Negotiation chat with different groups

Victim 1 month ago
Hello guys,
I am the person in charge to negotiate with you on behalf of my client.
The amount of XMR requested to my client to get the decryption tool, the
files back available and not published in the dark web (I have seen
some exfiltrated data are published on your blog) is huge and my client
cannot afford to fully pay your claims. My client is trying to cope with
this difficult situation, since it has been heavily struck by the
current economic crisis due to the coronavirus pandemic, with a dramatic
fall of sales in the last months. My client’s net revenues amount to
EUR 500.000,00 in the last financial statement (2.5 billion as gross
revenues, which is a not relevant data if you guys are acquainted with
economics). The financial situation of my client has been catastrophic
since 2010, with a substantial decrease y/y in net revenues and gross
operating profits. The cyberattack you have carried out on my client’s
systems has blocked the company operation and all its internal
operations have been shut down including deliveries, and as a
consequence my client is not able to fulfil the market with its copper
products and get revenues. My client has already had to make budget cuts
and fire many of its employees or put them on unemployed insurance,
with devastating effects on families and children amid the economic
crisis due to Covid19. Therefore, it is impossible for my client to pay
you 7.5 million USD. According to my client’s financial condition, I
think he might be considering paying a certain amount in order to
protect his business and to obtain the decrypting tool for all the files
very quickly. However, such amount would be lower than the one you have
requested, due to the heavy financial situation. In my personal
opinion, my client has the financial availability to pay you 500.000 USD
very quickly. A greater amount would be very difficult (almost
impossible in my very personal opinion) to be paid because of the
current financial situation. Let me know on this point.

REvil 1 month ago
Hello. We have deals with many companies every day, our pricing policy
takes into account the Covid19 crisis. Do not take cover by this, the
price is affordable for the company. 500k from a company like yours is
not serious, of course we can give you a discount that will depend on
the quickness of your payment, but price can't be too low as you ask
for. We hid the post from our blog for the talks. If we will have a deal
this information will not be ever published.

Victim 1 month ago
What kind of discount are you guys thinking about? My client is really
in a dire economic situation as previously said and I will try my best
to convince him to add few money on the negotiation table. However
adding money to his last offer would entail more budget cuts and firing
more employees, leaving families without livelihood in this dramatic
financial crisis.

REvil 1 month ago
You have no chances with $500,000 or this level of amounts of money, don't even try to bluff with this.
If you pay shortly, we accept $6,75M.
If no, we start publication data part by part to speed you up.

Victim 1 month ago
we are not bluffing and you do not know the financial situation of my
client. However I will get back to you as soon as my client gives me a
feedback on your so called "discount"

REvil 1 month ago
https://www.sendspace.com/file/[redacted]

REvil 1 month ago
[redacted]_Consolidated Financial Report 310320.pdf

REvil 1 month ago
If you can't find your insurance manual, here it is.

Victim 1 month ago
Oh well, so you guys are familiar with economics. Are you sure you are
able to read the numbers? My Client has been losing money since 2010. In
the consolidated financial report you exfiltrated you can see that in
the first three months of 2020 only the financial loss amounts to EUR
[redacted] M. And take a look at the net financial position as at 31 March
2020 which is negative by EUR [redacted] M. Moreover, look at bond trading
level (30% yield) that my client needs to repay:
[redacted]. The
financial situation of my client is negative. I think you picked the
wrong victim and the financial analysis you have performed prior to
undertaking the hacking operations is absolutely wrong. Look at the
chart herein attached and maybe you will be able to understand that
economics is not hacking and my client is not Grubman nor Travelex nor
[redacted] (the latter, just to remain in the [redacted] boundaries and a victim
you may know).
With regard to the insurance manual you guys have exfiltrated please
note that the insurance company Chubb does not cover the expenses
related to a ransom payment but only the expenses my client is facing
for business interruption and recovery.
This being said, my client needs to resume normal operations as soon as
possible minimising financial losses due to inactivity caused by your
actions. So we need to find a trade-off between your requests and my
client’s capability to pay. Too much money requested and really my
client does not have that financial capability. My client understands
your position and aspirations but can’t reach that amount. Overnight I
convinced my client to add more money on the table. His offer now
amounts to 750.000,00 but this will entail more sacrifices in terms of
employment and debt repayment. People will be fired amid this financial
crisis but I guess you guys don’t care about people left without
livelihood.
If you guys don’t accept it, my client will set up the new
infrastructure without data. It won’t be easy but my client is pretty
sure to go back on the business within a few weeks. I mean my client is
making the argument that the cost to restart the new infrastructure
without data will not be higher than 700-800 k USD. That amount
represents the break-even point for my client. If my client pays a
dollar more, it won’t be convenient for him. So accept these 750 k USD
or set a new affordable price or get nothing. If you accept or if you
set a price which my client is able to meet, he will start the payment
process as soon as possible, after finding a trusted exchange.
Please stop the countdown as usual during the negotiations with your hacking group.

