// Context
About This Negotiation
This transcript documents a REvil ransomware negotiation with a redacted victim organisation.
The negotiation consisted of 10 messages exchanged over an unknown period.
The initial demand is not clearly stated in the transcript. The final outcome is not confirmed in the transcript.
// Primary Source
Full Transcript — Verbatim
Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.
Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
[REvil] — 1 day ago — Message 1/10
Hello,
We are REvil Group.
We want to inform that your company local network have been hacked and encrypted. We have all your local network data. The Price to unlock is $5.500,000. Now we're keeping it a secret, but if you do not reply us within 3 days it will be posted on our news-site. Think about the financial damage to your stock price from this publication. In case of successful negotiations we guarantee that you will get decryptors for all your machines, non recoverable removal of downloaded data and security report on how you were hacked to fix your vulnerabilities. We hope that you can correctly assess the risks for your company.
You can find more information about REvil group in Google.
Posting on our blog and further publications in the media will lead to significant losses for your company: court and government fines, data recovery, loss of reputation, abandonment of clients, drop in limits.
But don't panic! We are in business, not in war.
We can unblock your data and keep everything secret. All we need is a ransom.
In this case, you also get: a security report, a complete tree of compromised data files, permanently deleting downloaded data, support with tips on unlocking and protecting.
[Victim] — 18 hours ago — Message 2/10
I'm a little confused. Your message says 3 days but your website says 19 hours. Your decryption tool doesn't do us any good since we are in the process of recovering, but you may interest us with the data that you say you have taken. Can you show us what you took?
[REvil] — 18 hours ago — Message 3/10
You were too slow when trying to assess the damage and did not write to us
[REvil] — 18 hours ago — Message 4/10
Of course wait for answer
[Victim] — 13 hours ago — Message 5/10
Will we have this today? Please increase the timer, there's no way we can make any payment in only 14 hrs
[REvil] — 8 hours ago — Message 6/10
3 day added
[REvil] — 8 hours ago — Message 7/10
Yes we prepaid proof of hack
[Victim] — 8 hours ago — Message 8/10
Okay please send the proof of what you took from our network
[REvil] — 7 hours ago — Message 9/10
ok
[REvil] — 1 hour ago — Message 10/10
[REDACTED URL]
pass for download : [redacted]
pass for archive : [redacted]
[REDACTED URL]