Negotiation chat with different groups

Avos
As you are an enterprise client of ours, we will provide you with customer support throughout the process. You may use this chat to get in contact with us.

Victim Fri, 03 Sep 2021 00:30:38 GMT
Hello! You encrypted our files. I do not have any image files that are encrypted; how can I upload a different file type? Can you also tell me what files you take? Can I see some samples and a list?

Avos Fri, 03 Sep 2021 00:31:11 GMT
I'll ask all that to the affiliate in question.

Avos Fri, 03 Sep 2021 00:32:38 GMT
Are we still connected?

Victim Fri, 03 Sep 2021 00:33:06 GMT
Can you increase our clock as long as we are discussing? The clock will run out on the weekend, and even if we agree, we cannot do anything on the weekend because all banks are closed. This is a long weekend (Labor Day) in both the USA and Canada, so no banks until Tuesday next week. Appreciate you working with us to reach an agreement.

Victim Fri, 03 Sep 2021 00:33:21 GMT
the site seems to disconnect me

Avos Fri, 03 Sep 2021 00:34:25 GMT
Disconnect you how?
Yeah, I'll set your deadline on Friday next week.

Victim Fri, 03 Sep 2021 00:34:51 GMT
I tried to enter another message and it did not work; I had to reload the whole page.

Avos Fri, 03 Sep 2021 00:36:06 GMT
Just give it a couple seconds, the website can be slow at times

Avos Fri, 03 Sep 2021 00:37:02 GMT
I can't reach the affiliate responsible for the attack at the moment. I did tell him to provide you with a sample or list of the files exfiltrated. They'll reply here when they're back.

Victim Fri, 03 Sep 2021 00:37:52 GMT
OK friend, I will come back tomorrow; it is very late here too.

Victim Fri, 03 Sep 2021 00:38:15 GMT
Please update the time, because there is no way we can hit the deadline. Thank you.

Avos Fri, 03 Sep 2021 00:38:15 GMT
Sure, good night.

Avos Fri, 03 Sep 2021 00:38:39 GMT
Yeah don't worry about that, your new deadline's set at Friday next week

Victim Fri, 03 Sep 2021 00:39:08 GMT
appreciated. I will remain connected but may not reply.

Avos Fri, 03 Sep 2021 12:45:37 GMT
I can't contact the affiliate in question. They seem to be unavailable at the time. I won't be able to provide you information on the data taken.

I, however, can provide you the decryption keys if you do pay for it.

Victim Fri, 03 Sep 2021 15:16:40 GMT
Hi I tried to upload an image and I am not seeing success in decryption.

Victim Fri, 03 Sep 2021 15:17:26 GMT
I cannot find an image of less than 1 MB to test decryption. What to do?

Avos Fri, 03 Sep 2021 15:17:40 GMT
Are the extensions appended to the encrypted files ".avos2"?

Victim Fri, 03 Sep 2021 15:18:03 GMT
yes

Victim Fri, 03 Sep 2021 15:18:14 GMT
Actually the file is only 111 KB.

Victim Fri, 03 Sep 2021 15:18:39 GMT
Is there an email I can send it to?

Avos Fri, 03 Sep 2021 15:18:49 GMT
Avos2 came out recently and we can't provide test decryptions on our website for it at the moment.

Victim Fri, 03 Sep 2021 15:19:32 GMT
OK, so what do we do here? You cannot contact the affiliate, you cannot decrypt the files. What are we doing?

Avos Fri, 03 Sep 2021 15:19:37 GMT
You can create an archive with couple files and upload them to https://share.riseup.net.

Victim Fri, 03 Sep 2021 15:20:47 GMT
ok please wait

Avos Fri, 03 Sep 2021 15:20:52 GMT
Then I can manually decrypt the files for you.
We can decrypt .avos2, however the website can't at the moment.

Avos Fri, 03 Sep 2021 15:21:57 GMT
This is because both the encryption/decryption are first built and tested in Windows, THEN this encryption algorithm is ported to our web services.

Victim Fri, 03 Sep 2021 15:23:20 GMT
https://share.riseup.net./[redacted]

Victim Fri, 03 Sep 2021 15:23:38 GMT
can you confirm it works?

Avos Fri, 03 Sep 2021 15:24:05 GMT
You are supposed to copy the URL in your browser instead of copying the link from the download button.

Avos Fri, 03 Sep 2021 15:37:01 GMT
Hello? The link doesn't work

Victim Sat, 04 Sep 2021 00:36:24 GMT
ok

Victim Sat, 04 Sep 2021 00:36:39 GMT
did you find the affiliate?

Victim Sat, 04 Sep 2021 00:37:20 GMT
https://share.riseup.net./#[redacted]

Avos Sat, 04 Sep 2021 09:53:46 GMT
Your link doesn't work, again.

Avos Sat, 04 Sep 2021 09:54:08 GMT
Please test and verify that it works BEFORE sending it to me.