REvil 1 month ago
Good morning. Sorry, but your offer still isn't interesting for us.
Companies with revenue like 10kk usually pay us this value. Come back
later when you will be able to pay more. We can wait but your client
doesn't have enough time.

REvil 1 month ago
If you think it's easy to restore for 800k - go and do it. We don't care.
First dump will be full of your client net passwords, [redacted] email
dump, phone and password (that he uses in many other services than your
network). Next will be with clients info, NDAs, payment information and
technical specification of your production

Victim 1 month ago
Do you mean if we do not strike a deal in 1 day 8 hours and 41 minutes you will double the price requested?

REvil 1 month ago
sure not

REvil 1 month ago
i added you 7 days.

Victim 1 month ago
Ok guys. What I am trying to let you understand is that my client is
not in a good financial position and the financial statement you have
had the chance to read clearly testifies what I am saying. The production
plants are on hold and people are put on unemployed insurances and are
being fired. I know that you guys don’t care because your goal is your
personal profit. You carried out a perfect and clean job on my client’s
network I have been told and you clearly deserve to be rewarded for your
work. The issue is not if my client is willing to pay but how much
money my client can afford to pay without worsening his financial
condition and safeguarding jobs and families. This is the main issue.
You guys are considering the data exfiltrated as valuable data that may
cause a catastrophic reputational damage to my client if disclosed to
the general public. Well, this is not the case. My client is not
interested if you guys disclose [redacted] email dump or NDAs or whatever
document you have in your hands. The value of the data you guys have
stolen is irrelevant to my client. My client resells commodities ([redacted]) with a B2B model, there’s no industrial secret to be
protected. And again, please believe me that I’m not bluffing on this
point. You have read the documents you have stolen and you guys are
experienced in the field: I bet you haven’t found any information worth
USD 6.75 M. Any. So again, my client is interested in a quick restore of
its network. Analysts have estimated that to restore the systems from
scratch it will cost around EUR 800 k. Then there is the business
interruption which is also covered by the insurance policy you have had
the chance to read. If my client gets the decrypter, the network will be
restored faster and the business will restart in a matter of days.
Otherwise it will take longer but the costs incurred by my client will
be integrally covered by the cybersecurity insurance policy.
This being said, we are at a negotiation table. Your demands (USD 6.75
M) do not match our last offer (USD 750k). We are way too far to reach
an agreement. You guys say that our last offer does not meet your
expectations and to come back with a higher offer. But you guys have not
lowered your request and showed any availability to reach an agreement
and a win-win solution for both the parties involved. I mean, this is
not a negotiation. Are you guys willing to get a reward for your team?
What if I convince my client to put USD 1 M on the table? My client will
never pay you the amount you have requested, but with some sacrifice he
might be able to reach the USD 1 M threshold.

REvil 1 month ago
You write a lot of text but all of this doesn't matter. Why? [redacted] is ONE
of the WORLD's LARGEST manufacturers of [redacted]. Your
client spent some millions on recovery software and hardware for it, but
admins using passwords like "[weak password redacted]". But sure we can't take your 1M
offer because this is ridiculous. We are thinking that you are bluffing
and trying to make price so lower, but I understand it is just your job.
You are working fine, price updated to $5M

Victim 1 month ago
hey, guys, thanks for lowering the price.

Victim 1 month ago
I mean that being one of the largest corporations does not imply to be the richest. This is the point

Victim 1 month ago
If my client had the financial resources you think the IT department would be stronger and [redacted] systems would be more secure

Victim 1 month ago
[redacted] IT department has proved to be very very little in terms of
capacity and you guys have been good to leverage the vulnerabilities in
[redacted] network. But this is not the point

Victim 1 month ago
You are sure that [redacted] has the financial capability to meet your
demands. If you look at the reports as well as at the newspaper news you
can easily see that [redacted] is in deep trouble.

