// Ransomware Negotiation Transcript
REvil Ransomware Negotiation — Redacted Organisation
// Context
About This Negotiation
This transcript documents a REvil ransomware negotiation with a redacted victim organisation. The negotiation consisted of 39 messages exchanged.
The initial demand is not clearly stated in the transcript. The final outcome is not confirmed in the transcript.
// Primary Source
Full Transcript — Verbatim
Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.
Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
We take you seriously and we want to work something out but $50k is too
much for us to get our computers back. COVID ruined our finances and we
have entire lots of cars from last year sitting outside that no one is
interested in because no one is driving anymore. Can we work out a
reduction in the price?
Hello, my boss can offer 20% discount
Thanks for working with us. I'm not sure if that's going to be enough
of a discount but I will talk with my boss and see what we can do. We
see different names for the notes on each computer with different keys
in them. Does the price include unlocking all of our computers?
for all network
Sorry we haven't reached out in a little while but we have been trying
to figure all this out while keeping the business running. We want to
make sure you are able to decrypt more than just one system. Can you
decrypt these files to show you can?
File 1
File 2
file
file
Pulling these down now. I talked to my boss and he said we can't pay in Monero do you accept Bitcoin?
Of course, btc enabled
Ok that's good to know. My boss wanted to see if you would be willing
to let us pay $10,000 for the decryption. We know it's not what you are
asking for but this is short notice and we are trying to do what we can
to find available cash.
not interested
OK, my boss had someone willing to loan him some money if he needed to.
Will you take $20,000? We could buy the Bitcoin and get you the money
in 24 hours.
25k and okay not lower
price update
OK, let me talk to my boss and get back to you.
Just so I'm clear that payment would get us a decryptor for all our encrypted computers?
of course
OK we are working on getting the money together right now. Did you take
any files from our computers? And how fast after we pay could we get
the decryption software?
few minutes
OK that's good to know but my boss still wanted to know about whether or not you guys took our data before we sent the money.
We took your data
What did you take?
It will take more than a month to analyze the data.
If all you need is data, leave this chat.
We still want to move forward with payment for the decryptor we are
just trying to understand what data was taken because it could impact
our customers and we care about them. If you can give us a list of files
it would help us a lot. Can you confirm that the bitcoin wallet is
still [redacted]? Will you help us if something
goes wrong with the decryption?
We want to make payment today if you can confirm the wallet for us. We don't want to send it to the wrong place.
[redacted] yes it is the right address
thanks for verifying.
we are getting ready to make payment. Are you able to provide us a Dir listing of what you exfil'd?
of course
It took us longer yesterday than we thought to get the money together.
We should be able to buy the bitcoin and send you payment today.
ok we wait
OK, it was difficult to get everything done on the weekend since the
banks were closed most of the time but we should be making payment very
soon. I just wanted to confirm that the price is still $25,000. The site
shows 0.77 BTC which is $25,569 and there is a reference to Bitcoin
(+10%). As long as we pay the agreed $25,000 you will decrypt all of our
files on all computers right?
OK, it was difficult to get everything done on the weekend since the
banks were closed most of the time but we should be making payment very
soon. I just wanted to confirm that the price is still $25,000. The site
shows 0.77 BTC which is $25,569 and there is a reference to Bitcoin
(+10%). As long as we pay the agreed $25,000 you will decrypt all of our
files on all computers right?
OK we sent the 0.77 Bitcoin, please confirm as soon as you get it.
confirm
yes for all network
waiting 3 confirmations
// Analysis
Analyst Observations
- REvil (also known as Sodinokibi) was responsible for high-profile attacks including Kaseya and JBS. The group was disrupted by law enforcement in late 2021 and early 2022.