Chat
Negotiation chat with different groups
Hive 13 November 2021 13:53
Hello and welcome to Hive.
How may I help you?
Victim 13 November 2021 13:54
Hi, decryption key price?
Victim 13 November 2021 13:58
how many files are stolen? and can you share some file names?
Victim 13 November 2021 13:59
maybe no ones here
Hive 13 November 2021 13:59
Hello
Hive 13 November 2021 14:00
To decrypt your files you have to pay $20,000,000 in Bitcoin.
Victim 13 November 2021 14:01
thats way too much, can you please discount
And please share the hash of the ransomware file so we can at least black list it. You have already stolen everything anyway
Hive 13 November 2021 14:03
We don't provide any hashes. Every time the software is unique. There is no need of hashes here. It will not help anyway.
Hive 13 November 2021 14:04
If you want a discount I would like to see for how much
Victim 13 November 2021 14:04
let me talk to the management
Victim 13 November 2021 14:05
share some file names?
Hive 13 November 2021 14:05
I'll share with you later when my teammate will be online.
Victim 13 November 2021 14:05
ok
when should I log back in?
Hive 13 November 2021 14:06
I don't know. Maybe today
Victim 13 November 2021 14:06
ok
Victim 13 November 2021 14:07
please ask him/her to share the file names so I can have them when I login, its not easy to use TOR here
Hive 13 November 2021 14:07
Okay, I'll do my best
Victim 13 November 2021 14:08
thanks
Hive 13 November 2021 16:16
I have uploaded the list of exfiltrated files.
Victim 13 November 2021 18:10
where?
I cant see them
Victim 13 November 2021 18:14
is it like 100G?
Hive 13 November 2021 19:07
It's at the left panel titled Uploaded files
Hive 13 November 2021 19:27
I uploaded a list of files not the files themselves
Victim 14 November 2021 04:38
yes got it, thanks
Victim 14 November 2021 04:38
you can delete it now
Victim 14 November 2021 04:41
Can you please share the hash of the ransomware. So we can just add it to black list and ask the management for money. They are scared that the payload will come back. If you can't I understand but this will make the process easy
Hive 14 November 2021 04:56
We are well-known organization. We honor our agreements. There is no point in the blacklist right now. You need to concentrate on how to collect money.
Hive 14 November 2021 07:19
I have another option for you. You will give me your email address (protonmail is preferred) and I'll send you new credentials to login. Then I'll upload the encryptor to VirusTotal and provide you a link to it. All necessary hashes will be available there.
But to prevent others to login to your customer website you have to get new credentials first.
Victim 14 November 2021 08:58
Here
[redacted]@protonmail.com
Victim 14 November 2021 08:58
just like you wanted ... protonmail
Victim 14 November 2021 08:59
please keep your word, I will login again in a bit or check my email
Victim 14 November 2021 09:38
BTW, the site you guys made is beautiful. Better support than normal companies 🙂
Hive 14 November 2021 09:38
Thank you
Victim 14 November 2021 09:40
did you upload the file?
Victim 14 November 2021 09:40
and why did you change my creds ... are you planning to hack me too ? :(((((
Hive 14 November 2021 09:41
The encryptor didn't uploaded yet, looking for it rn.
Hive 14 November 2021 09:42
What do you mean about creds? From what?
Victim 14 November 2021 09:43
you change the credential to login to this site
Hive 14 November 2021 09:45
It was necessary because whether I upload the encryptor other researchers will be able to login and read your conversation.
Hive 14 November 2021 09:45
It's a potential data leakage so I have prevented it
Victim 14 November 2021 09:46
Thanks
Victim 14 November 2021 09:50
would you share the link here or email?
Hive 14 November 2021 09:50
Here is safe now
Victim 14 November 2021 09:51
ok
Victim 14 November 2021 09:56
why do you prefer protonmail?
Victim 14 November 2021 09:56
is it on tor?
Hive 14 November 2021 09:57
https://www.virustotal.com/gui/file/12baa6c83e6f8b059e7f14cb67bdad4e917b90bc8a139b5379a4b42a0c92a6be?nocache=1
Victim 14 November 2021 09:58
Thanks. I dont have virus total account but at least I got the hash. Really appreciate it
Victim 14 November 2021 10:01
we have mcafee and symantec and nothing prevented this 🙁
Hive 14 November 2021 10:02
Actually I didn't spend too much time to hide it but I will
Hive 14 November 2021 10:02
What a recovery company are you from?
