REvil Ransomware Negotiation — Redacted Organisation

Messages: 79
Duration: Unknown
Initial demand: Unknown
Outcome: Unknown

About This Negotiation

This transcript documents a REvil ransomware negotiation with a redacted victim organisation. The negotiation consisted of 79 messages; the total duration is unknown.

The initial demand is not clearly stated in the transcript. The final outcome is not confirmed in the transcript.

Full Transcript — Verbatim

Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.

Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
[Victim] — 2 days ago — Message 1/79
In the ransom note, you stated that you took 500 GB of information, can you provide us examples of this information
[REvil] — 2 days ago — Message 2/79
Hello. If you are satisfied with the screenshots of the folders, we will provide them to you within a few minutes. Or we can provide you with a link to some of your data for review. But it will take about an hour.
[Victim] — 2 days ago — Message 3/79
we will take both
[REvil] — 2 days ago — Message 4/79
Good. 10 minutes and we will provide you with screenshots.
[Victim] — 2 days ago — Message 5/79
Thank you. we will wait for file samples as well
[REvil] — 2 days ago — Message 6/79
ok
[REvil] — 2 days ago — Message 7/79
We would like to draw your attention to the fact that we did not delete data from your ESXI servers. The information is also encrypted there. If we make a deal, we will give you a decryptor so that you can restore the servers.
[REvil] — 2 days ago — Message 8/79
But we do not guarantee recovery if you carry out any manipulations with these servers.
[Victim] — 2 days ago — Message 9/79
Understood
[REvil] — 2 days ago — Message 10/79
Good. This also applies to other files outside of ESXI.
[Victim] — 2 days ago — Message 11/79
please send the sample files when ready
[REvil] — 2 days ago — Message 12/79
We have started transferring some of the data to the new server so that you can familiarize yourself with the data. It will take some time. In 5 minutes you will be able to get acquainted with what we have already transferred for you.
[REvil] — 2 days ago — Message 13/79
We will upload files here for review. The link is available through the TOR browser. Some of the data is still in the process of being copied.
[Victim] — 2 days ago — Message 14/79
Thank You
[REvil] — 2 days ago — Message 15/79
We've finished copying the sample data for you. Can you please tell me, are you only interested in data files or are you also interested in the decryptor? As we already wrote before, we strongly discourage using third-party solutions.
[Victim] — 2 days ago — Message 16/79
3rd party solutions? Is there different pricing for breaking it apart?
[REvil] — 2 days ago — Message 17/79
3rd party solutions - Various programs, the descriptions of which say that they can recover data, but this is not the case. Typically, the use of such third-party programs leads to the fact that our decryptor can no longer recover your data.
[REvil] — 2 days ago — Message 18/79
If you are ready to move on to the deal in the near future, then we can provide you with a discount. If you do not need a decryptor, then the discount will be slightly higher.
[Victim] — 2 days ago — Message 19/79
I understand now on the 3rd party solutions. thank you
[Victim] — 2 days ago — Message 20/79
Thank you for providing the details. I am discussing with the board
[REvil] — 2 days ago — Message 21/79
Good. We will be in touch.
[Victim] — 1 day ago — Message 22/79
Our board is having issues with the quantifying the 500 GB that has been taken. To help them out, is there a certain IP or something I can hunt for to quantify this on the exfil side. Based on this, then the board should be in a position to discuss options.
[REvil] — 1 day ago — Message 23/79
Do I understand correctly that you do not need a decryptor?
[Victim] — 1 day ago — Message 24/79
That is incorrect. We are still understanding the damage caused to the organization.
[REvil] — 1 day ago — Message 25/79
This is just business, it makes no sense for us to lie or not fulfill obligations. If we do business this way, there will be no profit for us. In fact, your question is very strange - we think that the provided data is already enough to understand the seriousness of your problem. it's all about your reputation and possible damage to your customers. We have been in your network for more than 2 weeks and we think you understand that there was enough time to download even more information. You can also read about REvil on the Internet and find out that 500 gigabytes is a small leak, since sometimes several terabytes of data are downloaded. And also you will find out that if we can't reach the agreement, then we will have to publish some of the data in our blog. You should also know that in 5 days the amount will be doubled.
[Victim] — 1 day ago — Message 26/79
Thank you for this as providing this explanation
[Victim] — 1 day ago — Message 27/79
We have performed the research that you requested. In addition, we have studied ransom payments from various third party sources. The board is asking for you to consider $800K for the package to gain consensus. Can we agree to this amount?
[REvil] — 1 day ago — Message 28/79
Do you want us to give you a discount of more than 90%? Of course this is impossible. I will give you a small example. The company is close to your profile, the annual turnover was 2.5 times less, as well as we had 2 times less data and we have already published some of the data in the blog - as a result, this company paid 4 million. They also did not need a decryptor - they were able to recover from the backups that we missed. Next comes simple math. What you read is either small companies or information with understated amounts. Most companies do not advertise the fact of hacking and payment.
[REvil] — 1 day ago — Message 29/79
