Chat

Negotiation chat with different groups

Akira

Avaddon

Avos

Babuk

BlackBasta

BlackMatter

Cloak

Conti

Darkside

Dragonforce

  • 058f4b92-ae99-45c7-bf35-5d2d6754b3de – 19 message(s) voir chat
  • 05f724f8-906e-4739-8177-815852cc2c3f – 29 message(s) voir chat
  • 29BBE03074FDBB8D – 10 message(s) voir chat
  • 7A313D13EB6B4E58 – 32 message(s) voir chat
  • 89716D29D2CEE36F – 23 message(s) voir chat
  • AB0404E049514B50 – 28 message(s) voir chat
  • BD004D632D87DBA0 – 25 message(s) voir chat
  • C2A3C7249797F5ED – 66 message(s) voir chat
  • C42CDF65B97D0E92 – 30 message(s) voir chat
  • C7CD31EAAF9DE9AC – 71 message(s) voir chat
  • C8479B30418B331E – 4 message(s) voir chat
  • D6DDD9B26D7D41DB – 14 message(s) voir chat
  • FDA8141B6DD392E3 – 10 message(s) voir chat
  • b8e14e1a-548f-4eec-bd6e-a590126e57c9 – 14 message(s) voir chat

Hive

Hunters International

Mallox

NoEscape

Pear

Qilin

  • 20240429 – 3 message(s) voir chat
  • 20250203 - from @RakeshKrish12 – 36 message(s) voir chat