Victim 1 month ago
So I am not bluffing because I have been asked to keep the price as
low as possible. I am an experienced negotiator, I undertook many
negotiations with REvil and I know how to talk with you guys. I know the
threshold I can or I cannot exceed. This is not the case. My client has
a very limited financial ability and I am not fooling you around

Victim 1 month ago
So please do reconsider your demands and go for a win-win solution as REvil usually pursues.

REvil 1 month ago
If you have undertaken many negotiations with REvil you have to know that much smaller companies pay more than your offer.

Victim 1 month ago
Well, it hasn't been my case fortunately! Yes, I confirm I have
undertaken many negotiations with REvil affiliates and I have not bumped
into a negotiation with a payment of more than 1 M. Two months ago a
REvil affiliate attacked a very famous Italian company. The initial
request was 7.5 M USD, with revenues like [redacted]. The deal was closed at
USD 750 K. You can ask REvil affiliates if I am not speaking the truth.

Victim 1 month ago
Moreover [redacted] does not give a shit about the data you have stolen, so I
have been told. So please reconsider your request and maybe we can find
an agreement.

REvil 1 month ago
I think there were reasons for that, it is not for nothing that they
reduce the price to 750k from 7.5m, you are too mistaken in thinking
that the situation is the same here. I could cite cases when companies
with ten times less revenue paid 3M, or paid 100k only for one personal
computer, but it does not create a rule, it is just an exception,
exceptions only confirm the rule.

Victim 1 month ago
I can see your point and I get it. I think I am not mistaken and the
situation is similar to the one I mentioned. I mean, the price paid
depends on many factors: 1) financial availability 2) ability to restore
the network without the decrypter 3) time necessary 4) consistency of
backups 5) profit loss for business interruption and so on. What I am
saying is that this is the sixth time I bumped into REvil and my client has
never paid more than 1 M USD. But maybe they are exceptions that
confirm the rule.

REvil 1 month ago
Other Data Recovery Companies have never had clients who paid more than $5,000,
but it does not mean we will agree for $5,000 in case like this.

Victim 1 month ago
The situation is the following: 1) [redacted] has a very limited financial
availability. 2) [redacted] is already working on network restoring (costs will
be covered by the insurance policy) 3) the time necessary to restore the
network from scratch will be almost 12 days 4) there are backups
available on LTO tapes 5) the profit loss for business interruption will
be limited and covered by the insurance policy

Victim 1 month ago
I get your point but [redacted] offered USD 1 M clean, not 5 k$.

REvil 1 month ago
In view of this situation, $ 5M is reasonable.

Victim 1 month ago
[redacted] does not have $ 5 M. I can try to convince the client to add more
money, but there is no cash flow to pay the amount you have requested.

REvil 1 month ago
Of course. Because $1M too low.

Victim 1 month ago
I know that the amount offered does not meet your expectations. What's a
reasonable amount for you? Take into consideration what I have just told
you in this talk

REvil 1 month ago
Our offer $5M

REvil 1 month ago
Waiting for your...

Victim 1 month ago
Talk to the client and get back to you in a while

REvil 1 month ago
ok

REvil 1 month ago
good morning. do you have new information for us?

Victim 1 month ago
Yes. Talked to the client and they shared that profit margins on
revenue that is generated is tiny, and due to the lack of business
having actual cash to turn into monero is hard to come by. They
understand you ask more money, but they wanted me to let you know that
they are having a hard time coming across more money. Now they have
access to USD 1.27 M in cash, but it won't be available until Monday
since they can't send money with the banks closed.

REvil 1 month ago
We have good news to you, price $2.5M for this deal. We prefer Monero,
but provide you bitcoin payment method to make it easier for you. But
there is a nuance, if you pay in bitcoins, the additional commission is
10%.
After payment we will fulfill all agreements with decryption, will
provide any supports, delete the data from our servers and will provide
you short report on how you were hacked, keep in mind we still have
access to the network and watching for any movements.

REvil 1 month ago
Refresh the page to see changes

REvil 1 month ago
hello. are we waiting for your payment today?

