// Ransomware Negotiation Transcript
Qilin Ransomware Negotiation — 20250203 From @Rakeshkrish12
// Context
About This Negotiation
This transcript documents a Qilin ransomware negotiation labelled "20250203 From @Rakeshkrish12". The negotiation consisted of 36 messages exchanged over 23 days, beginning on 2025-02-03.
The initial ransom demand was $63,000. The negotiation resulted in a confirmed payment.
// Primary Source
Full Transcript — Verbatim
Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.
Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
Hello. I'm here. How can I assist you?
Hello?
Your company's network is attacked and the entire system is encrypted. We have downloaded all the company's confidential data. After payment you will receive:
1. Decryption tool for all devices
2. Complete list of files taken from the network.
3. Proof that all your data has been deleted.
4. Information about how we got into the network.
5. Security recommendations to stop future attacks.
6. Promise that we will not attack you again in the future.
7. Guarantee that we will forget about this incident.
ok, what do we need to do?
We will provide the list of files what we took from you as soon as possible and you can offer 3 names of files from it and we will provide them as a proof of availability. Also you can send 3 encrypted files and we will decrypt them as a proof that our decryption tool really works. But these files must not contain a valuable information.
file tree.txt (0.232 MB)
Thank you, I'll review and pick out some files
Please provide us with copies of the following files:
- [redacted].xls
- [redacted].pdf
- [redacted].docx
We will do it as soon as possible.
[redacted].docx (0.032 MB)
[redacted].xls (0.039 MB)
[redacted].pdf (0.484 MB)
ok, so next I'm supposed to send you encrypted files? How am I supposed to get to those when you've encrypted the server?
In order for you to make sure that we can really help you decrypt all your files and prevent all your information from going online - you can offer us some test files ... and we will decrypt them. After full payment you will get a full activation key to your computers and forget about us forever.
ok, I need to get with our team when they're back on Monday to see what we're able to get and send to you
On Monday we are waiting.
What kind of files are we allowed to upload? All we've been able to get are some encrypted log files, will that work?
You can select 2-3 random files from the list, and we will upload them to this chat as proof of availability. To prove that we can decrypt your data correctly, you can upload 2-3 encrypted files to our chat, and we will upload the decrypted copies back
Please decrypt the following files:
[redacted] (0.555 MB)
[redacted] (0.238 MB)
[redacted] (0.239 MB)
[redacted].log (0.551 MB)
[redacted].log (0.234 MB)
[redacted].log (0.234 MB)
Thank you. We are considering your demands, is there any way you could provide a discount to your price?
As a sign of goodwill and quick closing of the deal, we are ready to give a 10% discount and stop at the price of 63,000 dollars. You can pay this amount as we have reviewed your financials. Talk to the management and pay, after payment you will get everything you agreed on.
Understood. If we only require either the decryptor or confidentiality, would the cost be adjusted accordingly?
Understand that we don’t have something that requires you to pay separately for something. Any payment includes all our terms and conditions. It depends whether you need decryption or not. Should your data be deleted or not, etc. Everything is included in the complex. Hurry up, there is very little time left.
That makes sense. We have some key decision makers that are flying in to discuss your deal. We expect to have an update for you early next week.
As we see that you are interested in making a deal as soon as possible, we do for you an exception and extend the timer till the 19th of February for you to make a decision with your management and inform us about the payment. Please, don't delay with it, otherwise we will return with the tools which are stronger. You must understand that as the timer will expire we will post your files on our blog.
Our apologies, we are awaiting a decision from leadership. Can we have one more day to consider your offer?
we extended the timer for 24 hours.
So you just had a meeting about finances. What do you have to offer? We are willing to make an additional discount and accept payment from you today. The price will be 60,000 dollars. That's a very good discount. We're ready to make the deal today and start rebuilding you. It's up to you. Time is running out today.
We see that you are not interested in the security of your patients and choose to play the silent way. Tomorrow we will publish a press release about you on our blog, and in a couple more days all of your data will become public. You still have time to start collaborating and do it without any attention from the press and the public.
[REDACTED URL]
// Analysis
Analyst Observations
- The final settlement represented a 5% reduction from the initial demand — a moderate reduction.