REvil Ransomware Negotiation — Redacted Organisation

Messages: 78
Duration: Unknown
Initial Demand: $136.00
Outcome: Unknown

About This Negotiation

This transcript documents a REvil ransomware negotiation with a redacted victim organisation. The negotiation consisted of 78 messages exchanged over an unknown duration.

The initial ransom demand was $136.00. The final outcome is not confirmed in the transcript.

Full Transcript — Verbatim

Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.

Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
[Victim] — 16 days ago — Message 1/78
hello, i have read your site and i have informed my boss. He asked if we can pay you 8000 euro to your bank account to be able to take our files back but how can we be sure you will help us?
[REvil] — 16 days ago — Message 2/78
Hello. Your offer is very small. Not interested.
[Victim] — 16 days ago — Message 3/78
we have lost about 41 days of data since our last backup in some of our systems. Some systems have been fully recovered so we can start working but it will take us more than 2 weeks to do manual work for adding thing to our system. My boss told me to figure out a way to make a deal with you so we can pay you. that way you can help us recover the lost days faster instead of manual work. Please help us recover our data faster. I now work with my technician to see the faster way to start working, so an option to work with you would be best if it is faster.
[REvil] — 16 days ago — Message 4/78
Your offer looks ridiculous. Make a really interesting offer to my boss.
[Victim] — 15 days ago — Message 5/78
why you say ridiculous sir? i am trying to find a way to make this work for both sides so it has some value to us. It would be great if you have the solution and we can get our files faster because my technician now wants to format computers and start from our latest offline backup to set things up clean.
[REvil] — 15 days ago — Message 6/78
Then ask your technician if they can help you with personal data leaks. Also, in case of non-payment, your information will be published in our blog and disseminated in the media.
[Victim] — 15 days ago — Message 7/78
can we find a way to recover our files faster than our technician can recover them? Our technician said that we need 2-3 weeks of manual work for formatting, setting up and manual input to get most of our systems back to work. This is a long time and it involves some costs from our side. How much time your service will take to recover our systems back to normal and what is the process? Our technician works hard in the last two days but his process is very slow and we will have to involve some people for manual work. This is time consuming. I want to understand if your service is faster first of all.
[REvil] — 15 days ago — Message 8/78
Everything happens automatically after payment.
[Victim] — 15 days ago — Message 9/78
so you mean that within one day we will have all files restored and all systems running as they were before the problem?
[REvil] — 15 days ago — Message 10/78
Yes, all right.
[Victim] — 15 days ago — Message 11/78
that is a good option because if we are able to move faster with your service this will have important impact in our office. Now regarding payment, Do you believe that we can work together to find a viable solution to the cost so we can select your service instead of manual work that will take us a long time?
[REvil] — 15 days ago — Message 12/78
Make a really interesting offer to my boss. And we can work.
[Victim] — 15 days ago — Message 13/78
the problem is that at this time the Covid situation in our country has severely impacted all the business. greece is under a heavy financial crisis for over 10 years and our office is closed due to government lockdown. cashflows are probably the worse in years. due to crisis we all work remotely and this year probably will be the worst in decade. So cashflows are really limited. can we agree on 12000euro paid in your bank account so you can help us?
[REvil] — 15 days ago — Message 14/78
First, we do not accept payments to a bank account. Secondly, our boss is unhappy with your proposal.
[Victim] — 15 days ago — Message 15/78
can we please find a solution to this payment? I want to express that since your solution is faster than our technician we want to work with the faster solution but it should be an amount that we can pay fast and get our files. Our technician said that he needs only time to get us up and working along with manual work. But time is important here for my boss. Please discuss with your boss to settle to an amount that we can pay. Please consider that we need also time to see how your payment will be done, so as the time passes your services will not add any value. We want to work with you to purchase your professional services to help us recover faster than our technician.
[REvil] — 15 days ago — Message 16/78
My boss is ready to give you a 20% discount on fast payment.
[Victim] — 15 days ago — Message 17/78
Thank you, in that case we are ready to pay 12000 - 20% = 9600euro. We will have the money in 3 days. we appreciate it. let us know how you want us to do the payment.
[REvil] — 15 days ago — Message 18/78
Friends, you apparently did not understand, we are ready to provide you with a 20% discount from the original price.
[REvil] — 15 days ago — Message 19/78
170000-20%=136000 $
[Victim] — 15 days ago — Message 20/78
how we are supposed to find this money? our offices are closed and during covid this money is not something that can be found. could we please discuss a realistic amount?
[REvil] — 15 days ago — Message 21/78
Make a really interesting offer to my boss. 12k euro its small offer.
[Victim] — 15 days ago — Message 22/78