Victim 1 month ago
Hi guys. Sorry for being late but my client took his time over the
weekend to have internal meetings in order to respond to your last
request. Notwithstanding my client has strived to find more budget to
pay your claims, there is no more money available to be put on the
table. The financial condition of my client is terrible and you know it
and the economic situation of Italy has been catastrophic since a
decade with impacts on [redacted]. My client can't afford to take away any more
money from the budget needed to run the company operations and to pay
employees salaries. It has been a difficult decision and my client is
fully aware that this decision could stop the negotiation with you guys
and that consequently he won't get the decrypter. However my client has
reached the maximum cap and the costs he might face without the
decrypter are, according to cybersecurity analysts and loss adjusters,
close to $ 1 M. So this is it. Let me know.

REvil 1 month ago
If I understand correctly, your last offer is $1.27M, if we will agree, how much time do you need to make the payment?

Victim 1 month ago
Yes, correct. We will need about a day since buying Monero takes time, especially when we use a broker in the USA

REvil 1 month ago
Okay guys so medium price between your offer and our waiting is 1.5kk.
price updated for 48h and it is final call. Write a message when you
will start exchange for lock xmr rate.

Victim 1 month ago
Client again took some time to think about your last offer. Due to
the fact that Monero has high transaction rates (around +10%), my client
is willing to pay you 1.27 M within the next 48 hours. Client is not
able to fully meet your demands as you know and understand. Let me know
if this is ok for you and client starts the payment process.

REvil 1 month ago
ok. price updated.

Victim 1 month ago
Please do confirm that the decrypter is general and works for each and every system you guys have encrypted

REvil 1 month ago
Yes. general decryptor works for all system that was affected

REvil 1 month ago
how much time do you need to make this payment?

REvil 1 month ago
hello?

Victim 1 month ago
Be patient, we are working on it. Expect the payment very soon, a matter of hours.

Victim 1 month ago
Can you lock the Monero price for us? We are placing our order now.

REvil 1 month ago
Ok. Freezed

Victim 1 month ago
Payment sent.

REvil 1 month ago
Waiting for 10 confirmations by Monero network

REvil 1 month ago
To use a decryptor run it as administrator and turn off antivirus before.
You can use a decryptor as gui application or through cmd.

CMD commands:
dec.exe -full
dec.exe -path "C:\folder"
dec.exe -file "C:\folder\file.txt.random_ext"

* decryptor with -full option will decrypt all with default params.

If you use it as gui application, I recommend you choose "create
backups" option. If you use decryptor without this option, you should
not interrupt decryption process, otherwise some files will be
irreversibly damaged.

How it works with "create backups" option:
1. Decryptor looking for encrypted file
2. creating backup of file
3. decrypting file
4. removing the backup
5. looking for a next file and loop repeating.

You can collect list of extensions, input to the textarea above the chat
and click "Download" to generate General decryptor to decrypt files
with these extensions.
But this way is not necessary, because we provide you the universal
decryptor. It just works a little slower but you don't need to collect
anything, just download it and use on any system with admin rights,
DOWNLOAD:

Victim 1 month ago
Hi guys, thanks for reciprocating with decryptor. During our talks, you
told me that in case of ransom payment you would have given my client a
short report on how my client was hacked. Can you please provide such
short report? My client is very interested about it and I think that
after the successful transaction he deserves to know the entry point and
how you gained privileged access to the network. Thanks for
cooperation!

Victim 1 month ago
hello?

REvil 1 month ago
Hi. We find a login to https://remote.[redacted].com

REvil 1 month ago
After that we made a kerberoasting attack and decrypt admin hash "12qwer34". That's all.

REvil 1 month ago
you need to use any 2fa solution for your citrix server.

Victim 1 month ago
Thank you guys. One last question, did you guys buy the citrix server
credentials on the dark web? Or did you obtain the credentials in
another way? You know, it is important for my client to understand in
order to prevent future attacks from other ransomware gangs.

REvil 1 month ago
Yes. We buy it. One of your client's employees was infected, but not by us.

REvil 1 month ago
That's why I said to you that your client needs to use 2fa on citrix server.

Victim 1 month ago
Thanks. Since you guys have been so available to answer my question,
can you please tell me which is the account whose credentials you have
purchased? It is very important for my client to ascertain
responsibilities of the security incident

REvil 1 month ago
Sorry. I can't give you that information.

Victim 7 days ago
Hello guys, sorry to bother you. But since the chat is still open I
need one more info from you. It's very important for my client to get
the full file tree and the list of the files you have exfiltrated, as
well as the logs of the delete operations of such files. Can you help
me?

REvil 7 days ago
Hello. We don't store even list of files of companies which paid, and as log file too

Author

sdgadmin@tux.ovh