Victim 14 November 2021 10:03
not from company, directly the SOC team
Hive 14 November 2021 10:04
I got it
Victim 14 November 2021 10:04
working with the management to do something
Victim 14 November 2021 10:05
they may hire someone in hope of recovery.
Hive 14 November 2021 10:06
Unfortunately for them there are only two options:
1) start from a scratch
2) purchase the decryption software from us
Victim 14 November 2021 10:07
yes I have provided all the data
Hive 14 November 2021 10:08
Recovery companies no matter what they say can't decrypt.
Victim 14 November 2021 10:08
I understand but in the demo they show us how they can do the magic and impress the management
Victim 14 November 2021 10:09
They told us that they will recover the keys from the memory and then decrypt files? is that possible?
Hive 14 November 2021 10:09
For ESXi servers it's not possible
Victim 14 November 2021 10:11
why not? please educate me so I can understand and tell the management not to waste time. We have way too many vendors here
Hive 14 November 2021 10:12
The encryptor software rewrites the key from memory.
Victim 14 November 2021 10:13
what? 🙁 ... like in simple words please?
Hive 14 November 2021 10:13
Array of bytes in memory where the key resides in rewrites to prevent such operation
Victim 14 November 2021 17:39
Thats awesome. Is this for all servers or only esxi?
Hive 14 November 2021 17:50
For all of course
Victim 14 November 2021 17:53
so if we end-up hiring a company that charges us $400 an hour, its pretty much useless?
Victim 14 November 2021 17:54
BTW, the array of memory that you mentioned, these are the public keys or the private keys?
Hive 14 November 2021 17:57
Encryptor even don't know anything about private keys. It only has public keys. Public keys need to encrypt random field which uses in encryption process.
Hive 14 November 2021 17:59
In my opinion spending money to external IT companies will only waste your valuable time.
Victim 14 November 2021 18:00
Thanks, appreciate it. Its clear to me now
Victim 16 November 2021 06:24
Hey, how much data have you stolen 100Gig?
Victim 16 November 2021 06:25
And the price you provided $20,000,000 is way too much
Victim 16 November 2021 06:25
This is 20 million $?????
Hive 16 November 2021 06:29
Yes, your company has $2B revenue. We usually rate 1% of revenue
Victim 16 November 2021 06:34
🙁
And the total you have stolen in GB?
Victim 16 November 2021 06:36
I am guessing you used the VPN to get on the network. Did you steal the credentials after that? Symantec and McAfee didn't prevent stealing credentials?
Hive 16 November 2021 07:40
We have 32 Gb total.
Almost all AntiViruses are useless against real hackers.
Victim 17 November 2021 05:16
unfortunate but true
Victim 17 November 2021 05:17
For some reason the IT guy told us that they can see certain portion of files and they could be decrypted.
Victim 17 November 2021 05:17
I think you are only encrypting certain portion of files right? they can see the file content in bigger files
Hive 17 November 2021 05:31
There is a spotted encryption mechanism. If you are talking about ESXi files then I don't think they can. Some text files - yes
Victim 17 November 2021 05:35
I mean the big files are not fully encrypted. They are encrypted at the header and then footer I think ... but in the middle one can see the text.
Hive 17 November 2021 07:33
It's true. First 4Kb, the last, and a few blocks in the middle
Victim 17 November 2021 08:34
But this is not true for ESXi files? everything for them is encrypted?
Victim 17 November 2021 08:36
also how efficient is your encryption process? are you faster than lockbit2.0?
Victim 17 November 2021 08:37
we also got one file for lockbit but was protected that was few weeks ago
Hive 17 November 2021 09:36
I didn't compare it with lockbit but my software is quite fast, especially ESXi
Hive 17 November 2021 09:38
How is it going with decision making?
Victim 17 November 2021 09:43
its slow, we provided all the data and making sure they understand the complexity
Victim 17 November 2021 09:44
But for the esxi part, you don't use partial encryption? and everything is encrypted?
