// Ransomware Negotiation Transcript
REvil Ransomware Negotiation — Redacted Organisation
// Context
About This Negotiation
This transcript documents a REvil ransomware negotiation with a redacted victim organisation. The negotiation consisted of 42 messages.
The initial demand is not clearly stated in the transcript. The final outcome is not confirmed in the transcript.
// Primary Source
Full Transcript — Verbatim
Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.
Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
hi
Hi, are you able to help us understand what happened?
Hello , you network encrypted and data was stolen
ok, we understand. Will you please tell us how you got into our network?
We will tell only after payment
Hi, you said our data was stolen. What do you mean? How much was taken? Thank you.
near 140Gb of data
You can check in your logs , we upload data in our cloud and transfer data to our servers .
thanks for the information. Would you please provide a sample of the data? We need to review this and show our management. Thank you
wait for answer
examples
Thanks for the files. Management is reviewing them. Our team needs to understand how the decryption software works. Does the same decryptor work on every machine?
One decoder, you can decode all machines
Thanks! The machines have different encrypted file extensions. How does that work for the decryptor tool? Do you need all of the extensions? Please explain how that works.
we send universal decryptor and all instruction
You do not need extensions from us?
no , you will get universal decryptor for all extension
Thanks for the information. We are working with you to try to understand the process. We have a lot to review given this situation. It is now the weekend. Would you please add more time to the clock? Thank you for your help.
of course
update
Hi, our team has questions about the trial decryption. Does the file we upload need a certain extension? Can it come from any machine? thanks
Hello you can send test file to this chat
Thank you. We will locate a few files to test. Also, the current price is much too high for us to pay. As you can see in the files you took, we have many financial problems including a recent bankruptcy, and we do not have insurance. Please help us with a lower price.
My boss can offer 20% discount if your pay fast
Thank you for the discount. We want to work with you but this is still much too expensive. Will your boss please give us a larger discount since we have all of those financial problems? Thanks
We know your financial problems, but we also know how much you earn.
20% is all we have to offer
Ok, would you please give us more time on the clock so we can try to reach an agreement with you. This is a difficult situation for our team and we are in good faith trying to reach a resolution. Thank you
2 days added
Hi, thanks for the extra time. Would you please decrypt this png file. Thanks
file
Thanks for the decryption test. Please understand we are not in the financial position to pay this high price. Will you please ask your boss again what he can do to help us?
20% discount if you pay fast
so - time ending . What we should do?
The price with only a 20% discount is still $2million USD. This is much too high for us to afford. We do not have insurance. Are you able to give us a higher discount? Thanks!
Make an interesting offer and my boss will consider it.
Hi, we talked to our management and they asked a couple questions today. Do we get all of our data back before you delete it? Will you tell us exactly when and how you got into our network? Please let us know..
Everything can be restored in a few hours. You will also receive a complete list of files.
Yes, we can help you secure your network
Hi. Our management is still evaluating the situation and the costs. If we can come to a reasonable agreement, would it be possible to pay in bitcoin? Our understanding is that XMR is more difficult for us to get. We have to keep our costs down.
Of course
hi, Tomorrow we upload your data to auction .and after sale start spam attack to your partner with your data
// Analysis
Analyst Observations
- REvil (also known as Sodinokibi) was responsible for high-profile attacks including Kaseya and JBS. The group was disrupted by law enforcement in late 2021 and early 2022.