REvil Ransomware Negotiation — Redacted Organisation

Messages: 39
Duration: Unknown
Initial Demand: Unknown
Outcome: Unknown

About This Negotiation

This transcript documents a REvil ransomware negotiation with a redacted victim organisation. The negotiation consisted of 39 messages exchanged over an unknown duration.

The initial demand is not clearly stated in the transcript. The final outcome is not confirmed in the transcript.

Full Transcript — Verbatim

Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.

Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
[Victim] — 4 days ago — Message 1/39
We take you seriously and we want to work something out but $50k is too much for us to get our computers back. COVID ruined our finances and we have entire lots of cars from last year sitting outside that no one is interested in because no one is driving anymore. Can we work out a reduction in the price?
[REvil] — 3 days ago — Message 2/39
Hello, my boss can offer 20% discount
[Victim] — 3 days ago — Message 3/39
Thanks for working with us. I'm not sure if that's going to be enough of a discount but I will talk with my boss and see what we can do. We see different names for the notes on each computer with different keys in them. Does the price include unlocking all of our computers?
[REvil] — 3 days ago — Message 4/39
for all network
[Victim] — 2 days ago — Message 5/39
Sorry we haven't reached out in a little while but we have been trying to figure all this out while keeping the business running. We want to make sure you are able to decrypt more than just one system. Can you decrypt these files to show you can?
[Victim] — 2 days ago — Message 6/39
File 1
[Victim] — 2 days ago — Message 7/39
File 2
[REvil] — 2 days ago — Message 8/39
file
[REvil] — 2 days ago — Message 9/39
file
[Victim] — 2 days ago — Message 10/39
Pulling these down now. I talked to my boss and he said we can't pay in Monero do you accept Bitcoin?
[REvil] — 2 days ago — Message 11/39
Of course, btc enabled
[Victim] — 2 days ago — Message 12/39
Ok that's good to know. My boss wanted to see if you would be willing to let us pay $10,000 for the decryption. We know it's not what you are asking for but this is short notice and we are trying to do what we can to find available cash.
[REvil] — 2 days ago — Message 13/39
not interested
[Victim] — 2 days ago — Message 14/39
OK, my boss had someone willing to loan him some money if he needed to. Will you take $20,000? We could buy the Bitcoin and get you the money in 24 hours.
[REvil] — 2 days ago — Message 15/39
25k and okay not lower
[REvil] — 2 days ago — Message 16/39
price update
[Victim] — 2 days ago — Message 17/39
OK, let me talk to my boss and get back to you.
[Victim] — 2 days ago — Message 18/39
Just so I'm clear that payment would get us a decryptor for all our encrypted computers?
[REvil] — 2 days ago — Message 19/39
of course
[Victim] — 2 days ago — Message 20/39
OK we are working on getting the money together right now. Did you take any files from our computers? And how fast after we pay could we get the decryption software?
[REvil] — 1 day ago — Message 21/39
few minutes
[Victim] — 1 day ago — Message 22/39
OK that's good to know but my boss still wanted to know about whether or not you guys took our data before we sent the money.
[REvil] — 1 day ago — Message 23/39
We took your data
[Victim] — 1 day ago — Message 24/39
What did you take?
[REvil] — 1 day ago — Message 25/39
It will take more than a month to analyze the data. If all you need is a data, leave this chat.
[Victim] — 1 day ago — Message 26/39
We still want to move forward with payment for the decryptor we are just trying to understand what data was taken because it could impact our customers and we care about them. If you can give us a list of files it would help us a lot. Can you confirm that the bitcoin wallet is still [redacted]? Will you help us if something goes wrong with the decryption?
[Victim] — 1 day ago — Message 27/39
We want to make payment today if you can confirm the wallet for us. We don't want to send it to the wrong place.
[REvil] — 1 day ago — Message 28/39
[redacted] yes it is the right address
[Victim] — 1 day ago — Message 29/39
thanks for verifying.
[Victim] — 1 day ago — Message 30/39
we are getting ready to make payment. Are you able to provide us a Dir listing of what you exfil'd?
[REvil] — 1 day ago — Message 31/39
of course
[Victim] — 17 hours ago — Message 32/39
It took us longer yesterday than we thought to get the money together. We should be able to buy the bitcoin and send you payment today.
[REvil] — 17 hours ago — Message 33/39
ok we wait
[Victim] — 9 hours ago — Message 34/39
OK, it was difficult to get everything done on the weekend since the banks were closed most of the time but we should be making payment very soon. I just wanted to confirm that the price is still $25,000. The site shows 0.77 BTC which is $25,569 and there is a reference to Bitcoin (+10%). As long as we pay the agreed $25,000 you will decrypt all of our files on all computers right?
[Victim] — 9 hours ago — Message 35/39
OK, it was difficult to get everything done on the weekend since the banks were closed most of the time but we should be making payment very soon. I just wanted to confirm that the price is still $25,000. The site shows 0.77 BTC which is $25,569 and there is a reference to Bitcoin (+10%). As long as we pay the agreed $25,000 you will decrypt all of our files on all computers right?
[Victim] — 8 hours ago — Message 36/39
OK we sent the 0.77 Bitcoin, please confirm as soon as you get it.
[REvil] — 5 hours ago — Message 37/39
confirm
[REvil] — 5 hours ago — Message 38/39
yes for all network
[REvil] — 5 hours ago — Message 39/39
waiting 3 confirmations

Analyst Observations
