REvil Ransomware Negotiation — Redacted Organisation

Messages: 28
Duration: Unknown
Initial Demand: Unknown
Outcome: Unknown

About This Negotiation

This transcript documents a REvil ransomware negotiation with a redacted victim organisation. The negotiation consisted of 28 messages; its duration is unknown.

The initial demand is not clearly stated in the transcript. The final outcome is not confirmed in the transcript.

Full Transcript — Verbatim

Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.

Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
[REvil] — 10 days ago — Message 1/28
Hello, We are REvil Group. We want to inform that your company local network have been hacked and encrypted. We have all your local network data. The Price to unlock is $3.000,000. Now we're keeping it a secret, but if you do not reply us within 3 days it will be posted on our news-site. Think about the financial damage to your stock price from this publication. In case of successful negotiations we guarantee that you will get decryptors for all your machines, non recoverable removal of downloaded data and security report on how you were hacked to fix your vulnerabilities. We hope that you can correctly assess the risks for your company. You can find more information about REvil group in Google. Posting on our blog and further publications in the media will lead to significant losses for your company: court and government fines, data recovery, loss of reputation, abandonment of clients, drop in limits. But don't panic! We are in business, not in war. We can unblock your data and keep everything secret. All we need is a ransom. In this case, you also get: a security report, a complete tree of compromised data files, permanently deleting downloaded data, support with tips on unlocking and protecting.
[Victim] — 5 days ago — Message 2/28
Hello there. You encrypted our network and we are stuck. But the amount on your website must be a mistake. We are a tiny company in a very rural state that just finally came out of lockdown. There is no way we can ever pay this much. Is there something different we can work out?
[REvil] — 5 days ago — Message 3/28
Hello we know all about your company. My boss can offer 20% discount
[Victim] — 5 days ago — Message 4/28
Thanks for getting back. And thank you for lowering the price. But this is still really really too much money. If you know all about our company, you know things are not so good the past five years. What documents did you take from us?
[REvil] — 5 days ago — Message 5/28
we prepare proof of hack
[REvil] — 5 days ago — Message 6/28
offer your price and my boss will review it
[Victim] — 5 days ago — Message 7/28
we are waiting for the proof pack, also we have taken your discount to our management team.
[REvil] — 4 days ago — Message 8/28
small example
[REvil] — 2 days ago — Message 9/28
Looking forward to your reply today or we start publication in our blog
[Victim] — 2 days ago — Message 10/28
We apologize for the delay. We are working on getting you an offer, but right now we are struggling to get the cash together to make you happy. We do not want to insult you with a low number, but as I mentioned... things have not been so good the past few years. Since you know all about us, you know that this is true. We will get you something to offer you first thing tomorrow. Is that okay?
[REvil] — 2 days ago — Message 11/28
we wait
[Victim] — 22 hours ago — Message 12/28
Okay I spoke to my boss. We really don’t want you to publish anything, but we are afraid we will never be able to make a deal with you because the price is so high. We just don’t have that kind of money. Here is what we do have. First, my boss has cancelled the reopening of the office for the rest of the year, which was earmarked at $30,000. It turns out we have an insurance policy that could help out as well. (I was not aware of this). The insurance is $100,000. Finally, my boss will personally contribute his own family money of $20,000. That is $150,000! I know it is not as much as you wanted, but please look at what we are doing here. My boss also wanted me to ask you to look at the financial records that you stole from us. He wanted me to tell you that if you look at those documents, they show that our company has a “negative returned earnings value”. I don’t know what that means, but my boss said that as a businessman, you would understand
[REvil] — 22 hours ago — Message 13/28
not interested
[REvil] — 22 hours ago — Message 14/28
we start published your data
[Victim] — 18 hours ago — Message 15/28
Please man. That’s not fair! My boss is going to kill me. You have to give us more time… please! I am sure we can come up with more money, but you're demanding so much from us. Is there any way we can prove to you our financial situation. I can email you our tax records or something from our accountant? You have to believe me man… Please give me more time…
[REvil] — 18 hours ago — Message 16/28
Your suggestions don't even come close to meeting our needs
[REvil] — 15 hours ago — Message 17/28
300k and okay if you pay quickly
[Victim] — 10 hours ago — Message 18/28
Oh wow, that is awesome. We are very appreciative of the huge discount. We want to get this behind us as fast as possible We can probably get $300,000, but we don’t have it today. We could probably get it by Monday. If you want something today, I know we have exactly $264,766 because I am looking at an email right now. Can we can get you $264,766. If you really need $300k, it’ll take some more time. Can we just pay you the $264,766 in the next 24 hours and be done with this?
[REvil] — 10 hours ago — Message 19/28
300k last price your accept it or we start published data
[Victim] — 7 hours ago — Message 20/28
We will find the money somewhere. We agree to 300,000 USD. Will you provide the decryption tool, return our data and then delete it after? How do we pay you?
[Victim] — 7 hours ago — Message 21/28
Please also decrypt attached sample file
[REvil] — 3 hours ago — Message 22/28
btc or xmr
[Victim] — 3 hours ago — Message 23/28
btc
[Victim] — 3 hours ago — Message 24/28
test
[Victim] — 3 hours ago — Message 25/28
the earlier file you sent was empty so sending new test files.
[REvil] — 3 hours ago — Message 26/28
file
[REvil] — 3 hours ago — Message 27/28
file
[REvil] — 3 hours ago — Message 28/28
btc enabled , price update