can you please adjust your offer to greece so we can pay you and get our files faster? the money you ask is unfortunately far more than my boss capabilities. 12.000 seems little for you? the average salary here in greece is 500euro per month. Please sir lets discuss an offer that can be paid fast. if we need 10 months to find the money you request there is no use for the files. right now we need to recover faster. please talk to your boss. we can find the money i suggested in 3 days and send it to you if you agree
[REvil] — 15 days ago — Message 23/78
Your offer is too small to be considered. Make a really interesting offer to my boss.
[Victim] — 15 days ago — Message 24/78
tomorrow my technician will have a clear view of the main systems that are up and running so we can estimate and focus on the things we are missing from backups. He said that most systems are in place from our cloud provider, so i will be back to you if we need your help with your services. i thought that we could have your help on this so we can use your service to launch faster but our technician said we should wait for his results recovering from cloud and then see if anything missing so we can focus on that.
[REvil] — 15 days ago — Message 25/78
If you do not pay, your files will be published on the blog and transferred to the media, the rest of the data will be sold. In any case, it will affect your reputation, think about your clients, fines and other troubles that await you. We you a solution to avoid all of this.
[Victim] — 15 days ago — Message 26/78
Sir, we just need to save time restoring our files. If you have a solution to this let me know if we can work together. i just want to save time to launch faster. this is our focus here. but I believe this will take also time because you cannot understand that time is important here. If we could have the files yesterday it would make a great deal for the office. we are losing more than 1000euro every day we delay.
[REvil] — 15 days ago — Message 27/78
wait for answer.
[Victim] — 14 days ago — Message 28/78
ok
[REvil] — 14 days ago — Message 29/78
Everything my boss has to offer $ 136k.
[Victim] — 14 days ago — Message 30/78
you are still referring to thousands of dollars sir?
[REvil] — 14 days ago — Message 31/78
Yes, all right.
[Victim] — 14 days ago — Message 32/78
I told you that our office is in greece and if you read the news we are closed by lockdown and it was the worst year for any office here in greece so such an amount unfortunately is not something that is feasible. So please consider if you can really help us work with you in some way. We have about 2 days until weekend to decide because new equipment has been ordered to set everything from scratch. Hopefully the most important system from our operation is up and running today. We are missing a lot of data still and in 1-2 days we will have a total estimation of losses that require manual work. Thank you for communication.
[REvil] — 14 days ago — Message 33/78
This is my boss's last sentence.
[Victim] — 14 days ago — Message 34/78
in 1-2 days we will have a meeting with our outsourced technician to check everything that is missing. all depends from the cost. estimation of lost data. still your cost is far too high to be able to pay. I still tell you that we are willing to keep our options open and your service of instant full recovery is still an option for us. But we need to work a lot on the price to be able to see it as an option.
[REvil] — 14 days ago — Message 35/78
Your price is still too low for this amount of work.
[Victim] — 14 days ago — Message 36/78
unfortunately our estimation was wrong. we had a briefing from our technician right now. there is a lot more work to be done, not only 1-2 weeks to do manual work. probably we will need more than 30 days. our technician said that the attack was well planned and we estimate lots of effort to recover from manual work. also we will have to delay a lot because of the malware is still inside. So we will have to replace software and probably hardware until it is fully cleaned. Let me know, if we work with your solution, the malware will be gone from our network ?
[REvil] — 14 days ago — Message 37/78
Yes of course.
[Victim] — 14 days ago — Message 38/78
our technician asks how you did the attack, through remote desktop or mail?
[REvil] — 14 days ago — Message 39/78
After payment we will conduct an audit for you.
[Victim] — 14 days ago — Message 40/78
ok that is an added value. an audit would cost about 5000-10000euro. So you will decrypt files, our systems will be up and running in 1 day, our systems will not contain malware and also you would conduct an audit. correct?
[REvil] — 14 days ago — Message 41/78
Audit means we will tell you how we infected your network. For your large network, this will cost a lot more.
[Victim] — 14 days ago — Message 42/78
how much this would cost? Now i am helping my boss estimate the overall help of your service.
[Victim] — 14 days ago — Message 43/78
greek companies for our audit gave us an offer between 5000-10000 euro. don't forget that in greece such services are much cheaper than US.
[Victim] — 14 days ago — Message 44/78
according to my boss we are ready to pay much bigger amount to get at least some of your services. But we would like to ask you a very serious discount to your valuable services in order to reach a deal. We understand that you are trying to extract as much money as you can from this deal, but the amount you demand right now is not something we can discuss. We want to work with you and we can find more money. Try once more to discuss with your boss. if we reach a deal of around 45.000euro we will manage to find the amount in some days. and we can send it to you in some installments.
[REvil] — 14 days ago — Message 45/78
1-We will check how we got into your system.
2-Get the whole network decoder.
3-All sensitive data will be deleted from our servers.
4-Let's clean your network of our virus.
5-You will restore your system in one day.
6-Neither reputation nor customers will suffer.
It all depends only on your actions. We have been the administrators of your network for a long time and we know that you can pay 500k. We have made a huge discount and look forward to serious offers from you.
