// Ransomware Negotiation Transcript
REvil Ransomware Negotiation — Redacted Organisation
// Context
About This Negotiation
This transcript documents a REvil ransomware negotiation with a redacted victim organisation, which describes itself in the exchange as a small, unlisted family company based in Singapore. The negotiation consisted of 58 messages.
The initial ransom demand was $300,000. The transcript ends with the victim reporting a transfer of 1.295 BTC (about $50,000 at the rate quoted in the exchange) and the operator issuing decryptor instructions; whether the decryption itself succeeded is not confirmed in the transcript.
// Primary Source
Full Transcript — Verbatim
Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.
Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
Hello,
We are REvil Group.
We want to inform you that your company's local network has been hacked and encrypted. We have all your local network data. The price to unlock is $300,000. For now we are keeping it a secret, but if you do not reply to us within 3 days it will be posted on our news-site. Think about the financial damage to your stock price from this publication. In case of successful negotiations we guarantee that you will get decryptors for all your machines, non-recoverable removal of downloaded data and a security report on how you were hacked so you can fix your vulnerabilities. We hope that you can correctly assess the risks for your company.
You can find more information about the REvil group on Google.
Posting on our blog and further publications in the media will lead to significant losses for your company: court and government fines, data recovery, loss of reputation, abandonment of clients, drop in limits.
But don't panic! We are in business, not in war.
We can unblock your data and keep everything secret. All we need is a ransom.
In this case, you also get: a security report, a complete tree of compromised data files, permanently deleting downloaded data, support with tips on unlocking and protecting.
Hi,
Our business has been seriously affected by the current Covid pandemic since early last year. Our country (Singapore) is in lockdown mode currently. Everybody is suffering and life is very tough here. Our company is no exception. Our company is a small local family company and not a listed company. Our company's finances have become very tight right now. We really cannot afford your asking price. We could only fork out up to US$20,000.
We have already finalised our recovery plan and, with the offline backup data, we are in the process of rebuilding some data and files now. We do not have P&C data with Government, Customers or Vendors. However, we wish to save our business recovery time and cost. Hence, we sincerely come to you and hope to reach a mutual agreement and settle this amicably.
Hope to hear from you soon.
Hello!
We took note of your communication and concluded:
1) If you could cope without our help, you would not contact us.
2) And yet, we are ready to make concessions to you, and throw the price down to $75,000.
We await your decision.
Hi
Appreciate your reply.
We wish to pay $75,000 and settle amicably. However, it is still very tough for us. We are willing to double our initial offer to $40,000.
We have only one condition (just to safeguard our side here), that is we pay 50% first and in return, you give us the decryption tool for our files on two (2) hosts:
1) Host name 'SAP-VEEAM' (file extension .[redacted]), and
2) Host name 'apps-fs' (file extension .[redacted], .[redacted], [redacted])
Once we successfully decrypt the above-mentioned files, we shall immediately settle the balance 50% without delay in return for all the balance decryption.
(Please be reassured that once we achieve agreement to pay, we shall honor our word)
For payment to you in XMR (currently trading at around US$287), our local crypto platform does not support this transfer network. Can we pay you in Bitcoin/Ethereum instead?
Hope to see your favorable reply soon.
Let my boss think, next couple of hours.
In any case, we are not ready for a down payment of 50%. So we don't work.
You can send us some not very important files so that we can confirm the functionality of our build. To do this, skip the file and note this extension.
I'll tell you in advance: if the boss does not agree to 40,000, try to offer a little more.
I talked with my boss, so the last price is $50,000. It is the minimal price we can offer to you.
You can pay in BTC.
Hi,
Ultimately, how can we be sure that after we pay 100% in advance you would give us 100% decryption?
We may not get anything at all after we make payment.
Therefore, please reconsider our suggestion that we pay you 50% and you decrypt our files as mentioned earlier on.
We assured you that once we reach an agreement with you, we will definitely honor our payment.
We have a long reputation, you can read reviews about us.
In addition, you ask to decrypt the server with backups.
We have already done everything possible for our cooperation in the form of a proposed discount.
You will receive a utility that will run on all extensions at once on your network.
Hi,
Can you provide the links for the review about you?
How many Bitcoin do we have to pay? Bitcoin price now is $38,650. Can you provide Bitcoin Transfer address/details?
1.36 BTC
Can you provide the links for the review about you?
Use google "REvil"
Hi,
Can you decrypt below 3 files to show you have the tools/keys? Thanks.
wait
file
APPS-SAP Backup.vbm.[redacted]
Choose another file for test decryption
Regional - Employee Master Data (Latest).xls
Do you really take us for fools?
send another test file
The Employee file is critical actually. Pls decrypt for us.
no
The Employee file is NOT critical actually.
send another file
try this please
file
this is the 3rd file please
file
Can I have last 2 more files to show my boss? Please.
Only a 3-file test.
If you need more, pay.
Now the BTC is $38,820 x 1.287 = $50,000.
Can we agree with 1.287 BTC coins?
1.295
we pay you 1.295 BTC coins, you send us the decryption tools/keys for all files. Do we have a deal?
yes
We need to remit money to our Crypto Platform to buy BTC, it may be late tomorrow to transfer the coins to you. Please bear with us.
can you also send me the BTC transfer details?
You can find the BTC ID on the main page
I only saw XMR address?
click "Bitcoin + 10%"
In the Recipient Address, I put this, correct?
[redacted]
What should I put in Recipient Full Name?
Please confirm
[redacted]
Yes, this wallet.
3. Wait for 3 confirmations by blockchain
What does the above means?
This is a confirmation of the transaction in the blockchain network. The usual procedure for transferring cryptocurrencies.
Ok
what should I put the full name for the recipient?
nothing. Wallet Only
Ok
Hi, we finally gathered enough BTC 1.295. But it is coming from 2 sources due to time constraint.
We shall transfer BTC 0.42546345 from our local Crypto Platform first.
Once you receive it, please let us know before we transfer the balance BTC to you from another Crypto Platform
Is that okay with you?
Please let us know quickly
We want to transfer now but need you to confirm okay first.
Hi,
We managed to transfer BTC 1.295 to your below address. Pls check and confirm.
[redacted]
Please see attached jpg image for the successful transfer of BTC 1.295.
Waiting till 3 confirmations, after that you can download the decryption program.
Where do we find these 3 confirmations?
We have done email confirmation and phone confirm for our BTC transfer just now.
is it related to the above 3 confirmations?
wait please
To use a decryptor run it as administrator and turn off antivirus before.
You can use a decryptor as gui application or through cmd.
CMD commands:
UniversalDecryptor.exe -full
UniversalDecryptor.exe -path "C:\folder"
UniversalDecryptor.exe -file "C:\folder\file.txt.random_ext"
* decryptor with -full option will decrypt all with default params.
If you use it as a GUI application, I recommend you choose the "create backups" option. If you use the decryptor without this option, you should not interrupt the decryption process, otherwise some files will be irreversibly damaged.
// Analysis
Analyst Observations
- REvil (also known as Sodinokibi) was responsible for high-profile attacks including Kaseya and JBS. The group was disrupted by law enforcement in late 2021 and early 2022.
- The price moved from $300,000 to $75,000 after the victim's first reply and then to $50,000 (settled as 1.295 BTC), about 17% of the opening demand. The victim's opening offer of $20,000 and its "50% now, 50% after partial decryption" condition were both refused outright.
- The operator capped the free test decryption at three files and refused the two files the victim most wanted checked: the Veeam backup on the SAP host (APPS-SAP Backup.vbm) and the employee master data spreadsheet. Expect test decryption to be limited to files the attacker judges non-critical; it proves possession of the key, not the operator's willingness to decrypt everything.
- The payment page offered a "Bitcoin + 10%" option alongside the XMR address, and the operator asked for 1.295 BTC against the victim's calculation of 1.287 BTC for $50,000. The victim also had to source BTC from two exchanges because of time constraints, which added delay and confusion over what "3 confirmations" meant.
- The decryptor instructions require running as administrator with antivirus disabled and warn that interrupting a run without "create backups" damages files irreversibly. Treat the tool as untrusted code: run it on an isolated host, against copies or with an independent backup of every encrypted file, and verify the output before restoring it to production.
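The decryptor notes in the transcript put the burden of backing up on the victim ("create backups", "do not interrupt"). The following is an added example, not code from the Ransomchats archive or from the REvil decryptor, of doing that step independently of the attacker's tool: inventory and hash every file carrying the ransom extension, copy it to a read-only backup tree, and after the decryptor has run check that each encrypted file has a non-empty decrypted sibling and that no backup copy was touched. The extension `.xyz1`, the directory names and the sample file contents are assumptions; the real extension is redacted in the transcript.

```python
"""Pre-decryption inventory and post-decryption verification (added example).

Assumptions: the ransom extension is ".xyz1" (placeholder; redacted on the
page), and the decryptor writes the plaintext next to the encrypted file with
the extension stripped, as the transcript's "file.txt.random_ext" hint suggests.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

RANSOM_EXT = ".xyz1"  # assumed placeholder for the redacted extension


def sha256(path):
    """Stream a file through SHA-256 so large backup images do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(root, ext=RANSOM_EXT):
    """Return {relative_path: sha256} for every file under root ending in ext."""
    root = Path(root)
    manifest = {}
    for p in root.rglob("*"):
        if p.is_file() and p.name.endswith(ext):
            manifest[str(p.relative_to(root))] = sha256(p)
    return manifest


def backup(root, backup_root, manifest):
    """Copy each inventoried file into backup_root, preserving layout, then mark it read-only."""
    for rel in manifest:
        src = Path(root) / rel
        dst = Path(backup_root) / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)
        os.chmod(dst, 0o444)
    return len(manifest)


def verify(root, backup_root, manifest, ext=RANSOM_EXT):
    """After the decryptor has run: list encrypted files with no usable plaintext
    sibling, and backup copies whose hash no longer matches the manifest."""
    missing, altered = [], []
    for rel, digest in manifest.items():
        decrypted = Path(root) / rel[: -len(ext)]
        if not decrypted.is_file() or decrypted.stat().st_size == 0:
            missing.append(rel)
        if sha256(Path(backup_root) / rel) != digest:
            altered.append(rel)
    return {"missing": missing, "altered_backups": altered}


def demo():
    """Constructed sample tree: two 'encrypted' files, of which a simulated
    decryptor run recovers only one. Returns the verify() report."""
    work = Path(tempfile.mkdtemp())
    root, bak = work / "apps-fs", work / "backup"
    (root / "share").mkdir(parents=True)
    (root / "share" / f"report.xls{RANSOM_EXT}").write_bytes(b"\x00" * 64)
    (root / "share" / f"notes.txt{RANSOM_EXT}").write_bytes(b"\xff" * 32)

    manifest = inventory(root)
    backup(root, bak, manifest)

    # Simulate the decryptor: only report.xls comes back; notes.txt is left encrypted.
    (root / "share" / "report.xls").write_bytes(b"plaintext")
    return verify(root, bak, manifest)


if __name__ == "__main__":
    print(demo())
```

Run `inventory` and `backup` before launching the decryptor, keep the manifest off the affected host, and run `verify` afterwards; a non-empty `missing` list tells you which files to raise with the operator while the negotiation channel is still open, and a non-empty `altered_backups` list means the tool touched files it was not supposed to.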