Negotiation chat with different groups

BlackMatter 07 Sep, 00:44 AM [NY time]
Hello and welcome to BlackMatter. How may I help you?

Victim 10 Sep, 04:46 AM [NY time]
Hello

Victim 10 Sep, 04:46 AM [NY time]
I need help with decrypt my data

BlackMatter 10 Sep, 04:57 AM [NY time]
To decrypt your files you have to purchase the decryption software. It costs $15m for you.

Victim 10 Sep, 05:20 AM [NY time]
This is too high a price. Give me proof that the price is adequate for the data you have.

BlackMatter 10 Sep, 07:13 AM [NY time]
First of all, can you introduce yourself, state the company name and your position in it.

Victim 10 Sep, 07:25 AM [NY time]
I am a spokesperson for the company and I will sell the information to my customer. Because this is not secure communication, I do not want to state the name of the company and I assume that we will delete this chat after the meeting.

Victim 10 Sep, 07:26 AM [NY time]
I am authorized to communicate with you on behalf of the company and to establish conditions that will be acceptable to both parties.

Victim 10 Sep, 07:29 AM [NY time]
First of all, I would be happy if we set a price that is negotiable. Next, it would be good to submit information about the data you have in your possession so that we can consider paying the ransom and start negotiating the price.

BlackMatter 10 Sep, 07:29 AM [NY time]
We have the doubts you are from company we need the proofs that you are from there.

BlackMatter 10 Sep, 07:30 AM [NY time]
So how can you prove it?

Victim 10 Sep, 07:33 AM [NY time]
I can't prove it. We're gonna have to trust each other.

Victim 10 Sep, 07:36 AM [NY time]
If you want to pay, then this is the only way to come to an agreement. So that emotions are not used in the negotiations, I am here as an intermediary. My client doesn't want to negotiate, even though it seems to be the only option. Although they have backups, but the restoration will take some time, so I would like to negotiate an adequate price.

BlackMatter 10 Sep, 07:35 AM [NY time]
You can't prove it because you don't know it. This is just confirmed our doubts have a nice day.

Victim 10 Sep, 07:37 AM [NY time]
We are a protected society and I cannot afford to openly write who it is. I only know the owner of the company who owns several companies.

Victim 10 Sep, 07:43 AM [NY time]
If you do not want to cooperate, then I will pass this information on to the customer and the media to make it obvious that BlackMatter are a group of crooks.

BlackMatter 10 Sep, 07:43 AM [NY time]
This is ridiculous, you can prove it in hundreds different ways, without compromising so called “privacy”.

Victim 10 Sep, 07:46 AM [NY time]
Give an example. I only know the owners of the companies.

BlackMatter 10 Sep, 07:46 AM [NY time]
To start a cooperation, we have to know with whom we are dealing and you failing it. So far you looks as some boring guy who got a sample from virus total and obtained the chat link.

Victim 10 Sep, 07:48 AM [NY time]
They found this file in their system and that's why I came to your page C:\[redacted].README.txt

BlackMatter 10 Sep, 07:49 AM [NY time]
You can upload the company’s letterhead, you can tell to us domain controllers name, name of backing up software it is just a few)

Victim 10 Sep, 07:50 AM [NY time]
Actually I don't have much time to deal with authorization. I want to help the customer and negotiate the terms of cooperation. Just because anyone can watch this chat, I don't want to share any information and prove that I am who I am. Do you want to negotiate the price?

BlackMatter 10 Sep, 07:52 AM [NY time]
So far it looks as your main objective is to f*ck with us)

Victim 10 Sep, 07:52 AM [NY time]
The environment is isolated and analyzed by the forensics team and the police. I can't interfere with the investigation, and all the documentation has been encrypted, as the customer told me.

Victim 10 Sep, 07:53 AM [NY time]
I certainly don't feel like fucking with you. I want to talk and get this thing resolved as soon as possible.

BlackMatter 10 Sep, 07:53 AM [NY time]
Here we go again, to negotiate with whom with some random Joe?

BlackMatter 10 Sep, 07:54 AM [NY time]
Ok, this is simple prove you are from company or just go grab another sample from VT.

Victim 10 Sep, 07:55 AM [NY time]
Yes, let's talk about price and what you get for our data. Then we can discuss the price of the decryptor.

Victim 10 Sep, 07:56 AM [NY time]
What is VT?

BlackMatter 10 Sep, 07:56 AM [NY time]
Oh [redacted] you so clever) virustotal.com

Victim 10 Sep, 07:59 AM [NY time]
Oh, I see. So how do we do it?

BlackMatter 10 Sep, 07:59 AM [NY time]
You have the options
1. Internal windows domain name.
2. Domain administrators name.
3. Backup software name.
This information aren’t locked by encrypting software or police)

Victim 10 Sep, 08:04 AM [NY time]
1) [redacted]

Victim 10 Sep, 08:04 AM [NY time]
2) administrator

BlackMatter 10 Sep, 08:06 AM [NY time]
2) administrator
this is too generic give us another one

Victim 10 Sep, 08:08 AM [NY time]
[redacted]

BlackMatter 10 Sep, 08:12 AM [NY time]
Ok, John thank you. So you see the price, you need to pay it.

Victim 10 Sep, 08:16 AM [NY time]
Are we really not? This bill was sent to me by their owner. I'm gonna look like a fool if we don't agree on a price.

BlackMatter 10 Sep, 08:19 AM [NY time]
Your English is too sophisticated for me, can you try again)

Victim 10 Sep, 08:22 AM [NY time]
Are we really not? This account was sent by their owner. If we don't make a deal, I'm gonna look like an idiot.

Victim 10 Sep, 08:23 AM [NY time]
I don't speak English, so I translate automatically.

