 2021 13:59 — Message 5/136
Hello
[Hive] — 13 November 2021 14:00 — Message 6/136
To decrypt your files you have to pay $20,000,000 in Bitcoin.
[Victim] — 13 November 2021 14:01 — Message 7/136
That's way too much, can you please discount? And please share the hash of the ransomware file so we can at least blacklist it. You have already stolen everything anyway.
[Hive] — 13 November 2021 14:03 — Message 8/136
We don't provide any hashes. The software is unique every time. There is no need for hashes here. It will not help anyway.
[Hive] — 13 November 2021 14:04 — Message 9/136
If you want a discount, I would like to see for how much.
[Victim] — 13 November 2021 14:04 — Message 10/136
let me talk to the management
[Victim] — 13 November 2021 14:05 — Message 11/136
share some file names?
[Hive] — 13 November 2021 14:05 — Message 12/136
I'll share it with you later when my teammate is online.
[Victim] — 13 November 2021 14:05 — Message 13/136
OK, when should I log back in?
[Hive] — 13 November 2021 14:06 — Message 14/136
I don't know. Maybe today
[Victim] — 13 November 2021 14:06 — Message 15/136
ok
[Victim] — 13 November 2021 14:07 — Message 16/136
Please ask him/her to share the file names so I can have them when I log in; it's not easy to use Tor here.
[Hive] — 13 November 2021 14:07 — Message 17/136
Okay, I'll do my best
[Victim] — 13 November 2021 14:08 — Message 18/136
thanks
[Hive] — 13 November 2021 16:16 — Message 19/136
I have uploaded the list of exfiltrated files.
[Victim] — 13 November 2021 18:10 — Message 20/136
Where? I can't see them.
[Victim] — 13 November 2021 18:14 — Message 21/136
Is it like 100G?
[Hive] — 13 November 2021 19:07 — Message 22/136
It's in the left panel titled Uploaded files.
[Hive] — 13 November 2021 19:27 — Message 23/136
I uploaded a list of files, not the files themselves.
[Victim] — 14 November 2021 04:38 — Message 24/136
Yes, got it, thanks.
[Victim] — 14 November 2021 04:38 — Message 25/136
you can delete it now
[Victim] — 14 November 2021 04:41 — Message 26/136
Can you please share the hash of the ransomware, so we can just add it to the blacklist and ask the management for money? They are scared that the payload will come back. If you can't, I understand, but this will make the process easy.
[Hive] — 14 November 2021 04:56 — Message 27/136
We are a well-known organization. We honor our agreements. There is no point in the blacklist right now. You need to concentrate on how to collect the money.
[Hive] — 14 November 2021 07:19 — Message 28/136
I have another option for you. You will give me your email address (Protonmail is preferred) and I'll send you new credentials to log in. Then I'll upload the encryptor to VirusTotal and provide you a link to it. All necessary hashes will be available there. But to prevent others from logging in to your customer website, you have to get new credentials first.
[Victim] — 14 November 2021 08:58 — Message 29/136
Here [redacted]@protonmail.com
[Victim] — 14 November 2021 08:58 — Message 30/136
just like you wanted ... protonmail
[Victim] — 14 November 2021 08:59 — Message 31/136
Please keep your word, I will log in again in a bit or check my email.
[Victim] — 14 November 2021 09:38 — Message 32/136
BTW, the site you guys made is beautiful. Better support than normal companies :)
[Hive] — 14 November 2021 09:38 — Message 33/136
Thank you
[Victim] — 14 November 2021 09:40 — Message 34/136
Did you upload the file?
[Victim] — 14 November 2021 09:40 — Message 35/136
And why did you change my creds ... are you planning to hack me too? :(((((
[Hive] — 14 November 2021 09:41 — Message 36/136
The encryptor isn't uploaded yet, looking for it rn.
[Hive] — 14 November 2021 09:42 — Message 37/136
What do you mean about creds? From what?
[Victim] — 14 November 2021 09:43 — Message 38/136
You changed the credentials to log in to this site.
[Hive] — 14 November 2021 09:45 — Message 39/136
It was necessary because if I upload the encryptor, other researchers will be able to log in and read your conversation.
[Hive] — 14 November 2021 09:45 — Message 40/136
It's a potential data leakage so I have prevented it
[Victim] — 14 November 2021 09:46 — Message 41/136
Thanks
[Victim] — 14 November 2021 09:50 — Message 42/136
Would you share the link here or by email?
[Hive] — 14 November 2021 09:50 — Message 43/136
Here is safe now
[Victim] — 14 November 2021 09:51 — Message 44/136
ok
[Victim] — 14 November 2021 09:56 — Message 45/136
Why do you prefer Protonmail?
[Victim] — 14 November 2021 09:56 — Message 46/136
Is it on Tor?
[Hive] — 14 November 2021 09:57 — Message 47/136
[REDACTED URL]
[Victim] — 14 November 2021 09:58 — Message 48/136
Thanks. I don't have a VirusTotal account but at least I got the hash. Really appreciate it.
[Victim] — 14 November 2021 10:01 — Message 49/136
We have McAfee and Symantec and nothing prevented this :(
[Hive] — 14 November 2021 10:02 — Message 50/136
Actually I didn't spend too much time hiding it, but I will.
[Hive] — 14 November 2021 10:02 — Message 51/136
What recovery company are you from?
[Victim] — 14 November 2021 10:03 — Message 52/136
Not from a company, directly the SOC team.
[Hive] — 14 November 2021 10:04 — Message 53/136
I got it
[Victim] — 14 November 2021 10:04 — Message 54/136
Working with the management to do something.
[Victim] — 14 November 2021 10:05 — Message 55/136
They may hire someone in the hope of recovery.
[Hive] — 14 November 2021 10:06 — Message 56/136
Unfortunately for them there are only two options: 1) start from scratch, 2) purchase the decryption software from us.
[Victim] — 14 November 2021 10:07 — Message 57/136
Yes, I have provided all the data.
[Hive] — 14 November 2021 10:08 — Message 58/136
Recovery companies no matter what they say can't decrypt.
[Victim] — 14 November 2021 10:08 — Message 59/136
I understand, but in the demo they show us how they can do the magic and impress the management.
[Victim] — 14 November 2021 10:09 — Message 60/136
They told us that they will recover the keys from memory and then decrypt the files? Is that possible?
[Hive] — 14 November 2021 10:09 — Message 61/136
For ESXi servers it's not possible
[Victim] — 14 November 2021 10:11 — Message 62/136
Why not? Please educate me so I can understand and tell the management not to waste time. We have way too many vendors here.
[Hive] — 14 November 2021 10:12 — Message 63/136
The encryptor software rewrites the key from memory.
[Victim] — 14 November 2021 10:13 — Message 64/136
What? :( ... like in simple words please?
[Hive] — 14 November 2021 10:13 — Message 65/136
The array of bytes in memory where the key resides is rewritten to prevent such an operation.
[Victim] — 14 November 2021 17:39 — Message 66/136
That's awesome. Is this for all servers or only ESXi?
[Hive] — 14 November 2021 17:50 — Message 67/136
For all of course
[Victim] — 14 November 2021 17:53 — Message 68/136
So if we end up hiring a company that charges us $400 an hour, it's pretty much useless?
[Victim] — 14 November 2021 17:54 — Message 69/136
BTW, the array in memory that you mentioned, are these the public keys or the private keys?
[Hive] — 14 November 2021 17:57 — Message 70/136
The encryptor doesn't even know anything about private keys. It only has public keys. The public keys are needed to encrypt the random field which is used in the encryption process.
[Hive] — 14 November 2021 17:59 — Message 71/136
In my opinion spending money to external IT companies will only waste your valuable time.
[Victim] — 14 November 2021 18:00 — Message 72/136
Thanks, appreciate it. It's clear to me now.
[Victim] — 16 November 2021 06:24 — Message 73/136
Hey, how much data have you stolen? 100 gig?
[Victim] — 16 November 2021 06:25 — Message 74/136
And the price you provided, $20,000,000, is way too much.
[Victim] — 16 November 2021 06:25 — Message 75/136
This is 20 million $?????
[Hive] — 16 November 2021 06:29 — Message 76/136
Yes, your company has $2B revenue. We usually rate 1% of revenue
[Victim] — 16 November 2021 06:34 — Message 77/136
:( And the total you have stolen in GB?
[Victim] — 16 November 2021 06:36 — Message 78/136
I am guessing you used the VPN to get on the network. Did you steal the credentials after that? Symantec and McAfee didn't prevent stealing credentials?
[Hive] — 16 November 2021 07:40 — Message 79/136
We have 32 GB total. Almost all antiviruses are useless against real hackers.
[Victim] — 17 November 2021 05:16 — Message 80/136
Unfortunate but true.
[Victim] — 17 November 2021 05:17 — Message 81/136
For some reason the IT guy told us that they can see a certain portion of the files and they could be decrypted.
[Victim] — 17 November 2021 05:17 — Message 82/136
I think you are only encrypting a certain portion of the files, right? They can see the file content in bigger files.
[Hive] — 17 November 2021 05:31 — Message 83/136
There is a spot encryption mechanism. If you are talking about ESXi files then I don't think they can. Some text files, yes.
[Victim] — 17 November 2021 05:35 — Message 84/136
I mean the big files are not fully encrypted. They are encrypted at the header and then the footer I think ... but in the middle one can see the text.
[Hive] — 17 November 2021 07:33 — Message 85/136
It's true. The first 4 KB, the last, and a few blocks in the middle.
[Victim] — 17 November 2021 08:34 — Message 86/136
But this is not true for ESXi files? Everything for them is encrypted?
[Victim] — 17 November 2021 08:36 — Message 87/136
Also, how efficient is your encryption process? Are you faster than LockBit 2.0?
[Victim] — 17 November 2021 08:37 — Message 88/136
We also got one file for LockBit but it was protected; that was a few weeks ago.
[Hive] — 17 November 2021 09:36 — Message 89/136
I didn't compare it with LockBit, but my software is quite fast, especially on ESXi.
[Hive] — 17 November 2021 09:38 — Message 90/136
How is it going with decision making?
[Victim] — 17 November 2021 09:43 — Message 91/136
It's slow; we provided all the data and are making sure they understand the complexity.
[Victim] — 17 November 2021 09:44 — Message 92/136
But for the ESXi part, you don't use partial encryption? And everything is encrypted?
[Victim] — 17 November 2021 09:44 — Message 93/136
Not just the 4 KB header etc.
[Victim] — 17 November 2021 10:04 — Message 94/136
Can you please explain 2 things so I understand? Explain a bit more on how you rewrite the keys in memory and the efficiency of the ESXi encryption. That way I can explain to everyone as well that there is no hope for recovery.
[Victim] — 17 November 2021 10:05 — Message 95/136
Most probably I will ask for a discount shortly.
[Hive] — 17 November 2021 10:52 — Message 96/136
It's very simple. ESXi files, especially virtual drives, are very fragile. Even a few changes make them unreadable because they have a binary structure. ESXi was encrypted using the spot method: 4 KB at the beginning of the file, 4 KB at the end of the file, and along the file. In total 100 KB of each file is encrypted. It's quite enough.
[Victim] — 17 November 2021 10:53 — Message 97/136
Cool, and the memory rewriting? As I understand, you are not creating a new key for each file.
[Victim] — 17 November 2021 11:02 — Message 98/136
The memory overwrite is my last question, so I can make sure the SOC team understands.
[Hive] — 17 November 2021 11:11 — Message 99/136
When the encryptor starts it creates a random field which will be used in the encryption process. It is static. After the encryption process finishes it is rewritten to prevent a restoration process. The RSA keys, private and public, are only used to encrypt/decrypt the random field. Only by knowing the field is it possible to decrypt files. The encryptor has only public RSA keys, the decryptor the private RSA keys.
[Victim] — 17 November 2021 11:13 — Message 100/136
By random field you mean AES?
[Hive] — 17 November 2021 11:13 — Message 101/136
No, a truly cryptographic random field.
[Victim] — 17 November 2021 11:15 — Message 102/136
Like PRNG or truly random numbers?
[Hive] — 17 November 2021 11:15 — Message 103/136
Of course not PRNG:)
[Victim] — 17 November 2021 11:15 — Message 104/136
:(
[Victim] — 17 November 2021 11:15 — Message 105/136
Can you give me an example?
[Victim] — 17 November 2021 11:16 — Message 106/136
So you have the original private key. The ransomware generates fields that will encrypt files? Are these fields used as keys? For AES?
[Victim] — 17 November 2021 11:17 — Message 107/136
You are one smart guy
[Hive] — 17 November 2021 11:17 — Message 108/136
Actually I have already disclosed to you a lot of details which were never disclosed to anyone. I think it's enough to make a decision.
[Victim] — 17 November 2021 11:18 — Message 109/136
Thanks
[Hive] — 17 November 2021 11:18 — Message 110/136
AES is a cipher, I use a different one, some kind of Vernam's cipher. It's impossible to decrypt without knowing the keys.
[Victim] — 17 November 2021 11:27 — Message 111/136
That means only one key will be used for all files and then rewritten.
[Victim] — 17 November 2021 11:27 — Message 112/136
So no way to get back.
[Hive] — 17 November 2021 11:31 — Message 113/136
In a simplified version: the key is used to encrypt all files. It is exported to the disk with a few RSA public keys applied. Then the encryption process follows. After that the key is rewritten to prevent recovery from memory. The decryption software has the RSA private keys to first decrypt the exported key.
[Victim] — 17 November 2021 11:40 — Message 114/136
What's the BTC address or wallet?
[Hive] — 17 November 2021 11:51 — Message 115/136
I made an offer in the right panel.
[Victim] — 17 November 2021 11:54 — Message 116/136
You came into the network via GlobalProtect. Are you still on the network?
[Hive] — 17 November 2021 11:55 — Message 117/136
No
[Victim] — 17 November 2021 11:55 — Message 118/136
You are very honest for a hacker.
[Hive] — 17 November 2021 11:56 — Message 119/136
We are all honest, those who work at Hive.
[Victim] — 17 November 2021 11:57 — Message 120/136
But they say you hacked hospitals like [redacted] etc.
[Hive] — 17 November 2021 11:58 — Message 121/136
Yes, we attack all targets, we have no limits here. It's not related to honesty.
[Victim] — 17 November 2021 11:59 — Message 122/136
Got it
[Victim] — 20 November 2021 18:07 — Message 123/136
I think the time is up :(
[Hive] — 20 November 2021 19:58 — Message 124/136
Don't worry you have time. Tell me how is it going with upper management please
[Victim] — 24 November 2021 04:57 — Message 125/136
Working on it, tough situation.
[Hive] — 29 November 2021 07:02 — Message 126/136
Hi, how is it going?
[Victim] — 3 December 2021 15:53 — Message 127/136
good thanks
[Victim] — 3 December 2021 15:56 — Message 128/136
How are you?
[Hive] — 3 December 2021 16:17 — Message 129/136
I'm good too. I just wanted to know in what direction your company is inclined right now. By the way, what about the recovery process from memory by the recovery company you told me about earlier?
[Victim] — 5 December 2021 05:26 — Message 130/136
They think the recovery is possible
[Victim] — 5 December 2021 05:26 — Message 131/136
Also backup etc.
[Hive] — 5 December 2021 06:06 — Message 132/136
Let's play with the price. I think both your management and our side want to resolve this as quick as possible
[Victim] — 6 December 2021 08:57 — Message 133/136
What's the best price?
[Victim] — 6 December 2021 08:58 — Message 134/136
I am not sure if 333 is even remotely possible
[Victim] — 6 December 2021 08:58 — Message 135/136
They won't even consider 80 a possibility
[Hive] — 6 December 2021 11:01 — Message 136/136
I can offer you $3,000,000 in Bitcoin.

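The scheme the operator lays out in messages 85, 96, 99 and 113 (4 KB at the head and tail plus blocks along the file for about 100 KB per file; one random field used as the key for every file, applied Vernam-style, exported under RSA public keys and overwritten in memory afterwards) can be modelled in a few lines. The block below is an added example written for this page; it is not Hive's code and not part of the Ransomchats archive. The 4 KB middle-block size, the even spacing of the middle blocks, and the use of plain XOR as the "Vernam-like" cipher are assumptions, and the RSA wrapping of the field is left out. The names `BLOCK`, `spot_ranges`, `encrypted_fraction`, `random_field`, `spot_xor` and `wipe` belong to this example only.

```python
"""Illustrative model of the spot ("intermittent") encryption and key handling
the Hive operator describes in messages 85, 96, 99 and 113. Constructed
example for the page, not Hive's code: the 4 KB head/tail and the 100 KB
per-file budget come from the transcript; the 4 KB middle-block size, the
even spacing, and the XOR keystream are assumptions."""
import os

HEAD = 4 * 1024        # "First 4Kb" (message 85)
TAIL = 4 * 1024        # "the last" 4 KB (messages 85, 96)
BLOCK = 4 * 1024       # assumed size of each block "along the file"
BUDGET = 100 * 1024    # "Totally 100 Kb over the each file" (message 96)


def spot_ranges(size, head=HEAD, tail=TAIL, block=BLOCK, budget=BUDGET):
    """Byte ranges [start, end) the encryptor touches in a file of `size`
    bytes. Files no larger than head+tail are encrypted whole; larger files
    get the head, evenly spread middle blocks until the budget is spent,
    and the tail."""
    if size <= head + tail:
        return [(0, size)]
    middle = size - head - tail
    n_mid = min((budget - head - tail) // block, middle // block)
    ranges = [(0, head)]
    if n_mid > 0:
        stride = middle // n_mid      # stride >= block, so blocks never overlap
        for i in range(n_mid):
            start = head + i * stride
            ranges.append((start, start + block))
    ranges.append((size - tail, size))
    return ranges


def encrypted_fraction(size):
    """Share of the file that is actually ciphertext; the rest stays readable,
    which is what the victim's IT staff noticed (messages 81 to 84)."""
    return sum(e - s for s, e in spot_ranges(size)) / size


def random_field(length=BUDGET):
    """The 'random field' of message 99, drawn from the OS CSPRNG rather than
    a PRNG (message 103). Returned as a bytearray so it can be wiped in
    place; an immutable bytes copy elsewhere in memory could not be."""
    return bytearray(os.urandom(length))


def spot_xor(data, field, ranges):
    """Vernam-style XOR of `field` over only the selected ranges. XOR is its
    own inverse, so the same call with the same field decrypts. Assumption:
    the field is consumed sequentially across one file's encrypted ranges."""
    if sum(e - s for s, e in ranges) > len(field):
        raise ValueError("random field shorter than the per-file budget")
    out = bytearray(data)
    pos = 0
    for start, end in ranges:
        n = end - start
        out[start:end] = bytes(a ^ b for a, b in zip(out[start:end], field[pos:pos + n]))
        pos += n
    return bytes(out)


def wipe(field):
    """Overwrite the key material in place after use (messages 65 and 113),
    so that a memory dump taken afterwards yields only zeros."""
    field[:] = bytes(len(field))
    return field


if __name__ == "__main__":
    size = 1024 * 1024                      # constructed 1 MiB sample file
    plain = (b"2021-11-13 13:53 app=web status=200\n" * (size // 36 + 1))[:size]
    ranges = spot_ranges(size)
    field = random_field()
    cipher = spot_xor(plain, field, ranges)
    print(f"{len(ranges)} ranges, {encrypted_fraction(size):.2%} of the file encrypted")
    assert spot_xor(cipher, field, ranges) == plain   # key still in memory: recoverable
    wipe(field)
    assert spot_xor(cipher, field, ranges) == cipher  # key gone: XOR with zeros changes nothing
```

Run on a 1 MiB sample this touches 25 ranges and under 10% of the bytes, and the share shrinks further for a multi-GB virtual disk; that is consistent with the victim's IT staff reading text in the middle of large files, and equally with the operator's point that a VMDK whose first 4 KB are destroyed is unusable. The `wipe` step is why the "recover the key from memory" pitch only works while the encryptor is still running and before the overwrite; a dump taken afterwards contains zeros where the field was. One caveat the transcript does not settle: if the same field really were XORed at the same positions in every file, a single file with known plaintext would yield the keystream for the others. The operator's description is too vague to conclude that, so the example models the scheme without claiming such a weakness.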