Apparently you do not realize the seriousness of the situation and the consequences. Loss of reputation Loss of clients and possible litigation with them. Financial losses due to downtime that can take a very long time. Your data will also be seen by your competitors The stocks in the market will begin to fall, and this is clearly not to your investors' liking. And much more. You are a big, serious company - be realistic.
[REvil] — 1 day ago — Message 30/79
If you are ready to seriously discuss the deal in the near future, then we will be ready to slightly reduce the amount. If your new proposal is again frivolous, we will have to prepare a blog post with the first part of the data.
[Victim] — 1 day ago — Message 31/79
We want to seriously discuss this and as you said, this is a business deal so please give me something to work with and I will discuss with the board and come back to you.
[Victim] — 1 day ago — Message 32/79
if we work together I am sure we can gain consensus
[Victim] — 1 day ago — Message 33/79
here is one article as part of our research [REDACTED URL]
[Victim] — 1 day ago — Message 34/79
again we want to gain consensus
[REvil] — 1 day ago — Message 35/79
I recommend that you do not trust such reports. We don't know what information the Coveware report was based on. How many companies are using Coveware? What is the size of the company and what is their revenue? Was there a data leak? Or was the company able to recover on its own and the company was interested only in non-disclosure? Company profiles? And much more. We also recommend that you be extremely careful when contacting a company like Coveware. As practice shows, the task of such companies is to make money on the client's problem. Most often they use payment per hour. Therefore, they usually start to play for time during negotiations and thereby pull money from the client. They won't care about your data. And if the deal does not take place, then the data is published and companies like Coveware will do it anyway for this fact - they will still make money. They are often too confident that we will agree to any amount and will not publish the data, but you can take a look at our blog and see how many companies they faked in this way. It is also a frequent case when we publish the first part of the data - companies immediately go to the deal, understanding how serious everything is. Returning to the topic of statistics of payments and amounts - as you understand, the companies that ignite do not want publicity, so you rarely see news that the company paid 5-10-15-20 million. But this happens. Here is a public example for you, to which we have nothing to do, but I think the meaning will be clear: [REDACTED URL] This is a public event. The company did not want to pay, after which part of its data was published and as far as I know - after that the company quickly agreed to the deal. I could provide private evidence of other multi-million dollar deals, but of course I won't. We do business with integrity. All the more would you like it if in the future we would tell other companies about your case? 
If we come to a deal, no one will know about it, otherwise you will be another example for our other companies. As for the amount. I think you perfectly understand that you will incur large financial losses. You are already losing money and I don’t think you want it to continue like this. And now we are only talking about easy to work with. But do you understand that there will be other losses? Clients will find out about what happened to you and find out that their data has been published, including confidential. Including problems with their projects. I think it is not easy for them not to want to continue working with you, and they will also sue you. And probably it will also go about millions of claims. So what happens if competitors take advantage of the data we can publish? How will investors react to this? Believe me, there is enough data for the company to incur more serious losses and they will exceed the amount requested from us. We are not the first day in this business and we can conditionally calculate how much the company can and will be willing to pay. As well as possible losses of the company. Therefore, we offer an adequate amount and it does not include the discount that we can offer if the company conducts a correct and serious conversation, and is also ready to conduct a deal up to double the amount and publish the first part of the data. We are still waiting for a serious offer from you. Keep in mind that tomorrow we will be preparing the first publication for our blog regarding your company - we are going to publish it on Friday if we do not come to an agreement. The blog is followed by many media and as soon as a new entry appears there, after a few hours it appears on many news portals.
[REvil] — 1 day ago — Message 36/79
A link to our blog where you can check out the leaks of other companies that didn’t make the deal: [REDACTED URL] I also recommend that you familiarize yourself with this material in order to avoid mistakes: [REDACTED URL]
[Victim] — 19 hours ago — Message 37/79
Thank you for providing this and I will discuss with the board
[Victim] — 16 hours ago — Message 38/79
As we are chatting in good faith, we would like to keep our conversations private. Can we setup a private chat as others might be viewing our conversation
[Victim] — 15 hours ago — Message 39/79
The ransom note was uploaded to VT; therefore, I am concerned someone could download and monitor. I am authorized to negotiate for the company.
[Victim] — 15 hours ago — Message 40/79
[redacted]@gmail.com
[REvil] — 15 hours ago — Message 41/79
We will not be able to link the gmail account with your company. LinkedIn account or Facebook of an employee or company? Phone call? After you provide us with a contact for communication, we will remove it from our correspondence so that no one can see it
[REvil] — 15 hours ago — Message 42/79
We removed from the chat all the messages where the name of your company was mentioned, as well as screenshots of the data, by which it was possible to determine which company could be discussed. We are waiting for your contact information to switch to another chat.