BlackMatter 10 Sep, 08:31 AM [NY time]
You see the demanded price. If you’ll pay it you will get.
1. The decrypting tools.
2. Your data back (we took 1.5TB, PII, NDA, emails, MSSQL databases)
3. A file tree.
4. Explanation how the company was breached.

Victim 10 Sep, 08:40 AM [NY time]
The price is not adequate. Give me a price I can pass on to the owner of the company.

BlackMatter 10 Sep, 08:46 AM [NY time]
We have no idea what a price is adequate for you. We can make 10% discount for fast payment and remove 25% BTC transaction fee. Make the offer. But to make it simple we will not consider the offer less than 7-figure number.

Victim 10 Sep, 08:50 AM [NY time]
Our idea was $500,000, but we can negotiate a price of $1,000,000. Give us proof that there is information sensitive enough to be of such value.

BlackMatter 10 Sep, 08:53 AM [NY time]
Do you want me upload a sample with office documents? The emails and sqls are too big but we have them all.)

BlackMatter 10 Sep, 08:55 AM [NY time]
One more detail we know the company doesn't have the backups. Rubrik is gone)

Victim 10 Sep, 09:03 AM [NY time]
We have offline backups. Ok show me the office document and a screenshot of the database.

Victim 10 Sep, 09:04 AM [NY time]
Do you also have the passwords of the domain users? Give me a screenshot.

BlackMatter 10 Sep, 09:05 AM [NY time]
You have tapes for [redacted] but they are useless without software.

BlackMatter 10 Sep, 09:09 AM [NY time]
This is the screenshot for DA hashes and passwords.
https://ibb.co/[redacted]

Victim 10 Sep, 09:13 AM [NY time]
We have a backup created by other software and transferred to a SAN to a backup data center. Restoration will take a long time, but it is possible. What databases do you have?

BlackMatter 10 Sep, 09:14 AM [NY time]
You can get the sample by following link.
https://privatlab.com/m/v/[redacted]
We will not make DB screenshots too much work.

BlackMatter 10 Sep, 09:17 AM [NY time]
We have dbs from
[redacted]SQL
SQL2014Test
[redacted]SQL1
[redacted]-SQL
[redacted]-SQL

Victim 10 Sep, 09:22 AM [NY time]
Data in databases should be encrypted. Just because you have database servers doesn't mean anything.

BlackMatter 10 Sep, 09:25 AM [NY time]
Should or is? )

Victim 10 Sep, 09:29 AM [NY time]
According to IT, it should be. Let's make a deal like this. If the data in the database is encrypted, we'll pay you $100,000 to decrypt it for us. If the data in the databases is not encrypted, then we'll pay you $700,000. $700,000 is the price we have to invest in recovery, and if the recovery with the decryptor is faster, then we'll save money on service outages.

BlackMatter 10 Sep, 09:42 AM [NY time]
Too complicated, we said what will provide if we’ll agree on price. $700k is unacceptable.

Victim 10 Sep, 09:47 AM [NY time]
Okay, then the price is $1,000,000 if the data is readable.

BlackMatter 10 Sep, 09:54 AM [NY time]
Without any conditions, you are paying for decrypting tools and fast recovery, the data is collateral. You will not recover so easily without decryptor. We can do negotiations pretty long; time is on our side. If you are want to finish this fast make the acceptable offer.

Victim 10 Sep, 09:59 AM [NY time]
The data you hold is worse for us than having to recover it. The data you hold is worth no more than $1,000,000, which is why we are offering this price. We can restore the data from offline backups (we have tested this). A higher price than $1,000,000 is not acceptable to us. If you don't accept this price, then I need to check with the owner of the company what we will do next and if we can offer more money.

BlackMatter 10 Sep, 10:04 AM [NY time]
How you evaluate data’s price can I see a formula?

BlackMatter 10 Sep, 10:12 AM [NY time]
You can do incremental and we can do decremental steps, make the offer that we can turn down. 1 is too far away from 15.

Victim 10 Sep, 10:16 AM [NY time]
We evaluate it subjectively. We have already written to people about PII, so the reputational impact has already occurred. We're gonna put new passwords in Active Directory. Office documents aren't that valuable to us. The only thing of value is the databases.

Victim 10 Sep, 10:18 AM [NY time]
15 is meaningless. I thought 15 was just a number, but not the actual ransom.

BlackMatter 10 Sep, 10:18 AM [NY time]
We just checked the random db, data is fine and not encrypted. Have a look.
https://ibb.co/[redacted]

Victim 10 Sep, 10:20 AM [NY time]
I understand, but for us only the know-how and customer information in the databases is worth anything.

Victim 10 Sep, 10:21 AM [NY time]
I can see it now. Then name a price that makes sense for both sides.

BlackMatter 10 Sep, 10:22 AM [NY time]
Nothing is meaningless, we did a good pentest for your company it has to be rewarded. $1kk is not enough. Do some consultations and come with a better offer.

BlackMatter 10 Sep, 10:24 AM [NY time]
One of your competitors was hit the same yesterday if it helps to your feelings.

BlackMatter 10 Sep, 10:25 AM [NY time]
If you will offer the good price today we can make a decent discount for you.

Victim 10 Sep, 10:57 AM [NY time]
I need to check with the management and the owners. What competitor do you think?

BlackMatter 10 Sep, 11:01 AM [NY time]
By the way they offer much more than you.

Victim 10 Sep, 11:17 AM [NY time]
I guess they don't have backup.

BlackMatter 10 Sep, 11:19 AM [NY time]
You either, you tried to do it on Sunday but you know what has happened.

Victim 10 Sep, 11:23 AM [NY time]
We are restoring. I'm gonna go talk to the management.

BlackMatter 10 Sep, 11:24 AM [NY time]
https://ibb.co/[redacted]

Author

sdgadmin@tux.ovh