REvil

RansomHub

Ranzy

RunSomeWares

fog

lockbit3.0

mount-locker

trinity

victim Monday, 29 July 2024 15:37:56
Hi
fog Monday, 29 July 2024 15:40:39
hi
fog Monday, 29 July 2024 15:41:22
I will give you details in a minute
fog Monday, 29 July 2024 15:47:24
[provides a plain TXT files list]
this is what has been taken from your network
victim Monday, 29 July 2024 16:34:00
What are the instruction to restore our data?
victim Monday, 29 July 2024 17:21:31
Hi are you there?
fog Monday, 29 July 2024 17:53:48
I will give you instructions after payment
victim Monday, 29 July 2024 18:11:40
What payment?
fog Monday, 29 July 2024 18:15:24
If you want your data fully decrypted and the files we stole removed from our source, you will have to pay a fee. We will also be able to provide a security report and explain how we did it to get in. I will give you our demand soon.
victim Monday, 29 July 2024 19:59:48
Any news?
fog Monday, 29 July 2024 20:07:44
If you need a proof we indeed possess your data, send me a couple of directories to the files you want to see. To test our tool, send me 3 random encrypted files and we will decrypt them for free. Our demand is $200,000.
victim Tuesday, 30 July 2024 09:53:26
Hello, we don't know how to make the payment or how to facilitate it for you. On the other hand, we are a very small company and cannot afford the payment you are mentioning. What options do we have? And about the three files what is the procedure?
fog Tuesday, 30 July 2024 10:36:45
As for the files, if you need a proof we indeed possess your data, send me a couple of directories to the files you want to see. We can provide you with a $20,000 discount if you pay us this week. The price is fair for your company.
victim Tuesday, 30 July 2024 13:40:45
We are willing to cooperate, but the amount requested is far beyond our capabilities as a small company. We can offer a smaller sum and pay it as soon as possible. Additionally, we need to clearly understand the payment process and the guarantees we have to securely recover our data. Please provide detailed instructions on how to proceed and assure us that we will receive all our data without further issues
fog Tuesday, 30 July 2024 14:16:50
I can't give you an additional discount until I see your number. The price can be increased at any second if you keep haggling like this.
victim Tuesday, 30 July 2024 14:20:59
What number do you mean?
fog Tuesday, 30 July 2024 14:28:00
The number you are ready to pay at the moment.
victim Tuesday, 30 July 2024 14:59:21
We can offer $120,000 and want to be transparent, avoiding a prolonged negotiation. Additionally, we need to understand how to make the payment. We will provide several files for you to decrypt to verify your capabilities.
fog Tuesday, 30 July 2024 15:16:50
$120,000 is not a bad offer but I can't accept this. I also want to avoid a prolonged negotiation, so our final price is $150,000. You have 2 days to gather the rest $30k and we will be done with it. I will give you our wallet for payment later.
victim Tuesday, 30 July 2024 16:03:24
We are agreeable to proceeding with the following conditions: First, we will provide several encrypted files for you to decrypt as proof of your decryption capabilities. Following this, we will make an initial payment of $120,000 in exchange for the instructions and necessary tools to decrypt the rest of our systems. Once we have successfully recovered our data, we will make a final payment of $30,000. In return, we expect a report detailing how the attack was carried out and confirmation that all our data has been removed from your possession and any related systems
victim Tuesday, 30 July 2024 16:04:57
[provides a zip archive of encrypted files]
fog Tuesday, 30 July 2024 16:35:49
tell is there the file named "auth.log.fog.savepoint" somewhere near the file "auth.log.fog"?
victim Tuesday, 30 July 2024 17:04:09
We couldn't find the file you mentioned, could you tell us where this file should be located and what it contains?
fog Tuesday, 30 July 2024 17:39:30
it should be in the same directory with the file auth.log.fog that your gave me
victim Tuesday, 30 July 2024 17:40:44
Isn't in this directory
fog Admin 19:02:03
[provides 2 decrypted files]
I will give you everything right away when I received the full 150k payment. Let's resolve the issue quickly.
fog Admin 19:03:52
[redacted] this is id for payment
victim Admin 19:09:35
We understand your position, but we must adhere to our agreed-upon model. We need to follow the steps we outlined previously: first providing a portion of the payment, receiving the necessary decryption instructions, and then completing the full payment upon confirmation. Additionally, specify which cryptocurrency it is for the payment.
fog Admin 19:27:14
We work with bitcoins. We cannot violate our policy, which means we cannot accept fractional payments.
victim Admin 20:32:49
