// Ransomware Negotiation Transcript
Hive Ransomware Negotiation — Redacted Organisation
// Context
About This Negotiation
This transcript documents a Hive ransomware negotiation with a redacted victim organisation. The negotiation consisted of 58 messages.
The initial ransom demand was $200,000. The final outcome is not confirmed in the transcript.
// Primary Source
Full Transcript — Verbatim
Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.
Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
Hello and welcome to Hive.
How may I help you?
Hello! Waiting for your decision, otherwise I will be forced to raise the price if ignored and put your information on my information auction.
Anyone still here?
hi
How may I help you?
What's your intention here?
We don't care about your company files, we don't care about that, we're only interested in profit. This is business. Are you ready to make a deal?
Decrypting your server and removing stolen confidential files from your servers costs you $200,000 in bitcoins.
Wow...$200,000 in bitcoins is serious money. No idea who you are or what data you're talking about.
After payment, you will receive:
1) Transcription software
2) Promise of non-disclosure
3) Access to storage of decrypted files
4) Security report
To convince you to pay, we can make calls to your customers to notify them of the incident.
Trust me, that's the last thing I need. Just trying to get details from you. Just feeling very targeted right now.
How do I know you have files?
If you are willing to cooperate, I will give you some files to confirm, but it does not matter, as it is silly to think that we have not downloaded anything when big money is being decided. You can read public news and our publications to be sure of our words [REDACTED URL]
lacveeam1.lac.[redacted].com
MDVTSQL1
lacsql2012.lac.[redacted].com
SQLCLUSTER02
lacwsus.lac.[redacted].com
CIFSFTPDATA
What files from these hosts are you interested in? Maybe you are interested in other hosts, tell me the name of the host
Which hosts did you take files from?
I don't know which hosts your data was downloaded from. We took only those files that were of interest and could be sold to third parties. Typically, customer data, databases, financial reports, corporate email archives and other classified and confidential data related to the company's activities (technological developments, blueprints, drug clinical trials, software codes, etc.) are downloaded.
Can you show us what the files of interest were?
We selected several random files from the downloaded repository and attached to the panel. You can watch it.
Can you decrypt these 2 files?
I have decrypted both files
Are these all the files you took from me?
Can you give me a list of all the files you have?
Are you here?
hi
We have uploaded a list of all your files that we have. You can see them in the panel.
Thanks, we'll take a look today. So basically if we don't pay, everything in this list gets onto your site?
Yes, the files will be revealed here on the site. We will also study them in more detail and post them on other forums. You should understand that this information can get to intruders.
Understood. We are uploading the files with the key file now.
ok
Both of these files contain sensitive info. I will not disclose them to you before payment. Choose other files or I can upload them to you truncated
We have hundreds of files like this that need to be unlocked. These two alone won't make a difference. We just want to make sure your tool works since there's little value in paying if we can't get these files fixed.
We are a well-known organization and our decryptor works. Otherwise you would be able to read about any issues with other companies which are hundreds.
We've seen it work on the first 2 files you fixed but we've heard that encryption can sometimes corrupt files too. The last thing we want to do is pay and not get our files back. We can't afford to pay a dime without knowing that your tool will get us back up and running. Sorry if this isn't a normal ask. We're just against a wall right now and this would really help.
Upload any other files and a corresponding key(s) without any important info in them.
We're just worried about this particular file type. That's the main issue.
I already decrypted these last two files you uploaded, but I can't send them to you due to sensitive info inside
So you will be able to do the same right after you purchase the decryption software
Not sure how we'll be able to pay without seeing it. I've read a lot online and people are always running into issues with decryption. This is going to be a risk no matter what, but we need certain assurances
If you can't send the files, can you send a screenshot?
We will answer you a little bit later.
I have uploaded shortened files
We'll review them. If they look good, then we can pay $100,000. That's a little more cash than what we actually have, but we'll take a step towards you to make this happen. Do we have an agreement?
The price is not a subject to discuss.
This isn't about a low ball. No idea how to get our hands on $200,000. What's something reasonable you'd consider?
The price of $ 200,000 was announced at the very beginning of the negotiations. After that, you continued negotiations, specifying all the necessary information for you. Thereby you agreed to the announced amount. You didn't just waste your time on this, did you? Your company looks like it can afford this amount and you know it. We did not overstate the cost, the price is optimal for you. I ask you to make a decision and make a payment as soon as possible. Then we will fulfill all the stated conditions immediately.
We were trying to see if this was a viable solution before discussing the financial side. It wouldn't make sense for us to go through with this if we weren't sure on what we were getting from you. We're a small business and we figured you wouldn't accept a small price. $100,000 is not a small price.
If we can move some money around and increase what we can send you to $150,000 will you accept? This is a lot of money for us, we're just a small business and we're trying to take a step in reaching a quick agreement with you.
I fully understand you. I understand what a difficult situation you are in. And for this reason, I will help you, I agree to $ 170,000. I will ask you to also help me and make the payment quickly.
Ok, it's late right now but I will bring this to my team first thing in the morning. Thank you
Is the wallet [redacted]? Also, what will we get from you if we pay $170,000?
After payment you will get:
1) The decryption software
2) Promise of non-disclosure
3) Access to exfiltrated files storage
4) Security report
Yes, our wallet [redacted]
Paid. Can we get the tool now?
Wait a little bit. We'll get to step 1 soon.
and steps 2-4?
3) Access to exfiltrated files storage
mega.nz login megashara@onionmail.org
Password [redacted]
4) Security report
[REDACTED URL]
checking this out
// Analysis
Analyst Observations
- Hive ransomware was infiltrated and disrupted by the FBI in January 2023 in a major law enforcement operation that provided decryption keys to victims.