Victim 17 November 2021 09:44
not just 4kb header etc
Victim 17 November 2021 10:04
can you please explain 2 things to understand. Explain a bit more on how you re-write the keys in the memory and the efficiency of esxi encryption. That way I can explain to everyone as well, that no hope for recovery
Victim 17 November 2021 10:05
most probably I will ask for discount shortly
Hive 17 November 2021 10:52
It's very simple. ESXi files especially virtual drives are very fragile. Even few changes make them unreadable because it has a binary structure.
ESXi was encrypted using spot method. 4 Kb of beginning of the files, 4 Kb of ending of the file and along file. Totally 100 Kb over the each file is encrypted. It's a quite enough.
Victim 17 November 2021 10:53
cool and the memory re-writing? as I understand you are not creating a new key for each file
Victim 17 November 2021 11:02
The memory overwrite is my last question. So I can make sure the SOC team understands
Hive 17 November 2021 11:11
When encryptor starts it creates a random field which will be used in encryption process. It is static. After encryption process finishes it rewrites to prevent restoration process. RSA keys private and public only use to encrypt/decrypt the random field. Only knowing the field it's possible to decrypt files. Encryptor has only public RSA keys, decryptor - private RSA keys.
Victim 17 November 2021 11:13
by random fields u mean aes?
Hive 17 November 2021 11:13
No, a truly cryptographic random field.
Victim 17 November 2021 11:15
like PRNG or truly random numbers?
Hive 17 November 2021 11:15
Of course not PRNG:)
Victim 17 November 2021 11:15
🙁
Victim 17 November 2021 11:15
can you give me an example
Victim 17 November 2021 11:16
so you have the original private key. The ransomware generates fields that will encrypt files? are these fields used as keys? for aes?
Victim 17 November 2021 11:17
You are one smart guy
Hive 17 November 2021 11:17
Actually I already disclose you a lot of details which was never disclosed to anyone. I think it's enough to make a decision.
Victim 17 November 2021 11:18
Thanks
Hive 17 November 2021 11:18
AES is a cipher, I use a different one - some kind of Vernam's cipher. It's impossible to decrypt without knowing the keys.
Victim 17 November 2021 11:27
that means only one key will be used for all files and then re-written
Victim 17 November 2021 11:27
so no way to get back
Hive 17 November 2021 11:31
In simplified version the key used to encrypt all files. It exports to the disk using a few RSA public keys applied. Then encryption process follows. After that the key rewrites to prevent recovery from memory.
Decryption software has RSA private keys to initially decrypt the exported key.
Victim 17 November 2021 11:40
Whats the BTC address or wallet?
Hive 17 November 2021 11:51
I made an offer at the right panel
Victim 17 November 2021 11:54
you came into the network via global protect. Are you still on the network?
Hive 17 November 2021 11:55
No
Victim 17 November 2021 11:55
you are very honest for a hacker
Hive 17 November 2021 11:56
We are all honest who works at Hive
Victim 17 November 2021 11:57
but they say you hacked hospitals like [redacted] etc
Hive 17 November 2021 11:58
Yes, we attack every targets, we have no limits here. It's not related with honesty
Victim 17 November 2021 11:59
Got it
Victim 20 November 2021 18:07
I think the time is up 🙁
Hive 20 November 2021 19:58
Don't worry you have time. Tell me how is it going with upper management please
Victim 24 November 2021 04:57
working on it, tough situation
Hive 29 November 2021 07:02
Hi, how is it going?
Victim 3 December 2021 15:53
good thanks
Victim 3 December 2021 15:56
how r u
Hive 3 December 2021 16:17
I'm good too. I just wanted to know to what direction your company inclined right now.
By the way, what about a recovery process from memory from recovery company you told earlier?
Victim 5 December 2021 05:26
They think the recovery is possible
Victim 5 December 2021 05:26
also backup etc
Hive 5 December 2021 06:06
Let's play with the price. I think both your management and our side want to resolve this as quick as possible
Victim 6 December 2021 08:57
Whats the best price?
Victim 6 December 2021 08:58
I am not sure if 333 is even remotely possible
Victim 6 December 2021 08:58
They won't even consider 80 a possibility
Hive 6 December 2021 11:01
I can offer you $3,000,000 in Bitcoin.
Author
sdgadmin@tux.ovh