Once the payment is made, how does the decryption process work? What guarantees do we have that all our data will be fully recovered and secured? We also want to understand what you will provide to us after the payment. Please understand that we are concerned due to our lack of experience with situations like this and need reassurance that everything will be resolved properly.
fog Admin 20:48:18
Once the payment is made, you will get the .exe files that you will need to run on your systems (win or esxi) to decrypt your files. We guarantee that you will be able to recover all the encrypted data. We will give you a deletion log file which means the files we stole .were removed from our source.
victim Admin 21:08:16
We need to finalize the financial and legal aspects on our end before proceeding with the payment. Once everything is ready and the payment is made, we will notify you immediately.
fog Admin 21:14:23
Standing by, thanks.
victim Wednesday, 31 July 2024 08:08:12
We are currently reviewing the payment method, and since we are not familiar with this process, we are unsure how to proceed. Could you explain how this is typically done and which services are usually used? We want to ensure that everything is handled correctly.
fog Wednesday, 31 July 2024 09:34:36
see the link https://www.csoonline.com/article/570047/how-to-buy-bitcoin-for-ransomware-payment-if-you-must.html
victim Wednesday, 31 July 2024 09:54:27
Thanks ,we are checking, but the registration process and validation will take some time.
fog Wednesday, 31 July 2024 10:38:24
sure
fog Wednesday, 31 July 2024 14:10:07
How's your progress with that?
victim Wednesday, 31 July 2024 14:39:30
The cryptocurrency purchase platform needs to verify the user, and this won't be completed until tomorrow. The process is turning out to be quite long and complex for us.
fog Wednesday, 31 July 2024 14:52:24
tell me when you have updates
victim Wednesday, 31 July 2024 15:21:43
Sure
victim Thursday, 01 August 2024 09:37:55
We have conducted an initial test to verify that the process we're following is correct. Could you confirm that you have received the first transfer of $5? Meanwhile, we are in the process of acquiring the total amount of cryptocurrency needed for the full payment, but it is taking some time.
fog Thursday, 01 August 2024 10:00:09
I received 0.000082
victim Thursday, 01 August 2024 10:29:02
Okay, we are in the process of obtaining the full amount. Once we have it, we will proceed with the transfer.
victim Thursday, 01 August 2024 10:29:43
Once the payment is received, what are the next steps?
fog Thursday, 01 August 2024 10:43:53
I will give you the decrypter after I see the money in the wallet
fog Thursday, 01 August 2024 10:44:05
and instructions of course
victim Thursday, 01 August 2024 17:18:25
We are gathering the payment in the exchange, but we need to proceed gradually with the euro money transfers to the wallet. I believe we can have it ready in less than 48 hours. Maybe in 24 hours. I'll keep you informed.
victim Thursday, 01 August 2024 17:20:04
From the moment we make the payment transfer, how long will it take you to send me the decryptors for Windows files and virtual machines? Will you send them here, or should I give you an email?
fog Thursday, 01 August 2024 19:20:05
I will send the decrypters via this chat after full sum received
victim Friday, 02 August 2024 12:29:16
Hi, I already have the funds available. I'm going to make a small test transfer from this wallet, and then the rest will be ok?
fog Friday, 02 August 2024 12:43:01
Sure. But you have already sent a test amount of 0.000082 BTC. Anyway, you can send another one.
victim Friday, 02 August 2024 14:14:33
Please give me 3 hours and we will proceed. I write to you here. Thank you.
fog Friday, 02 August 2024 14:36:49
Standing by.
victim Friday, 02 August 2024 15:48:05
Hi, we just did the test transfer. Please tell me everything is ok.
victim Friday, 02 August 2024 15:48:29
When you verify it we make the final large transfer.
fog Friday, 02 August 2024 15:59:04
I see 0.003 confirming
victim Friday, 02 August 2024 15:59:37
ok Sr.
victim Friday, 02 August 2024 16:00:15
We proceed to make the payment. Can you confirm that I will have the decrypters instantly please?
victim Friday, 02 August 2024 16:18:32
You're online?
fog Friday, 02 August 2024 16:19:23
I can confirm
victim Friday, 02 August 2024 16:19:47
ok, thanks. wait a minute please
fog Friday, 02 August 2024 16:20:01
ok
victim Friday, 02 August 2024 16:21:36
we are working on it, give me just 2 minutes. please prepare the decrypters to send me.
fog Friday, 02 August 2024 16:22:13
preparing
victim Friday, 02 August 2024 16:26:27
it's OK.
victim Friday, 02 August 2024 16:26:34
Transfer OK.
victim Friday, 02 August 2024 16:29:42
It has arrived, can you confirm it for me?
fog Friday, 02 August 2024 16:30:49
confirming
victim Friday, 02 August 2024 16:30:57
Thanks!
fog Friday, 02 August 2024 16:31:01
give me a minute
victim Friday, 02 August 2024 16:31:15
ok, sr.
fog Friday, 02 August 2024 16:44:47
Esxi

