// Context
About This Negotiation
This transcript documents a Mallox ransomware negotiation with a redacted victim organisation.
The negotiation consisted of 62 messages exchanged over an unknown period.
The initial ransom demand was $20,000. The negotiation resulted in a confirmed payment.
// Primary Source
Full Transcript — Verbatim
Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.
Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
[Victim] — [27/04/2023 09:09] — Message 1/62
hello?
[Victim] — [27/04/2023 09:14] — Message 2/62
Sent the file
[Victim] — [27/04/2023 09:23] — Message 3/62
Brother, please give me a discount
[Mallox] — [27/04/2023 12:26] — Message 4/62
To send funds, use the BTC address specified below: [redacted]. Do not send more than 1 payment to this BTC address
[Mallox] — [27/04/2023 12:26] — Message 5/62
Discount 20%. Discount expiration date: 2023-05-03
[Victim] — [27/04/2023 12:41] — Message 6/62
We are a small enterprise and we cannot afford to spend so much money. Is 5000 USD okay
[Mallox] — [27/04/2023 12:44] — Message 7/62
To recover your files you need a decryption tool. We are ready to sell it to you at the price indicated on this page
[Victim] — [27/04/2023 12:48] — Message 8/62
If I were to make money now, how long would I be able to give me the tools
[Mallox] — [27/04/2023 12:51] — Message 9/62
Then we will complete the deal today.
[Victim] — [27/04/2023 12:52] — Message 10/62
Can you decrypt the test file so that we can take a look?
[Mallox] — [27/04/2023 12:56] — Message 11/62
We can make test decrypt for free for not valuable files (xls, doc, bat, txt, jpeg, png, pdf, exe or etc). If you need a test then upload your file on any file host and send me download link. File hosts: sendspace.com / dropmefiles.com / google.com/drive / file.io / wetransfer.com
[Victim] — [27/04/2023 12:57] — Message 12/62
[REDACTED URL]
[Victim] — [27/04/2023 12:57] — Message 13/62
this link
[Mallox] — [27/04/2023 13:07] — Message 14/62
wait
[Victim] — [27/04/2023 13:08] — Message 15/62
Okay, please hurry up
[Victim] — [27/04/2023 13:29] — Message 16/62
We plan to make payment after seeing the decrypted test files. Could you please hurry up? Thank you
[Mallox] — [27/04/2023 13:52] — Message 17/62
wait
[Victim] — [27/04/2023 14:38] — Message 18/62
Could you please hurry up
[Mallox] — [27/04/2023 14:48] — Message 19/62
The technician went out, wait
[Victim] — [27/04/2023 14:49] — Message 20/62
Can we complete the transaction tonight? We have been waiting on our end, please make sure to complete the transaction tonight
[Mallox] — [27/04/2023 14:53] — Message 21/62
yes
[Victim] — [27/04/2023 16:29] — Message 22/62
Hello, has the technology returned? We have been waiting
[Mallox] — [27/04/2023 16:35] — Message 23/62
Wait patiently, don't worry, I will tell you after the production is completed
[Victim] — [27/04/2023 16:36] — Message 24/62
How long will it take
[Victim] — [27/04/2023 17:04] — Message 25/62
We've been waiting all night tonight, please feel free to contact me anytime
[Mallox] — [27/04/2023 17:39] — Message 26/62
I know
[Mallox] — [27/04/2023 18:21] — Message 27/62
Sent the file
[Mallox] — [27/04/2023 18:22] — Message 28/62
which amount you are going to pay?
[Victim] — [27/04/2023 18:25] — Message 29/62
Didn't you say 20000U?
[Mallox] — [27/04/2023 18:25] — Message 30/62
current price for decryption tool after discount is 20000 USD
[Mallox] — [27/04/2023 18:25] — Message 31/62
that's right
[Mallox] — [27/04/2023 18:25] — Message 32/62
just to figure out
[Victim] — [27/04/2023 18:26] — Message 33/62
We are confirming the correctness of the document and will make payment immediately after confirmation. Please stay online and wait for me
[Mallox] — [27/04/2023 18:27] — Message 34/62
ok
[Victim] — [27/04/2023 18:42] — Message 35/62
The customer cannot confirm that it is their own file. Can we decrypt a test file again?
[Victim] — [27/04/2023 18:44] — Message 36/62
[REDACTED URL]
[Mallox] — [27/04/2023 18:46] — Message 37/62
Sent the file
[Victim] — [27/04/2023 18:49] — Message 38/62
wait a moment
[Victim] — [27/04/2023 19:07] — Message 39/62
Confirm the transfer address, BTC quantity, and we are ready to make payment
[Mallox] — [27/04/2023 19:12] — Message 40/62
$20000 / 0.6874617 btc
[Mallox] — [27/04/2023 19:12] — Message 41/62
btc address [quotes BOT]
[Victim] — [27/04/2023 19:12] — Message 42/62
Is this address? [quotes BOT]
[Victim] — [27/04/2023 19:13] — Message 43/62
Ok
wait
[Victim] — [27/04/2023 19:18] — Message 44/62
Enclosed please find!
[Mallox] — [27/04/2023 19:18] — Message 45/62
yes
[Victim] — [27/04/2023 19:19] — Message 46/62
Payment has been made. Please check the records on your end. Thank you
[Victim] — [27/04/2023 19:22] — Message 47/62
How long can I receive the decryption tool
[Mallox] — [27/04/2023 19:40] — Message 48/62
in 30 minutes after payment
[Mallox] — [27/04/2023 19:40] — Message 49/62
we are waiting bitcoin network confirmations
[Mallox] — [27/04/2023 19:41] — Message 50/62
when payment will be credited to the account decryptor will be sent
[Victim] — [27/04/2023 19:46] — Message 51/62
Okay, I've been waiting
[Mallox] — [27/04/2023 19:48] — Message 52/62
Received $19987
[Victim] — [27/04/2023 19:49] — Message 53/62
hi
[Mallox] — [27/04/2023 19:52] — Message 54/62
Sent the decryptor. To unpack use the password: 123
[Victim] — [29/04/2023 13:09] — Message 55/62
Hello, there are two file decryptors that cannot recognize it. Can you help restore it?
[Victim] — [29/04/2023 13:09] — Message 56/62
These two files are very important to me
[Victim] — [29/04/2023 13:12] — Message 57/62
[REDACTED URL]
[Mallox] — [29/04/2023 13:21] — Message 58/62
Yes, wait a little
[Victim] — [29/04/2023 18:23] — Message 59/62
Are you there?
[Mallox] — [29/04/2023 18:51] — Message 60/62
yes
[Mallox] — [29/04/2023 20:46] — Message 61/62
Hello
[Mallox] — [29/04/2023 20:46] — Message 62/62
I'm sorry, unfortunately these two files were not fully encrypted. They are missing critical recovery information, so I can't decrypt them.