Negotiation Chat – BlackBasta
Chat ID: 20221229
Our managers just told me they are meeting about this situation and how to pay you. They are asking if you can give us a list of the data you took. Can you please give a list of the files you downloaded?
17:29
Sure, wait please.
17:32
Download file: [redacted].zip
17:39
This is the full list of your taken data. You can choose any 3 file names from list and I will send them to you, like a proof. But these files must not contain the important information.
17:41
Thank you very much!
14:49
We wait your files.
14:52
Here are the three files:
12:38
Company/_SALES AND MARKETING/1_Client Services/1_Account Management/[redacted]/2020/[redacted] Data Transfer Agreement [redacted] - signed.pdf
HR/Employee Files/Current Employees/[redacted]/[redacted] SIGNED.pdf
Company/_SALES AND MARKETING/1_Client Services/Contracts/[redacted] Contract/[redacted] partner agreement.pdf
12:38
OK, wait please.
05:10
Download file: [redacted].zip
05:15
These are your requested files.
05:15
Thank you. I will give these files to my manager.
10:48
We'll be in touch.
10:49
They asked me today if you will give us some kind of proof when you delete the files? Also, they asked what is the method to pay you? Is it wire transfer? They will have a meeting tomorrow with the executives, so they are asking these questions. Thank you.
23:19
After deleting files, we will send you a full deletion log. As for the payment, - we accept the payment in cryptocurrency bitcoin.
03:24
Okay, thank you. They have another question about the payment. When you said $700,000, did you mean Canadian dollars? They just want to be sure since our company in in Canada, not in the USA.
16:42
No, we mean US Dollars.
16:45
Okay. Our executives have analyzed everything with the information you provided. They told me to tell you that they can agree to pay $250,000 US dollars within 24 hours if you can accept that amount.
04:57
No, we don't agree. Our price is $700,000 ,but we can give you 20% discount if you pay during 48 hours. If you don't pay for this time, then the price will become initial.
05:44
Hello. Our company leadership has been working to meet your demand. We are now able to pay you $500,000 US dollars, but we have to pay a lot of money for the conversion from Canadian dollars to US dollars. We also checked on how to send the payment and we have to pay a large fee for sending the bitcoin.
00:34
Can you please accept the payment as $500,000 US dollars? That way, we still have some money to pay the fees for conversion and for the bitcoin? Thank you.
00:36
Also, if you accept this, please send us the wallet address for the bitcoin payment. We already have the company to send the payment but they asked us for the bitcoin address. Thank you.
01:52
OK, we agree. After payment:
1. You receive decryptors.
2. Your page will be totally deleted from the blog.
3. ALL your data will be deleted and you will receive the full deletion log.
4. You will get penetration report and recommendations how to avoid such the situations in the future.
5. You receive the guarantee that BB or anyone of our team will not NEVER attack you again.
Our BTC wallet: [redacted]
06:48
Okay, thank you! We will work to send the payment quickly today.
11:10
We'll be in touch.
11:11
Hello. We have everything ready to send the payment to you now, but our executives would like to send a small payment first so you can verify that you received it. Then, we can send the rest. They are just nervous about using bitcoin for the first time.
22:53
is it okay to send you the small payment first and then send the rest right after you tell us you received it?
22:54
also, please verify the wallet address again as: [redacted]
23:16
Just a minute
00:45
We confirm this address [redacted]
00:46
We are waiting your test payment
00:56
thank you. will we be able to send the second payment to the same address? I mean both payments will go to the same wallet?
01:10
Yes
01:11
thanks.
01:12
The company doing the payment for us just told me they are sending 0.43 BTC now as the test payment.
01:19
Please confirm when you receive it.
01:24
Confirm 0.43000000 BTC
01:34
thank you.
01:38
Payment received.
Your blog was deleted. Now your data is wiping.
03:06
Download file: [redacted].rar
03:23
This is log of deletion all your taken data.
03:24
Security report and recommendation:
Your network has been compromised by mailing of messages to the emails with malicious attachments.
One of the users launched malware.
To avoid this in the future, give you recommendations of network protection:
1. Use sandbox to analyze the contents of letters and their attachments.
2. Use the password security policies
3. Make protection from attack like a Pass-the-Hash and Pass-the-ticket attack
4. Update all OS and software to the latest versions, especially Microsoft Defender Antivirus.
5. Implement the hardware firewalls with filtering policies, modern DLP and IDS, SIEM systems.
6. Block kerberoasting attacks
7. Conduct full penetrations tests and audit
8. Use and update Anti-virus/anti-malware and malicious traffic detection software
9. Configure group policies, disable the default administrators accounts, create new accounts.
10. Backups. You must have offline backups, does not have access to the network.
03:24
thank you for the fast response. when can we get the decryptor?
03:33
Very soon.
03:33
Now is preparing decryption tools.
03:34
thank you
03:34
Download file: [redacted].exe
06:53
How to decrypt windows?
1. Drop executable to any folder.
2. Start new terminal session with administrator rights. (run cmd.exe or powershell.exe with admin rights)
3.1. In cmd.exe type full path to the executable file and press Enter.
3.2. In powershell.exe type: "& c:\full\path\to\executable.exe" without quotes and press Enter.
OR
1. Drop file.
2. Click right mouse button on the file and press run as admin.
(!) IMPORTANT
1. Yoy can decrypt only 1 folder (test decrypt for example)
decrypt.exe -forcepath c:\users\1\Desktop\folder
2. DO NOT CLOSE decryptor yourself
OR
1. Drop file.
2. Click right mouse button on the file and press run as admin.
(!!!!!!!) IMPORTANT
1. You can decrypt only 1 folder (test decrypt for example)
decrypt.exe -forcepath c:\users\1\Desktop\folder
2. DO NOT CLOSE decryptor yourself.
06:54
thank you
12:20
Thank you. the decryption is working on our test files. Is it possible for you to tell us which employee opened the attachment file in the email? either the employee name or the name of the computer? That would help us very much. Thank you again.
16:39