// Ransomware Negotiation Transcript
REvil Ransomware Negotiation — Redacted Organisation
// Context
About This Negotiation
This transcript documents a REvil ransomware negotiation with a redacted victim organisation. The negotiation consisted of 23 messages exchanged.
The initial demand is not clearly stated in the transcript. The final outcome is not confirmed in the transcript.
// Primary Source
Full Transcript — Verbatim
Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.
Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
How can I trust that if I pay, you will provide the decryptor? How long does the process take to get the decryptor and how long then will it take me to decrypt the files?
Hello. The decryptor is obtained automatically after payment.
Also, you can read about us on the internet, who we are; there is enough information that will get you out of any doubt.
Some of the read me files have different text in them, will the decryptor decrypt them all?
Yes.
Hello
Hi, how can I be sure if payment is made that the decrypting software will be provided?
We value our reputation and we have proved ourselves over a long period of time. We have a 100% guarantee after the transaction is completed that you will receive the decryptor and your data and information about you will be immediately deleted.
Can I upload you a file to prove that you can decrypt it?
Yes
Here is the file
File
Yes it works. I will try to find a way to buy xmr.
Or u can simply buy monero on these exchanges and withdraw on ur own wallet and send to us.
[REDACTED URL]
[REDACTED URL]
[REDACTED URL]
[REDACTED URL]
and there are all of the ways to get monero
[REDACTED URL]
Now I see that some of the files are deleted. How to restore them?
All these exchanges that you sent require a lot of time to transfer fiat and buy XMR on them. I'm trying to find a faster way. Can you postpone the time for payment a little bit?
Okay, we added.
Ok thanks
Waiting for 10 confirmations by Monero system, it takes ~30 min
We just paid
Ok, now I have access to decryptor. But when I log on to the machine it is locked and there is a screen to enter password, what is it?
password- [redacted]
it works thanks
// Analysis
Analyst Observations
- REvil (also known as Sodinokibi) was responsible for high-profile attacks including Kaseya and JBS. The group was disrupted by law enforcement in late 2021 and early 2022.