// Context
About This Negotiation
This transcript documents a Ranzy ransomware negotiation with a redacted victim organisation.
The negotiation consisted of 36 messages exchanged over an unknown period.
The initial ransom demand was $7,000. The final outcome is not confirmed in the transcript.
// Primary Source
Full Transcript — Verbatim
Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.
Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
[Ranzy] — 15 Oct, 16:27 — Message 1/36
Hello, you need help?
[Victim] — 16 Oct, 16:04 — Message 2/36
how much
[Victim] — 16 Oct, 16:05 — Message 3/36
how much
[Ranzy] — 16 Oct, 16:06 — Message 4/36
Hi, please wait 5 min.
[Victim] — 16 Oct, 16:06 — Message 5/36
hello ?
[Ranzy] — 16 Oct, 16:06 — Message 6/36
Hello.
[Ranzy] — 16 Oct, 16:09 — Message 7/36
Price for your case is $7,000. If you can pay this amount we send you all instructions
[Ranzy] — 16 Oct, 16:33 — Message 8/36
Hello?
[Victim] — 17 Oct, 03:29 — Message 9/36
Your note says all of our sensitive data was downloaded to your servers. Does that mean you took our data? We read an article that says you like to take data. We want our data decrypted. So, if we pay we get a decryptor and all of our files back? Is that how this works?
[Ranzy] — 17 Oct, 03:33 — Message 10/36
Yes.
[Victim] — 17 Oct, 21:48 — Message 11/36
Ok. We are going to have a meeting to discuss this situation. Can you send us a file or two from the data you took?
[Victim] — 19 Oct, 14:35 — Message 12/36
Ok. We had our meeting and agree that we need the decryption program. Can you fix a file to prove your ability to decrypt?
[Ranzy] — 19 Oct, 16:05 — Message 13/36
yes, upload file on [REDACTED URL] < 3mb
[Victim] — 19 Oct, 16:24 — Message 14/36
Here is the link it gave me. [REDACTED URL]
[Ranzy] — 19 Oct, 17:40 — Message 15/36
Hello, can you send me teamviewer access on your infected server?
[Victim] — 19 Oct, 19:29 — Message 16/36
We can't provide you access, but if you tell us what you need to look at, we can provide information to you. Do you need more sample files, or something else?
[Ranzy] — 19 Oct, 19:31 — Message 17/36
Yes, more sample files (from any servers and in share folders and local folders). Also tell me this information: Your OS, how to you shutdown our ransomware, and how much share folders in your local network. Thanks.
[Victim] — 20 Oct, 02:41 — Message 18/36
Win Server 2008 R2. The Anti Virus caught the malware. We only have 1 server.
[Victim] — 20 Oct, 02:42 — Message 19/36
[REDACTED URL]
[Victim] — 20 Oct, 21:25 — Message 20/36
Any update on our encrypted file?
[Victim] — 21 Oct, 14:00 — Message 21/36
Hello. Have you decrypted our file?
[Ranzy] — 21 Oct, 14:23 — Message 22/36
Hello
[Ranzy] — 21 Oct, 14:24 — Message 23/36
We have another messages from recovery company
[Victim] — 21 Oct, 15:57 — Message 24/36
What do you mean?
[Victim] — 21 Oct, 22:10 — Message 25/36
In the beginning we asked another recovery company to help us. Do you know the name of the recovery company that is communicating with you still? Their website said they could decrypt our files, but it was a lie and I think they contacted you instead. Did they pay you? Please ignore them and communicate here with us and we will get this sorted out.
[Ranzy] — 21 Oct, 22:13 — Message 26/36
All recovery company is scam and just write us for buy decrypt.
[Victim] — 22 Oct, 15:58 — Message 27/36
Have you made any progress on decrypting our test file?
[Ranzy] — 22 Oct, 16:05 — Message 28/36
Hello yes we have progress but we don't understand which version our software you are encrypted, can you send me time when you encrypted?
[Victim] — 22 Oct, 18:26 — Message 29/36
It looks like it happened on 10/11/2020.
[Ranzy] — 22 Oct, 19:52 — Message 30/36
So, your files encrypted tested version our software and we must scan all your system for find keys for decrypt, and also my boss up price for you so final amount is 30,000$
[Victim] — 22 Oct, 22:08 — Message 31/36
Can you give us the scan tool?
[Ranzy] — 22 Oct, 22:10 — Message 32/36
Scan with private global decryption key and when scanned collect all keys and decrypted it in real time, we can connect to teamviewer and scan it or send it you after payment
[Victim] — 23 Oct, 01:49 — Message 33/36
There is no way we are letting you back into the server. We also can't afford anywhere close to the amount you are asking at $30,000. We could barely even afford $7,000. We are just a few person company. If you can't prove you can decrypt, we can't pay you anything. The price needs to go back to $7,000 because I don't know if we can even afford that. How can you decrypt the data without getting into our server?
[Ranzy] — 23 Oct, 01:53 — Message 34/36
In any case need teamviewer.
[Victim] — 23 Oct, 14:02 — Message 35/36
Why can’t we just run whatever key find program you need us to run for you? We will not give you Teamviewer access, especially not if you want a price that we can’t possibly afford. Can you send us the program that you need to run to find the keys, then decrypt a sample file, then we can pay $7000 for decryption?
[Ranzy] — 23 Oct, 14:03 — Message 36/36
I'm already repeat you - your network encrypted with tested versions our software so for finding keys need scan your system, our scanner with private key and we do not provide it just like "download this and run". If you can't provide teamviewer and pay $30,000 - goodbye