REvil Ransomware Negotiation — Redacted Organisation

Messages: 42
Duration: Unknown
Initial Demand: Unknown
Outcome: Unknown

About This Negotiation

This transcript documents a REvil ransomware negotiation with a redacted victim organisation. The negotiation consisted of 42 messages exchanged over an unknown duration.

The initial demand is not clearly stated in the transcript. The final outcome is not confirmed in the transcript.

Full Transcript — Verbatim

Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.

Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
[REvil] — 21 days ago — Message 1/42
hi
[Victim] — 20 days ago — Message 2/42
Hi, are you able to help us understand what happened?
[REvil] — 20 days ago — Message 3/42
Hello , you network encrypted and data was stolen
[Victim] — 20 days ago — Message 4/42
ok, we understand. Will you please tell us how you got into our network?
[REvil] — 20 days ago — Message 5/42
We will tell only after payment
[Victim] — 19 days ago — Message 6/42
Hi, you said our data was stolen. What do you mean? How much was taken? Thank you.
[REvil] — 19 days ago — Message 7/42
near 140Gb of data
[REvil] — 19 days ago — Message 8/42
You can check in your logs , we upload data in our cloud and transfer data to our servers .
[Victim] — 19 days ago — Message 9/42
thanks for the information. Would you please provide a sample of the data? We need to review this and show our management. Thank you
[REvil] — 19 days ago — Message 10/42
wait for answer
[REvil] — 19 days ago — Message 11/42
examples
[Victim] — 18 days ago — Message 12/42
Thanks for the files. Management is reviewing them. Our team needs to understand how the decryption software works. Does the same decryptor work on every machine?
[REvil] — 18 days ago — Message 13/42
One decoder, you can decode all machines
[Victim] — 18 days ago — Message 14/42
Thanks! The machines have different encrypted file extensions. How does that work for the decryptor tool? Do you need all of the extensions? Please explain how that works.
[REvil] — 18 days ago — Message 15/42
we send universal decryptor and all instruction
[Victim] — 18 days ago — Message 16/42
You do not need extensions from us?
[REvil] — 18 days ago — Message 17/42
no , you will get universal decryptor for all extension
[Victim] — 18 days ago — Message 18/42
Thanks for the information. We are working with you to try to understand the process. We have a lot to review given this situation. It is now the weekend. Would you please add more time to the clock? Thank you for your help.
[REvil] — 18 days ago — Message 19/42
of course
[REvil] — 18 days ago — Message 20/42
update
[Victim] — 16 days ago — Message 21/42
Hi, our team has questions about the trial decryption. Does the file we upload need a certain extension? Can it come from any machine? thanks
[REvil] — 16 days ago — Message 22/42
Hello you can send test file to this chat
[Victim] — 15 days ago — Message 23/42
Thank you. We will locate a few files to test. Also, the current price is much too high for us to pay. As you can see in the files you took, we have many financial problems including a recent bankruptcy, and we do not have insurance. Please help us with a lower price.
[REvil] — 15 days ago — Message 24/42
My boss can offer 20% discount if your pay fast
[Victim] — 15 days ago — Message 25/42
Thank you for the discount. We want to work with you but this is still much too expensive. Will your boss please give us a larger discount since we have all of those financial problems? Thanks
[REvil] — 15 days ago — Message 26/42
We know your financial problems, but we also know how much you earn. 20% is all we have to offer
[Victim] — 15 days ago — Message 27/42
Ok, would you please give us more time on the clock so we can try to reach an agreement with you. This is a difficult situation for our team and we are in good faith trying to reach a resolution. Thank you
[REvil] — 15 days ago — Message 28/42
2 days added
[Victim] — 14 days ago — Message 29/42
Hi, thanks for the extra time. Would you please decrypt this png file. Thanks
[REvil] — 14 days ago — Message 30/42
file
[Victim] — 13 days ago — Message 31/42
Thanks for the decryption test. Please understand we are not in the financial position to pay this high price. Will you please ask your boss again what he can do to help us?
[REvil] — 13 days ago — Message 32/42
20% discount if you pay fast
[REvil] — 12 days ago — Message 33/42
so - time ending . What we should do?
[Victim] — 12 days ago — Message 34/42
The price with only a 20% discount is still $2million USD. This is much too high for us to afford. We do not have insurance. Are you able to give us a higher discount? Thanks!
[REvil] — 12 days ago — Message 35/42
Make an interesting offer and my boss will consider it.
[Victim] — 11 days ago — Message 36/42
Hi, we talked to our management and they asked a couple questions today. Do we get all of our data back before you delete it? Will you tell us exactly when and how you got into our network? Please let us know..
[REvil] — 11 days ago — Message 37/42
Everything can be restored in a few hours. You will also receive a complete list of files.
[REvil] — 11 days ago — Message 38/42
Yes, we can help you secure your network
[Victim] — 10 days ago — Message 39/42
Hi. Our management is still evaluating the situation and the costs. If we can come to a reasonable agreement, would it be possible to pay in bitcoin? Our understanding is that XMR is more difficult for us to get. We have to keep our costs down.
[Victim] — 10 days ago — Message 40/42
Hi. Our management is still evaluating the situation and the costs. If we can come to a reasonable agreement, would it be possible to pay in bitcoin? Our understanding is that XMR is more difficult for us to get. We have to keep our costs down.
[REvil] — 10 days ago — Message 41/42
Of course
[REvil] — 13 minutes ago — Message 42/42
hi, Tomorrow we upload your data to auction .and after sale start spam attack to your partner with your data