[Victim] — 15 hours ago — Message 43/79
I am stepping into a board meeting and will get the information you desire for verification.
[Victim] — 13 hours ago — Message 44/79
the phone will not work as those are down due to your encryptor
[REvil] — 13 hours ago — Message 45/79
Okay. Let us carry out verification via Facebook or LinkedIn.
[REvil] — 13 hours ago — Message 46/79
We can provide you with a new private chat without verification, but if we are confused by the correspondence in it, we will return to the main chat, where we are currently communicating.
[REvil] — 13 hours ago — Message 47/79
Let me know as soon as you are ready to receive a password and instructions. After that, write to us in a new chat and we will remove the password and instructions from the main chat.
[Victim] — 13 hours ago — Message 48/79
Here is our proposal to link to the gmail account. we noticed that you used the [redacted] account to pivot in the network. Is this verification enough to send this to the gmail account
[REvil] — 13 hours ago — Message 49/79
Yes, that will be enough.
[REvil] — 13 hours ago — Message 50/79
did you receive instructions and password?
[Victim] — 13 hours ago — Message 51/79
yes...
[Victim] — 13 hours ago — Message 52/79
I entered in the password
[Victim] — 13 hours ago — Message 53/79
Please destroy the other chat support
[Victim] — 13 hours ago — Message 54/79
and we will do our conversation here
[Victim] — 13 hours ago — Message 55/79
please confirm when complete
[REvil] — 13 hours ago — Message 56/79
Why do we need this? We have removed all information that could help someone identify your company name.
[Victim] — 13 hours ago — Message 57/79
the proofs are still in the chat window
[Victim] — 13 hours ago — Message 58/79
apologies for the extra steps as we gain consensus
[REvil] — 13 hours ago — Message 59/79
Write to me where the evidence is left and I will delete it.
[REvil] — 13 hours ago — Message 60/79
I see screenshots. I removed them.
[Victim] — 13 hours ago — Message 61/79
kill the onion link
[Victim] — 13 hours ago — Message 62/79
to the directory
[REvil] — 13 hours ago — Message 63/79
Ready
[Victim] — 13 hours ago — Message 64/79
Thank you
[REvil] — 12 hours ago — Message 65/79
I think we can start discussing the deal.
[Victim] — 12 hours ago — Message 66/79
The board is still reviewing the information you provided and contemplating an offer back
[REvil] — 12 hours ago — Message 67/79
Good. We are in touch.
[REvil] — 8 hours ago — Message 68/79
How are things going into the negotiation of the deal? Your time is coming to an end. If by tomorrow we do not agree on a deal, we will publish the first post on our blog. And also discounts will cease to be relevant. And we will already be discussing the next discount from the doubled amount, and as you understand, the amount in the end will be more than 9 million.
[Victim] — 8 hours ago — Message 69/79
You ask for a lot in a short period as many people are discussing options. Being your advocate and to gain consensus, you should realize that this takes time and to post early does not help this business deal. As the board is considering options, do you have a new number so I can take to them board.
[REvil] — 7 hours ago — Message 70/79
We all perfectly understand, but there are certain algorithms and deadlines in our work, which have proven their effectiveness more than once.
[REvil] — 7 hours ago — Message 71/79
"As the board is considering options, do you have a new number so I can take to them board." - what number are we talking about?
[Victim] — 7 hours ago — Message 72/79
The amount for the package. You ask for $9M. I trust to gain consensus the discounts to which you speak of can be factored in
[REvil] — 7 hours ago — Message 73/79
If in the near future we come to an agreement, then I think we will be able to provide a discount of 10-15%.
[REvil] — 7 hours ago — Message 74/79
But we will discuss the discount specifically when we receive an offer from the company. We do not recommend offering understated amounts - you must be realistic. Otherwise, as practice shows, negotiations are delayed, which leads to publications and an increase in the amount.
[Victim] — 7 hours ago — Message 75/79
As your advocate, I understand your position. A few questions from the board 1) the data you have taken - how do we receive it back 2) do you explain how you took the data and got into our company 3) what guarantees do you provide that you will not attack us again 4) what assurance do we receive that the data does not leak in 6 months from now (how do we know that you destroyed it)
[Victim] — 7 hours ago — Message 76/79
5) what if the decryption key does not work - do you provide some type of support
[REvil] — 7 hours ago — Message 77/79
1) You can recover this data using the decryptor anyway. But if required, we will provide you with a link to all your data. 2) Yes, we will provide you with information on how we got into the company's network and how we got access to all the data. 3) We don't do that kind of thing. This will ruin our reputation. We will give you recommendations on how to avoid repeated intrusion (from other teams). 4) Why will we not save them - why waste resources on this? As soon as we receive payment, we will delete the data from all backup servers and it will remain on only one server so that you can download it if you need it. Then we will remove them from there. This is a business. If we leak, we will ruin our reputation and other companies will not pay us. 5) Our software is time-tested. This will not happen if you have not tried to restore data using third-party software.
[Victim] — 7 hours ago — Message 78/79
Thank you for this. I will provide to the board. I do not know what time zone you are in, but I suspect the board will provide me guidance in the AM. I do not know if you take a rest in your business
[REvil] — 7 hours ago — Message 79/79
Good. We will be in touch.
