REvil Ransomware Negotiation — Redacted Organisation

Messages: 31
Duration: Unknown
Initial Demand: $500,000
Outcome: Unknown

About This Negotiation

This transcript documents a REvil ransomware negotiation with a redacted victim organisation. The archive does not record the negotiation's duration; the 31 messages carry only relative timestamps (from "9 days ago" to "2 days ago"), so the exchange spans roughly seven days.

The initial ransom demand was $500,000. The archive's outcome field is unknown, but the transcript itself records the price path: REvil offered a 20% discount (to $400,000), the victim countered at $124,000, REvil dropped to $300,000 as its "last offer", and the two sides settled at $280,000, paid as 7.670 BTC (message 20). The victim then downloaded the decryptor, received REvil's account of the intrusion (message 29), and closed by reporting that the two decrypted domain controllers no longer function as domain controllers (message 31); whether that was resolved is not in the transcript.

Full Transcript — Verbatim

Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.

Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
[REvil] — 9 days ago — Message 1/31
Hello, We are REvil Group. We want to inform that your company local network have been hacked and encrypted. We have all your local network data. The Price to unlock is $500,000. Now we're keeping it a secret, but if you do not reply us within 3 days it will be posted on our news-site. Think about the financial damage to your stock price from this publication. In case of successful negotiations we guarantee that you will get decryptors for all your machines, non recoverable removal of downloaded data and security report on how you were hacked to fix your vulnerabilities. We hope that you can correctly assess the risks for your company. You can find more information about REvil group in Google. Posting on our blog and further publications in the media will lead to significant losses for your company: court and government fines, data recovery, loss of reputation, abandonment of clients, drop in limits. But don't panic! We are in business, not in war. We can unblock your data and keep everything secret. All we need is a ransom. In this case, you also get: a security report, a complete tree of compromised data files, permanently deleting downloaded data, support with tips on unlocking and protecting.
[Victim] — 7 days ago — Message 2/31
Hello We are interested in resolving this situation. Can you provide some sample information on what files were accessed and taken?
[REvil] — 7 days ago — Message 3/31
Hello , wait for answer
[Victim] — 7 days ago — Message 4/31
Some sample file for decryption test
[REvil] — 7 days ago — Message 5/31
file
[REvil] — 7 days ago — Message 6/31
file
[REvil] — 7 days ago — Message 7/31
file
[REvil] — 7 days ago — Message 8/31
Extract:[redacted] Download: [redacted] [REDACTED URL] [REDACTED URL]
[Victim] — 7 days ago — Message 9/31
Thank you kindly. What can we do about discount of the price? 500 is beyond our capacity to pay.
[REvil] — 7 days ago — Message 10/31
my boss can offer 20% discount for fast payment
[Victim] — 5 days ago — Message 11/31
Hello - Your website was unreachable today. We looked into available on-hand funds but we cannot do 400k. We have $124k available on-hand that we can pay you for this situation. Can I give you my email in case this chat goes down again? how do we talk? How do I know if we pay that your site will not come down and we never get confirmation of data being deleted or the decryptors?
[REvil] — 5 days ago — Message 12/31
Our site will not be disabled, you do not need to worry about it. But your offer is too low, we are ready to take one more small step forward, but 300k is our last offer.
[Victim] — 5 days ago — Message 13/31
Hello - 300k is not possible for us. We do not have that kind of cash on hand even if we maxed our personal credit cards. I need to go back and figure out what we can do.
[REvil] — 5 days ago — Message 14/31
The price below is not interesting to us
[Victim] — 5 days ago — Message 15/31
We spoke to a few crypto places and with their fees, we can go up to 280k but in btc only. we are short 20k we cannot make it up sorry. Also, I want to ensure if we reach agreement, that you will come through on your side on the promises you are making. specifically, we need you to give us the decryptors and that they will work and if there are technical support issues, that you will help resolve. Also, that all our data will be deleted and you will provide some confirmation of deletion and I would also like to see the full listing of what you took. This is a lot of money for our company, you have to understand and I do not want to be attacked again, so I want your word that REvil will not attack us again and that you can tell me what I need to do to block whatever way you come in. If you are in agreement tell me what is "Bitcoin Wallet ID to send BTC" as my broker suggested. I need your assurance though.
[REvil] — 5 days ago — Message 16/31
okay we agree and confirm
[REvil] — 5 days ago — Message 17/31
btc enabled , price update
[Victim] — 5 days ago — Message 18/31
Hello - ok thank you, we are working with a bitcoins broker to do transfer today
[REvil] — 5 days ago — Message 19/31
ok
[Victim] — 4 days ago — Message 20/31
Hello - the broker just sent 7.670 bitcoins. Please confirm and provide the decryptor, thanks
[Victim] — 4 days ago — Message 21/31
Hello - ok, we downloaded the decryptor. Please send the full listing of what you took, how we were breached and the confirmation of deletion of our data. Thank you.
[REvil] — 4 days ago — Message 22/31
Wait for answer
[REvil] — 4 days ago — Message 23/31
To use a decryptor run it as administrator and turn off antivirus before. You can use a decryptor as gui application or through cmd. CMD commands:
UniversalDecryptor.exe -full
UniversalDecryptor.exe -path "C:\folder"
UniversalDecryptor.exe -file "C:\folder\file.txt.random_ext"
* decryptor with -full option will decrypt all with default params. If you use it as gui application, I recommend you choose "create backups" option. If you use decryptor without this option, you should not interrupt decryption process, otherwise some files will be irreversibly damaged.
[REvil] — 3 days ago — Message 24/31
file
[REvil] — 3 days ago — Message 25/31
file
[Victim] — 2 days ago — Message 26/31
Hello - thanks. Can you also provide the full listing of what you took, and how we were breached, appreciated
[REvil] — 2 days ago — Message 27/31
Full listing was deleted with all your files
[REvil] — 2 days ago — Message 28/31
Spam attack
[REvil] — 2 days ago — Message 29/31
1) A spam campaign with a virus file was sent to employees of your domain
2) Once user clicked the file, our virus payload was installed on the computer
3) Using special tools the computer was scanned and all user authorization data
4) This authorization data was used to access to the [redacted] network remotely
5) Next we scanned your network and found a vulnerable server with RCE, we used this RCE to execute our payload and gather full access to the server
6) Next we used special security tools to dump all possible passwords from the server
7) We used those passwords to gather access to other network elements until we accessed your domain controller
8) Specially designed keyloggers were installed to the IT staff machines, which helped us to gain access to the whole IT infra
9) We modified your antivirus configuration the way, it would not detect our presence on the IT network
10) After gaining all possible IT access data, we also found the way to connect to the remaining branches of the company
11) As soon as we gathered access to all the IT network, we used specially crafted tools to collect all valuable data
12) Upon data fetch completion, we launched our locking software across some of your IT systems, we didn't put much pressure on it, just wanted you to know that your data was leaked.
[Victim] — 2 days ago — Message 30/31
Hello - thanks
[Victim] — 2 days ago — Message 31/31
We have a technical question - we've decrypted the Domain Controllers DC01 and DC02, but we're having issues with them as they are not functioning as Domain Controllers. Is it possible these were damaged in some way during the breach? Could you tell us know how to fix them? thanks

Analyst Observations
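
As an added illustration (not part of the Ransomchats transcript and not the archive's own tooling), the following Python script parses message headers in the layout used above (party, relative age and message index, separated by em dashes) and reconstructs the figures summarised under About This Negotiation: messages per party, the span covered by the relative timestamps, the price path, and the implied BTC rate. It takes a constructed excerpt of the money-bearing messages above as sample input. The rule it uses to pick each side's "position" out of a message is a labelled heuristic of this example, not something the page states.

```python
"""Summarise a Ransomchats-style negotiation transcript: who spoke, how long it ran,
and how the price moved.  Added example; assumes the header layout shown on the page
('[Party] <em dash> N days ago <em dash> Message i/j') and an excerpt of its messages."""
import re
from dataclasses import dataclass

SEP = "\u2014"  # the em dash the page uses as a separator inside message headers
HEADER = re.compile(
    r"^\[(?P<party>[^\]]+)\] " + SEP + r" (?P<days>\d+) days? ago " + SEP
    + r" Message (?P<idx>\d+)/(?P<total>\d+)$")
# Money figures as written in the chat: "$500,000", "$124k", "400k", "300k".
# A leading "$" or a trailing "k" is required, so "3 days" and "DC01" are not picked up.
USD = re.compile(r"\$(\d[\d,]*)(k?)\b|\b(\d{2,3})(k)\b", re.IGNORECASE)
PERCENT_OFF = re.compile(r"(\d+)%\s*discount", re.IGNORECASE)
BTC = re.compile(r"(\d+(?:\.\d+)?)\s*bitcoins?\b", re.IGNORECASE)

# Constructed sample input: headers and money-bearing messages excerpted from the transcript above.
SAMPLE = """\
[REvil] — 9 days ago — Message 1/31
Hello, We are REvil Group. The Price to unlock is $500,000. If you do not reply us within 3 days it will be posted on our news-site.
[Victim] — 7 days ago — Message 9/31
Thank you kindly. What can we do about discount of the price? 500 is beyond our capacity to pay.
[REvil] — 7 days ago — Message 10/31
my boss can offer 20% discount for fast payment
[Victim] — 5 days ago — Message 11/31
We looked into available on-hand funds but we cannot do 400k. We have $124k available on-hand that we can pay you for this situation.
[REvil] — 5 days ago — Message 12/31
But your offer is too low, we are ready to take one more small step forward, but 300k is our last offer.
[Victim] — 5 days ago — Message 15/31
We spoke to a few crypto places and with their fees, we can go up to 280k but in btc only. we are short 20k we cannot make it up sorry.
[Victim] — 4 days ago — Message 20/31
Hello - the broker just sent 7.670 bitcoins. Please confirm and provide the decryptor, thanks
[Victim] — 2 days ago — Message 31/31
We have a technical question - we've decrypted the Domain Controllers DC01 and DC02.
"""


@dataclass
class Message:
    party: str
    days_ago: int
    idx: int
    total: int
    body: str = ""


def parse(text: str) -> list[Message]:
    """Split the transcript into messages; every non-header line belongs to the last header."""
    msgs: list[Message] = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            msgs.append(Message(m["party"], int(m["days"]), int(m["idx"]), int(m["total"])))
        elif msgs:
            msgs[-1].body += line + "\n"
    return msgs


def parse_usd(text: str) -> list[int]:
    """Return every dollar figure in a message, in dollars ("$124k" -> 124000)."""
    out = []
    for m in USD.finditer(text):
        value = int((m.group(1) or m.group(3)).replace(",", ""))
        if (m.group(2) or m.group(4) or "").lower() == "k":
            value *= 1000
        out.append(value)
    return out


def price_path(msgs: list[Message], actor: str = "REvil", victim: str = "Victim") -> list[tuple[int, str, int]]:
    """Reconstruct each side's stated position message by message.
    Heuristic (an assumption of this example): a victim reply restates the actor's figure in
    order to reject it and may mention smaller sub-amounts such as a shortfall, so the victim's
    position is the largest figure the actor has not already named; the actor's position is the
    smallest figure the victim has not already named; a bare "N% discount" is applied to the
    actor's previous position."""
    path: list[tuple[int, str, int]] = []
    stated: dict[str, set[int]] = {actor: set(), victim: set()}
    for msg in msgs:
        figures = parse_usd(msg.body)
        position = None
        if msg.party == actor:
            fresh = [f for f in figures if f not in stated[victim]]
            pct = PERCENT_OFF.search(msg.body)
            actor_so_far = [p for p in path if p[1] == actor]
            if fresh:
                position = min(fresh)
            elif pct and actor_so_far:
                position = round(actor_so_far[-1][2] * (1 - int(pct.group(1)) / 100))
        elif msg.party == victim:
            fresh = [f for f in figures if f not in stated[actor]]
            if fresh:
                position = max(fresh)
        if position is not None:
            stated[msg.party].add(position)
            path.append((msg.idx, msg.party, position))
    return path


def summarise(msgs: list[Message]) -> dict:
    """Counts per party, timestamp span, price path, BTC paid and the implied USD/BTC rate."""
    counts: dict[str, int] = {}
    btc_paid = None
    for m in msgs:
        counts[m.party] = counts.get(m.party, 0) + 1
        b = BTC.search(m.body)
        if b:
            btc_paid = float(b.group(1))
    path = price_path(msgs)
    last_usd = path[-1][2] if path else None
    return {
        "declared_total": msgs[0].total if msgs else 0,
        "parsed": len(msgs),
        "per_party": counts,
        "span_days": (max(m.days_ago for m in msgs) - min(m.days_ago for m in msgs)) if msgs else 0,
        "price_path": path,
        "last_position_usd": last_usd,
        "btc_paid": btc_paid,
        "implied_usd_per_btc": (last_usd / btc_paid) if last_usd and btc_paid else None,
    }


if __name__ == "__main__":
    for key, value in summarise(parse(SAMPLE)).items():
        print(f"{key}: {value}")
```

Run as a script it prints the summary for the excerpt. The script reports the last stated position rather than a "settlement" because acceptance is not parsed; in this transcript it is message 16 ("okay we agree and confirm") that turns the victim's $280k into the agreed price, and dividing that by the 7.670 BTC sent in message 20 gives the rate the broker applied.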

Facing a Ransomware Demand?

Whether you choose to negotiate or refuse — having specialists in the room changes the outcome.