chmod +x unlocker
./unlocker --id [redacted] --log --target "/vmfs/volumes/"

Windows
unlocker.exe -nomutex -console -target \\SERVER\C$
unlocker.exe -nomutex -console -target C:\
fog Friday, 02 August 2024 16:45:06
[provides a zip file with the decryptor]
victim Friday, 02 August 2024 16:48:51
OK, we'll try it out and I'll write to you if there are any questions or problems. Thanks.
fog Friday, 02 August 2024 17:14:35
ok I am here
victim Admin 18:45:50
[provides a PNG file]
It gives us an error with the ESXI, I attach an image
victim Admin 19:03:42
maybe too many files on the machine?
fog Admin 19:14:23
specify one vm in directory of decrypter
victim Admin 23:08:27
we are having some problems. I leave you screenshots:[provides 2 PNG files]
victim Admin 23:11:35
I am attaching the files that we cannot decrypt. Let's see if you can help us since they are very important to be able to operate:[provides 3 TXT files]
victim Admin 23:13:47
We have carried out the test of specifying a machine instead of a folder and it does not give an error, but it does not decrypt either.
victim Admin 23:14:03
It is a very serious problem for us. Please, help.
victim Saturday, 03 August 2024 06:42:29
For example, these files are impossible to decrypt (and they are small):[provides 8 .FOG files]
fog Saturday, 03 August 2024 08:12:52
my team is working on it
fog Saturday, 03 August 2024 09:05:55
how many vms did you already fix and run?
victim Saturday, 03 August 2024 10:08:09
We are very concerned because those machines are the SAP and two other environments we use to operate the business. Without these environments, we cannot function. Let me tell you which machines they are:
victim Saturday, 03 August 2024 10:08:36
1 - [redacted]-flat.vmdk
1 - [redacted].vmdk
0 - [redacted]-flat.vmdk
0 - [redacted]-flat.vmdk
[redacted]-flat.vmdk
[redacted]-flat.vmdk
0 - [redacted]-flat.vmdk
0 - [redacted].vmdk
[redacted]-flat.vmdk
[redacted]-ctk.vmdk
victim Saturday, 03 August 2024 10:08:57
And swap files:

vmx-[redacted].vswp
vmx-0 - [redacted].vswp
vmx-[redacted].vswp
vmx-[redacted].vswp
[redacted].vswp
victim Saturday, 03 August 2024 10:09:22
And .vmsd file:

0 - [redacted].vmsd
victim Saturday, 03 August 2024 10:10:06
And also many other files in .log format that are secondary and not needed to start the machines.
victim Saturday, 03 August 2024 10:10:45
How can we solve this? Do you need me to share more files that we cannot decrypt?
victim Saturday, 03 August 2024 10:11:10
I have shared some small files above that cannot be decrypted.
victim Saturday, 03 August 2024 10:12:03
All the files we cannot decrypt are these (I already listed them above, but here they are again for your reference):
victim Saturday, 03 August 2024 10:14:42
This is very urgent because we cannot operate the business without it. We have tried everything possible. We have tried decrypting locally, on other machines, specifying directory paths, and the final paths of the machines.
fog Saturday, 03 August 2024 10:51:40
there are some options for solving this
fog Saturday, 03 August 2024 10:52:59
start decryption of the following folders using --threads 16
/vmfs/volumes/[redacted]/
/vmfs/volumes/[redacted]/
/vmfs/volumes/[redacted]/
/vmfs/volumes/[redacted]/
/vmfs/volumes/[redacted]/
fog Saturday, 03 August 2024 11:02:31
when you have 'error open file' try to recheck permissions of a file copying it to another folder because permissions could change. use the command ls -la. Example: -rw-r--r-- 1 root root 8024 Aug
Decrypter should be run as host
file permissions -rw
If host and permission don't match, then change host using 'chown' or change permissions using 'chmod'
fog Saturday, 03 August 2024 11:03:33
Or another options is to try replace a file to another folder an run decrypter to decrypt exactly this one file
victim Saturday, 03 August 2024 11:06:17
ok let's try it.
victim Saturday, 03 August 2024 11:26:12
Using -- threads 16 and other parameters that we have tried does not work, I attach an image:[provides a PNG file]
victim Saturday, 03 August 2024 11:26:43
Let's test the permissions issue of the second option. However, we run it as root.
victim Saturday, 03 August 2024 11:27:03
We tried the third option yesterday and this morning and it doesn't work for us.
victim Saturday, 03 August 2024 11:27:14
Now I'll tell you about the issue of permissions.
victim Saturday, 03 August 2024 12:21:04
None of the options work.
victim Saturday, 03 August 2024 12:21:33
Without these files we cannot operate, they are the core of the organization.
victim Saturday, 03 August 2024 12:22:30
Do you want me to upload virtual machines to the cloud, or give you access to a system?
victim Saturday, 03 August 2024 12:22:46
please help
fog Saturday, 03 August 2024 13:10:04
my team is working on the trouble
fog Saturday, 03 August 2024 13:52:08
Upload to the cloud we will fix the file
victim Saturday, 03 August 2024 13:58:04
OK sr. Thanks!!!![provides a .vswp.fog file]
victim Saturday, 03 August 2024 17:52:52
I'm sending you this small file so that your team can analyze why the decrypter doesn't decrypt. We followed all your instructions. Let's see if you can try it in your environment. It's 83Mb of file so you don't have to pass anything bigger that is difficult to handle.
victim Saturday, 03 August 2024 18:19:43
[provides a JPG file]
In this image more information with the permissions:[provides another JPG file]
fog Saturday, 03 August 2024 18:43:48
ok
fog Saturday, 03 August 2024 18:43:53
wait
victim Saturday, 03 August 2024 18:45:15
Thanks!!!!
fog Saturday, 03 August 2024 18:59:50
I will have news for you most likely on Sunday
victim Saturday, 03 August 2024 19:08:42
OK, thank you very much for your attention. We will be waiting for your news.
fog Saturday, 03 August 2024 22:02:43
send me vmdk or vmdk-flat file
victim Saturday, 03 August 2024 22:15:08
In a few hours you will have the files in a repository. Does that seem okay to you? This way we will not be able to share so many gigabytes. Thank you very much, without these virtual machines our entire company cannot work. It is the core of the business.
victim Saturday, 03 August 2024 22:15:21
Thank you very much
victim Sunday, 04 August 2024 11:30:20
We almost have a machine uploaded to the cloud to share the link with you. We have uploaded a "small" 1.2Gb file of those that also cause problems and are on critical routes for us:
victim Sunday, 04 August 2024 11:30:27
https://[redacted].log.fog
victim Sunday, 04 August 2024 11:30:56
Give me a few minutes and I'll send you the link for the vdmk machine
victim Sunday, 04 August 2024 11:31:36
Thank you for your help. Without these operational vdmk machines our company would go bankrupt.
victim Sunday, 04 August 2024 11:38:18
We have the vdmk uploaded to the cloud. I am sending you credentials:
victim Sunday, 04 August 2024 11:38:36
sftp://[redacted].vmdk.fog
victim Sunday, 04 August 2024 11:38:54
Password: [redacted]
victim Sunday, 04 August 2024 11:39:49
We are waiting for your news. With these files and the 83Mb one I sent you earlier that is also causing problems, I think your programmers could see what is wrong with the decrypter.
victim Sunday, 04 August 2024 11:40:24
We are very concerned because all the critical files of vmdk virtual machines are in this situation. (8 machines)
fog Sunday, 04 August 2024 13:08:02
got it
fog Sunday, 04 August 2024 13:08:43
I wait for something from my team
victim Sunday, 04 August 2024 13:37:47
Thanks
victim Sunday, 04 August 2024 17:34:18
Hi, sorry to bother you. I wanted to know if we'll receive any updates today on how to resolve the file decryption issues. We are overwhelmed as we cannot decrypt files like the ones I mentioned in the conversation. Thank you, sorry for the insistence.
victim Sunday, 04 August 2024 17:36:02
Please, if you don't help us, our company will close, and we will lose our jobs.
fog Sunday, 04 August 2024 17:56:36
we will help
fog Sunday, 04 August 2024 17:56:43
wait
victim Sunday, 04 August 2024 18:03:19
Thanks!!!!
victim Sunday, 04 August 2024 22:29:58
Can we turn off the SFTP machine where we have uploaded the .vmdk file?
victim Sunday, 04 August 2024 22:30:35
We can leave it active if necessary.
fog Monday, 05 August 2024 06:33:17
let it be active for some time
victim Monday, 05 August 2024 06:42:52
Ok thanks
fog Monday, 05 August 2024 11:25:13
try to copy a vmdk file to a separate folder and run it after removing extension .fog
victim Monday, 05 August 2024 12:55:22
OK,wait a moment.

Auteur/autrice

sdgadmin@tux.ovh