Avos Sat, 04 Sep 2021 09:54:28 GMT
https://anonfiles.com/

Victim Sat, 04 Sep 2021 18:01:11 GMT
https://gofile.io/d/[redacted]

Avos Sat, 04 Sep 2021 18:09:27 GMT
Please upload it to one of the websites I've told you to. We can't download from Gofile.

Victim Sun, 05 Sep 2021 16:58:31 GMT
https://anonfiles.com/[redacted]/AVOSLOCKER_-_Sep2021_7z

Avos Mon, 06 Sep 2021 14:15:08 GMT
We've downloaded the data. Please allow us some time to process it

Avos Mon, 06 Sep 2021 14:30:44 GMT
I decrypted the PNG files. https://share.riseup.net/#[redacted]

Avos Tue, 07 Sep 2021 08:44:55 GMT
Hello. We think it's time to finalize your negotiations. Please let us know how you wish to proceed with payment.

Victim Tue, 07 Sep 2021 13:02:11 GMT
I would like to see what files you took

Avos Tue, 07 Sep 2021 13:25:04 GMT
You can see the files in a few days if we have to publish samples on the blog. We will not provide anything else at this stage.

Victim Tue, 07 Sep 2021 13:30:37 GMT
Well, if you prefer to simply be aggressive, we would never be able to reach a level of trust. You are asking for a lot of money; we need to assess what data you took. Show me some list or indication that I can take to management. Goodwill will go a long way.

Victim Tue, 07 Sep 2021 13:31:16 GMT
If you publish, we will disconnect and put the money toward protecting any individuals with credit monitoring. I think working together is preferred.

Avos Tue, 07 Sep 2021 13:32:08 GMT
As staff, we can guarantee that whatever data the affiliate has taken will be erased, and the decryption keys will be delivered.

Avos Tue, 07 Sep 2021 13:33:19 GMT
Your new deadline, that we both agreed on, was set on the 10th, Friday. I'll leave the rest to the affiliate.

Victim Tue, 07 Sep 2021 13:35:06 GMT
Thank you, Staff. But I am just the messenger. My management and board require to understand the extent of the data that was taken, as this may have value that we would want to pay you for if you promise it will be erased. But we would like to get a sense of what data that is; a list would be great.

Avos Tue, 07 Sep 2021 13:36:12 GMT
Those are our terms and we never go against them. You know better than us what data we took. We took it from the servers we encrypted. Anyways, we are away with no access to data storage, so another scenario is not possible. Staff can help to decrypt if you reach an agreement. Data will be erased when we come back.

Avos Tue, 07 Sep 2021 13:38:10 GMT
I can confirm the data in question wasn't downloaded to our storage units but the affiliate's.

Victim Tue, 07 Sep 2021 13:42:12 GMT
It does not give me a good sense of comfort, and I need to convey the status to my management. I cannot understand what data was taken nor where it is located. If the affiliate is the only one with the data and he does not want to prove he has data, how can we possibly establish trust when you attacked us and you refuse to work with me to demonstrate your word is trustworthy? Instead, not only do you attack, but you also just threaten. It is not a good way to establish our relationship.

Avos Tue, 07 Sep 2021 13:44:54 GMT
For now I'd suggest that perhaps your management should appraise the value of the decryption itself.

Victim Wed, 08 Sep 2021 02:19:31 GMT
I understand. I have met with management and we are in a position to offer 50K for the decryption of the files left to decrypt. We also have an issue paying in XMR, as no broker I spoke to is willing to pay XMR; the best we can do is Bitcoin, and we would need a wallet.

Avos Wed, 08 Sep 2021 10:48:51 GMT
Considering the affiliate wasn't able to provide a sample/list, I think we can settle at 150K in Bitcoin.

Victim Wed, 08 Sep 2021 12:27:44 GMT
Hello Staff, you seem like a reasonable team. We would like to come to terms, but we are a small paint distributor; 150K is more than our available cash. We can increase to 75K in BTC by using some credit cards.

Avos Wed, 08 Sep 2021 12:28:42 GMT
What about 100K?

Victim Wed, 08 Sep 2021 12:39:33 GMT
one sec let me check something with accounting

Victim Wed, 08 Sep 2021 12:52:30 GMT
I have a credit line I can increase to 85K. Unfortunately I cannot go any higher; I am tapped out on credit card and credit line at 85K.

Avos Wed, 08 Sep 2021 12:53:21 GMT
Alright that's fair I suppose. Let us know when you have the money in BTC.

Victim Wed, 08 Sep 2021 12:55:40 GMT
I am working through a broker. He said as soon as I transfer the money he can buy and send, but he needs to know the address or wallet to send to.

Avos Wed, 08 Sep 2021 13:00:37 GMT
I'll send that to you in a bit

Avos Wed, 08 Sep 2021 13:01:40 GMT
[redacted]

Avos Wed, 08 Sep 2021 13:02:19 GMT
Do tell your guy to make a test transfer of $10 and get a confirmation from me before he sends the full 85K.

