// Ransomware Negotiation Transcript
Hive Ransomware Negotiation — Redacted Organisation
// Context
About This Negotiation
This transcript documents a Hive ransomware negotiation with a redacted victim organisation. The negotiation consisted of 136 messages exchanged.
The initial ransom demand was $20.0M. The final outcome is not confirmed in the transcript.
// Primary Source
Full Transcript — Verbatim
Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.
Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
Hello and welcome to Hive.
How may I help you?
Hi, decryption key price?
how many files are stolen? and can you share some file names?
maybe no one's here
Hello
To decrypt your files you have to pay $20,000,000 in Bitcoin.
that's way too much, can you please discount
And please share the hash of the ransomware file so we can at least black list it. You have already stolen everything anyway
We don't provide any hashes. Every time the software is unique. There is no need for hashes here. It will not help anyway.
If you want a discount I would like to see for how much
let me talk to the management
share some file names?
I'll share with you later when my teammate will be online.
ok
when should I log back in?
I don't know. Maybe today
ok
please ask him/her to share the file names so I can have them when I login, it's not easy to use TOR here
Okay, I'll do my best
thanks
I have uploaded the list of exfiltrated files.
where?
I can't see them
is it like 100G?
It's at the left panel titled Uploaded files
I uploaded a list of files not the files themselves
yes got it, thanks
you can delete it now
Can you please share the hash of the ransomware. So we can just add it to the black list and ask the management for money. They are scared that the payload will come back. If you can't I understand but this will make the process easy
We are well-known organization. We honor our agreements. There is no point in the blacklist right now. You need to concentrate on how to collect money.
I have another option for you. You will give me your email address (protonmail is preferred) and I'll send you new credentials to login. Then I'll upload the encryptor to VirusTotal and provide you a link to it. All necessary hashes will be available there.
But to prevent others from logging in to your customer website you have to get new credentials first.
Here
[redacted]@protonmail.com
just like you wanted ... protonmail
please keep your word, I will login again in a bit or check my email
BTW, the site you guys made is beautiful. Better support than normal companies :)
Thank you
did you upload the file?
and why did you change my creds ... are you planning to hack me too ? :(((((
The encryptor hasn't been uploaded yet, looking for it rn.
What do you mean about creds? From what?
you changed the credentials to login to this site
It was necessary because if I upload the encryptor other researchers will be able to login and read your conversation.
It's a potential data leakage so I have prevented it
Thanks
would you share the link here or email?
Here is safe now
ok
why do you prefer protonmail?
is it on tor?
[REDACTED URL]
Thanks. I don't have a VirusTotal account but at least I got the hash. Really appreciate it
we have mcafee and symantec and nothing prevented this :(
Actually I didn't spend too much time to hide it but I will
What recovery company are you from?
not from company, directly the SOC team
I got it
working with the management to do something
they may hire someone in hope of recovery.
Unfortunately for them there are only two options:
1) start from scratch
2) purchase the decryption software from us
yes I have provided all the data
Recovery companies no matter what they say can't decrypt.
I understand but in the demo they show us how they can do the magic and impress the management
They told us that they will recover the keys from memory and then decrypt files? is that possible?
For ESXi servers it's not possible
why not? please educate me so I can understand and tell the management not to waste time. We have way too many vendors here
The encryptor software overwrites the key in memory.
what? :( ... like in simple words please?
The array of bytes in memory where the key resides is overwritten to prevent such an operation
Thats awesome. Is this for all servers or only esxi?
For all of course
so if we end up hiring a company that charges us $400 an hour, its pretty much useless?
BTW, the array of memory that you mentioned, these are the public keys or the private keys?
The encryptor doesn't even know anything about private keys. It only has public keys. The public keys are needed to encrypt the random field which is used in the encryption process.
In my opinion spending money to external IT companies will only waste your valuable time.
Thanks, appreciate it. Its clear to me now
Hey, how much data have you stolen 100Gig?
And the price you provided $20,000,000 is way too much
This is 20 million $?????
Yes, your company has $2B revenue. We usually rate 1% of revenue
:(
And the total you have stolen in GB?
I am guessing you used the VPN to get on the network. Did you steal the credentials after that? Symantec and McAfee didn't prevent stealing credentials?
We have 32 Gb total.
Almost all AntiViruses are useless against real hackers.
unfortunate but true
For some reason the IT guy told us that they can see certain portion of files and they could be decrypted.
I think you are only encrypting certain portion of files right? they can see the file content in bigger files
There is a spotted encryption mechanism. If you are talking about ESXi files then I don't think they can. Some text files - yes
I mean the big files are not fully encrypted. They are encrypted at the header and then footer I think ... but in the middle one can see the text.
It's true. First 4Kb, the last, and a few blocks in the middle
But this is not true for ESXi files? everything for them is encrypted?
also how efficient is your encryption process? are you faster than lockbit2.0?
we also got one file for lockbit but was protected that was few weeks ago
I didn't compare it with lockbit but my software is quite fast, especially ESXi
How is it going with decision making?
its slow, we provided all the data and making sure they understand the complexity
But for the esxi part, you don't use partial encryption? and everything is encrypted?
not just 4kb header etc
can you please explain 2 things to understand . Explain a bit more on how you re-write the keys in the memory and the efficiency of esxi encryption. That way I can explain to everyone as well, that no hope for recovery
most probably I will ask for a discount shortly
It's very simple. ESXi files, especially virtual drives, are very fragile. Even a few changes make them unreadable because they have a binary structure.
ESXi was encrypted using the spot method. 4 Kb at the beginning of the file, 4 Kb at the end of the file and along the file. In total 100 Kb of each file is encrypted. It's quite enough.
cool and the memory re-writing? as I understand you are not creating a new key for each file
The memory overwrite is my last question. So I can make sure the SOC team understands
When the encryptor starts it creates a random field which will be used in the encryption process. It is static. After the encryption process finishes it is overwritten to prevent the restoration process. RSA keys, private and public, are only used to encrypt/decrypt the random field. Only by knowing the field is it possible to decrypt files. The encryptor has only public RSA keys, the decryptor - private RSA keys.
by random fields u mean aes?
No, a truly cryptographic random field.
like PRNG or truly random numbers?
Of course not PRNG:)
:(
can you give me an example
so you have the original private key. The ransomware generates fields that will encrypt files? are these fields used as keys? for aes?
You are one smart guy
Actually I have already disclosed to you a lot of details which were never disclosed to anyone. I think it's enough to make a decision.
Thanks
AES is a cipher, I use a different one - some kind of Vernam's cipher. It's impossible to decrypt without knowing the keys.
that means only one key will be used for all files and then overwritten
so no way to get back
In the simplified version the key is used to encrypt all files. It is exported to the disk with a few RSA public keys applied. Then the encryption process follows. After that the key is overwritten to prevent recovery from memory.
The decryption software has the RSA private keys to initially decrypt the exported key.
Whats the BTC address or wallet?
I made an offer at the right panel
you came into the network via global protect. Are you still on the network?
No
you are very honest for a hacker
We are all honest who work at Hive
but they say you hacked hospitals like [redacted] etc
Yes, we attack every target, we have no limits here. It's not related to honesty
Got it
I think the time is up :(
Don't worry you have time. Tell me how is it going with upper management please
working on it, tough situation
Hi, how is it going?
good thanks
how r u
I'm good too. I just wanted to know which direction your company is inclined towards right now.
By the way, what about the recovery process from memory by the recovery company you told me about earlier?
They think the recovery is possible
also backup etc
Let's play with the price. I think both your management and our side want to resolve this as quick as possible
Whats the best price?
I am not sure if 333 is even remotely possible
They won't even consider 80 a possibility
I can offer you $3,000,000 in Bitcoin.
// Analysis
Analyst Observations
- This is an unusually long negotiation, suggesting extended back-and-forth and significant engagement from both parties.
- The initial demand of $20.0M places this in the upper tier of ransomware demands, typically reserved for large enterprises.
- Hive ransomware was infiltrated and disrupted by the FBI in January 2023 in a major law enforcement operation that provided decryption keys to victims.
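The operator's description of the "spot" encryption layout (the first 4 KB of a file, the last 4 KB, and a few 4 KB blocks along the file, with the rest left in plaintext) is exactly what the victim's IT staff noticed when they saw readable content in the middle of large files. The following is an added example, not Hive code and not part of the transcript: a block-entropy scanner that maps which 4 KB blocks of a file image look encrypted and carves out the plaintext that remains readable. The sample file image is constructed inline (random bytes stand in for ciphertext), and the 4 KB block size, the entropy ratio threshold and the spot positions are assumptions modelled on the operator's description.

```python
"""Entropy map of a partially ("spot") encrypted file image.

Constructed example, not Hive code: the sample layout follows the operator's
description in the transcript (4 KB at the start, 4 KB at the end, a few
4 KB blocks along the file). Block size, threshold and sample data are
assumptions.
"""
import math
import random

BLOCK = 4096            # 4 KB spots, as described in the transcript
RATIO_THRESHOLD = 0.9   # assumption: fraction of max entropy that flags a block


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~8.0 for ciphertext/random bytes, ~4-5 for text."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_encrypted(chunk: bytes, ratio: float = RATIO_THRESHOLD) -> bool:
    """Compare entropy with the maximum a chunk of this length can reach.

    Scaling by min(8, log2(len)) stops a short tail block from being
    misclassified as plaintext just because it cannot reach 8 bits/byte.
    Compressed or already-encrypted content (zip, jpeg, TLS captures) also
    scores high, so a hit means 'opaque', not proof of ransomware encryption.
    """
    if len(chunk) < 2:
        return False
    max_bits = min(8.0, math.log2(len(chunk)))
    return shannon_entropy(chunk) / max_bits >= ratio


def encrypted_regions(data: bytes, block: int = BLOCK):
    """Merge adjacent high-entropy blocks into (start, end) byte ranges."""
    regions = []
    for off in range(0, len(data), block):
        chunk = data[off:off + block]
        if not looks_encrypted(chunk):
            continue
        end = off + len(chunk)
        if regions and regions[-1][1] == off:
            regions[-1] = (regions[-1][0], end)   # extend a run of encrypted blocks
        else:
            regions.append((off, end))
    return regions


def carve_plaintext(data: bytes, block: int = BLOCK) -> bytes:
    """Bytes outside the flagged regions: what a responder can still read."""
    out, cursor = [], 0
    for start, end in encrypted_regions(data, block):
        out.append(data[cursor:start])
        cursor = end
    out.append(data[cursor:])
    return b"".join(out)


def build_spot_encrypted_sample(size: int = 1 << 20,
                                spots=(0, 64, 128, 192, 255), seed: int = 1) -> bytes:
    """Constructed sample: a text file image with 4 KB spots replaced by random bytes.

    Random bytes stand in for ciphertext; spot indices are block numbers. The
    default spots mirror the described layout: first block, last block and a
    few blocks along the file.
    """
    line = b"2023-01-01T00:00:00Z host=vm01 user=alice action=login src=10.0.0.5\n"
    image = bytearray((line * (size // len(line) + 1))[:size])
    rng = random.Random(seed)
    for idx in spots:
        off = idx * BLOCK
        image[off:off + BLOCK] = rng.randbytes(len(image[off:off + BLOCK]))
    return bytes(image)


if __name__ == "__main__":
    sample = build_spot_encrypted_sample()
    for start, end in encrypted_regions(sample):
        print(f"encrypted {start:>8}-{end:>8} ({end - start} bytes)")
    print("recoverable bytes:", len(carve_plaintext(sample)), "of", len(sample))
```

On a 1 MiB sample this reports five isolated 4 KB regions and leaves about 98% of the bytes readable, which matches what the victim observed for large text files. The operator's point about ESXi still stands: a VMDK whose header, footer and a few interior blocks are destroyed is unusable even though most of its bytes are intact, so carving helps with logs and documents, not with virtual disks.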