[Victim] — 14 days ago — Message 46/78
ideally we would like from you the following: 1. get the last data from one virtual machine to save lots of manual work 2. stop your attacks to our network so we can do business because we lose more than 1000euro/day as we delay. can we agree on 55.000 so we can end this before weekend? we will show some good will to send you some money as soon as we can.
[REvil] — 14 days ago — Message 47/78
wait for answer.
[Victim] — 13 days ago — Message 48/78
also we have serious problem with monero. please check if you can give us bitcoin wallet as our accountant said that we have problem with monero.
[REvil] — 13 days ago — Message 49/78
Yes of course.
[Victim] — 13 days ago — Message 50/78
lets work on the price. so if you accept on 55k we can find the money and we will use bitcoin to send you asap. now our accountant tries to work with the cryptocurrency thing.
[Victim] — 13 days ago — Message 51/78
if we send you bitcoin how much time it takes for you to receive it and send us the solution?
[REvil] — 13 days ago — Message 52/78
30 minute
[REvil] — 13 days ago — Message 53/78
but we cant accept 55k
[Victim] — 13 days ago — Message 54/78
please sir give us a price we can pay today because the price you requested will take lots of time. give us your best shot so we can move the process today
[REvil] — 13 days ago — Message 55/78
wait for answer.
[Victim] — 13 days ago — Message 56/78
please try to match what we have so we can find the funds easily and move faster because time is important for us so that we don't have to setup all the network again from scratch. lets try to match the price of the current offer because we have these funds available now, so if its close to that we might be able to find the funds today. our accountant said that it will take days to find a lot of extra money because it is a matter of cash flow, exchanges, banks and stuff that we don't understand.
[REvil] — 13 days ago — Message 57/78
Ok, we take you the last step to meet $ 100k.
[REvil] — 13 days ago — Message 58/78
Price update refresh the page.
[Victim] — 13 days ago — Message 59/78
the price of 100k$ is about 85k euro. it is a price that i think we can meet. i want to talk with our accountant to check how fast we can find this amount and start the process to find bitcoin
[REvil] — 13 days ago — Message 60/78
Okay we wait
[Victim] — 13 days ago — Message 61/78
Just to repeat our deal. Once you receive the requested amount:
1. You will stop any bad actions to our network
2. You will provide decryptor that will decrypt all computers in our network
3. You will help us if we have technical problems
4. You will stop any other bad actions regarding our office
5. You will provide security audit for our office
Correct?
[REvil] — 13 days ago — Message 62/78
Yes, all right.
[Victim] — 13 days ago — Message 63/78
our accountant has some serious problems with transferring the money on time. Can you please extend the time so we can be able to pay the agreed amount in bitcoin?
[REvil] — 13 days ago — Message 64/78
How much time do you need ?
[Victim] — 12 days ago — Message 65/78
it might be from today until Wednesday for the processing to be done since our accountant has never done it before. He thinks he can get all the amount we have agreed but he is missing some for now and probably it can be found during the day. And then he needs to transfer the funds so that the processing to bitcoin happens. So i think until Wednesday/Thursday or maybe much earlier if all is done today.
[REvil] — 12 days ago — Message 66/78
Okay we give until Wednesday.
[Victim] — 12 days ago — Message 67/78
thank you. expect update from our side.
[Victim] — 12 days ago — Message 68/78
can you please update the timer?
[REvil] — 12 days ago — Message 69/78
Okay.
[Victim] — 12 days ago — Message 70/78
we will do test payment first to see if you receive it ok? will it show in your system automatically?
[REvil] — 12 days ago — Message 71/78
No problem.
[REvil] — 12 days ago — Message 72/78
Yes
[REvil] — 12 days ago — Message 73/78
Wait for 3 confirmations by Bitcoin system, it takes ~30 min
[REvil] — 12 days ago — Message 74/78
To use a decryptor run it as administrator and turn off antivirus before. You can use a decryptor as gui application or through cmd.
CMD commands:
UniversalDecryptor.exe -full
UniversalDecryptor.exe -path "C:\folder"
UniversalDecryptor.exe -file "C:\folder\file.txt.random_ext"
* decryptor with -full option will decrypt all with default params.
If you use it as gui application, I recommend you choose "create backups" option. If you use decryptor without this option, you should not interrupt decryption process, otherwise some files will be irreversibly damaged.
[REvil] — 12 days ago — Message 75/78
1. Backup (provided there is no direct access to copies from local machines)
2. It is important to regularly evaluate which employees have access and permission to which resources. Most employees do not need a high level of domain access.
3. Use professional e-mail and web security tools that can analyze the content of websites, email attachments, and files for malware.
4. Keep your operating system, software and all devices updated on an ongoing basis.
5. Antivirus software, IPS (intrusion prevention systems) and corporate email protection have been updated to the latest version.
6. Divide your network into specific security zones so that malware caught in one zone cannot spread to others.
7. Security training courses to teach employees not to download files, open email attachments, or follow unknown links in messages.
[REvil] — 12 days ago — Message 76/78
Your network was accessed through your VPN.
[REvil] — 12 days ago — Message 77/78
All your data was automatically deleted after receiving payment. Our presence on your network will soon be terminated.
[Victim] — 12 days ago — Message 78/78
how long have you been in our network?