Victim Wed, 08 Sep 2021 19:53:25 GMT
OK, I will tell broker that. good idea

Victim Thu, 09 Sep 2021 03:19:13 GMT
Hello Staff, we are working with the broker to do the bitcoin payment by end of day today, UK time

Victim Thu, 09 Sep 2021 03:23:27 GMT
The broker also advised us to confirm all deal terms with you.
After we pay, please confirm you will:

(1.) immediately provide working decryptor software for all our systems,
(2.) provide detailed decryption process instructions and tech support if we have problems,
(3.) provide detailed proof of our downloaded data - detailed file tree(s) of all data,
(4.) provide confirmation of deletion of all our data - non-recoverable secure deletion with proof / shred log,
(5.) confirm you will never publish any of our data, or our company name,
(6.) agree to never attack us again,
(7.) explain how you got into our network, and
(8.) provide a security report so we can prevent future problems

Please confirm everything, all 8 items, thank you.

Avos Thu, 09 Sep 2021 09:28:55 GMT
I can confirm all but the 3rd, as we don't have access to your data. However I can guarantee an erasure of your data.

Victim Thu, 09 Sep 2021 13:22:07 GMT
Hello Staff, OK, thank you

Victim Thu, 09 Sep 2021 13:22:25 GMT
our broker just sent the test $10, please confirm you received it.

Avos Thu, 09 Sep 2021 13:23:41 GMT
Confirmed. You may continue with the transfer

Victim Thu, 09 Sep 2021 13:36:42 GMT
The broker said they sent the rest. Can you please confirm and provide the decryptor as soon as possible? Thank you.

Avos Thu, 09 Sep 2021 13:41:32 GMT
As soon as it confirms.

Victim Thu, 09 Sep 2021 13:43:29 GMT
what does that mean?

Avos Thu, 09 Sep 2021 13:44:04 GMT
Bitcoin takes some time to receive basically

Victim Thu, 09 Sep 2021 13:45:07 GMT
Ah, OK, it's a Bitcoin thing. Let me know when it's confirmed, thanks.

Avos Thu, 09 Sep 2021 14:54:53 GMT
The payment is confirmed. Thank you for your business. The affiliate should provide the security report.

Avos Thu, 09 Sep 2021 15:04:38 GMT
Defend your credentials from Mimikatz.

Limit administrator privileges to the smallest group possible. Even if you have thousands of user accounts, you should probably only have 2-5 administrator accounts. Start with two accounts and force users to justify any additional accounts added to the administrator group.

The next thing that you should do is upgrade the schema and functional level of your forest and domain to at least 2012 R2. This domain functional level adds a fairly new group called "Protected Users". Along with other protections, the members of the Protected Users group cannot authenticate by using NTLM, Digest Authentication, or CredSSP. These changes provide powerful protections that make Mimikatz almost worthless.

Verify KB2871997 has been installed to apply additional required security. After you install this security update, the default setting for non-protected users on Windows 7 and Windows 8 is to not force clear leaked logon session credentials.

Avos Thu, 09 Sep 2021 15:05:24 GMT
To override this default you can add the following registry DWORD, TokenLeakDetectDelaySecs, and set it to a recommended value of 30 seconds: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\

Stop storing passwords in memory by changing the "UseLogonCredential" registry setting to '0' instead of the default value of "1", and passwords are no longer available to Mimikatz: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest

Start monitoring your systems for unauthorized software and malware, which should help identify Mimikatz installation and activity. You'll have to test these changes to see what breaks, but the idea is to implement some fairly basic changes to protect your network.

In your specific case the critical vulnerability concerned Forti VPN; please update FortiVpn and monitor for updates and Windows updates. Inform your IT staff to remove the possibility of storing user passwords within the network.

Avos Thu, 09 Sep 2021 15:05:52 GMT
Also we recommend you to use SentinelAV and the Datto backup system. Also, Veeam tapes are good, but the PC with Veeam should be in a WORKGROUP and the user should be different from the main domain. Every PC should have AV. Don't leave any PC without AV. Also try to configure 2FA (on all network PCs) when you connect to Remote Desktop. Use a password on the AV. Also a tip for you: if you want to change the Fortigate VPN to another one, we don't recommend you use Sonic VPN or Pulse Secure, because they are under massive hack.

Avos Thu, 09 Sep 2021 15:06:17 GMT
And finally, update your Exchange Server, since it was the main entry point.

Avos Thu, 09 Sep 2021 15:06:45 GMT
As for data, we instructed an erasure and it was confirmed all your data is erased. So you are safe. Thank you for your business.

Victim Thu, 09 Sep 2021 15:54:18 GMT
OK, thank you for all of these items and confirming deletion. I gave the decryptor package to our IT and I will reach out if we have any technical issues. Thank you.

Avos Thu, 09 Sep 2021 17:56:32 GMT
It'd be better for your IT to reach out directly if possible if anything's to occur

Author

sdgadmin@tux.ovh