Ransomware negotiation(s) with  akira



Avatar

Hello there

Avatar

Anyone there

Avatar

How do we obtain a recovery key?

Avatar

akira_readme.txt // 2.68 KB

Avatar

HELLLOOOO!!!!

Hello. You've reached an Akira support chat. Currently, we are preparing the list of data we took from your network. For now you have to know that dealing with us is the best possible way to settle this quick and cheap. Keep in touch and be patient with us. We will reach out to you soon. Do you have a permission to conduct a negotiation on behalf of your organization? Once we get a response you will be provided with all the details.

Avatar
Avatar

Yes

list.txt // 208 KB

Avatar

These files were taken from your network prior to encryption. You can pick 2-3 random files from the list and we will upload them to this chat as a proof of possession. To prove that we can properly decrypt your data you can upload 2-3 encrypted files to our chat and we will upload decrypted copies back. We're looking through your financial papers to come up with a reasonable demand to you. We offer: 1) full decryption assistance; 2) evidence of data removal; 3) security report on vulnerabilities we found; 4) guarantees not to publish or sell your data; 5) guarantees not to attack you in the future. Let me know whether you're interested in a whole deal or in parts. This will affect the final price.

Avatar
Avatar

Whole data

Avatar

Hello

Avatar

Hello

Avatar

Hello

Avatar

Hello

Avatar

Hello

Avatar

Hello

Wait a bit.

Avatar
Avatar

Hello

So, we've gone through your files to define your financial abilities. We're willing to set a $275,000 price for ALL the services we offer.

Avatar
Avatar

i would like to appeal to you. We are a small company of only 5 employees. We are willing to pay, we just need this to be a resonable amount that we can afford to pay without going bankrupt. Please reconsider and we will like to work with you.

Avatar

We have to pay out of pocket, we do not have any insurance for this.

Show me what do you have now and I'll talk to my team.

Avatar
Avatar

i have 50K i can spend now.

We won't be able to settle this at 50k. I think the best we can offer is a 50k discount but I need to talk to my team. We work with 6 figures only.

Avatar
Avatar

if you can work with 6 figures can you do 100K? i dont have that cash at the moment but i can get a loan. Can we start with a few VMs to prove it works?

$175,000 and we will get this over. We can't go any lower. To prove that we can properly decrypt your data you can upload 2-3 encrypted files up to 10 mb each to our chat and we will upload decrypted copies back.

Avatar
Avatar

please reconsider. can you take 125K? it will be a struggle at that price for us.

Guys, first of all, 100k discount seems huge enough. Secondly, we've set a fair price initially, so you can handle that with no problem. Let 175k be the final number since this way both of us are satisfied.

Avatar
Avatar

how long can you give us to come up with the money?

The discount is available till Saturday.

Avatar
Avatar

can you tell us how we need to go about paying you?

We accept payments in bitcoins. To gain bitcoins you need to go to any exchange platform as binance or coinbase. Here are the guides: https://www.coinbase.com/how-to-buy/bitcoin https://www.binance.com/en/how-to-buy/bitcoin You also can buy bitcoin from any local brokers. If you withdraw funds from your bank account, then you have to inform the bank that you need this money for investment purposes only.

Avatar

Let me know when you are ready and I'll provide our wallet id.

Avatar
Avatar

Hold on. My team is working with the finance department to see what additional funding (if any) we are able to come up with. In the meantime we have some additional questions. Can you provide the following files (below), let us know how much data was taken, and is the file list you provided a full file list? E:\[redacted].pdf E:\[redacted].pdf E:\[redacted].pdf E:\[redacted].pdf E:\[redacted].pdf E:\[redacted]3.pdf E:\[redacted].pdf

This is the complete list. We have about 2gb of data. The files will be provided shortly.

Avatar
Avatar

Our finance department needs additional time to see if they can find additional funding, we will need a few more days. But I will keep you updated as much as possible.

Make everything ready by Tuesday. We'll close the deal.

Avatar

files.rar // 711 KB

Avatar

You can review the files.

Avatar
Avatar

downloading now and will review with my team. can you decrypt these files for me.

Avatar

encrypted.zip // 19 KB

I'll upload them decrypted soon.

Avatar

decrypted.zip // 9.88 KB

Avatar

You can check the files.

Avatar
Avatar

thank you, downloading these now. i will keep you updated.

Avatar

After careful consideration and very extensive discussions, we have reached our maximum budget capacity of $135,000. It's important to understand that this figure already stretches our financial limits well beyond the available funding. The amount we're proposing is a significant six-figure sum that we are paying out of our personal pockets. Please accept! we can make payment immediately. Please recognize our constraints and work with us.

We see your intentions to resolve this so we can accept $150,000 and close the deal. There is a little gap between us and I think there shouldn't be a problem for you. Here is our BTC wallet [redacted]. Let me know how soon can we expect the transfer.

Avatar
Avatar

We appreciate the additional discount. However we explained to you our financial situation and we cannot come up with that amount. I have been authorized to offer you 140k. Any more than that amount will put us out of business. It is still a significant six figure payment to you. Please accept, and let’s both walk away happy.

ok you can send $140k to the same wallet from my previous message. How soon can we expect the transfer?

Avatar
Avatar

Just to confirm we pay you $140,000 to BTC wallet [redacted] today, in return we will receive whole network decryptors, a deleteion log showing you deleted our data from your servers, a security audit report in detail on how you attacked us, a promise to never attack our company again, and the Domain Admin password to our AD environment to begin recovery as it was changed and we cannot login.

We confirm the terms and the wallet id [redacted]

Avatar
Avatar

thank you, we are preparing to send.

Avatar

payment has been sent

Avatar

https://mempool.space/tx/[redacted]

Received. Please wait.

Avatar

unlocker.7z // 1.77 MB

Avatar

unlocker.exe -p="path_to_unlock" unlocker.exe -s="C:\paths.txt" where "paths.txt" is a list of paths for the decryptor, each path on a new line ESXi commands 1) chmod +x unlocker 2) ./unlocker -p="/vmfs/volumes"

Avatar

You will receive the rest within 24 hours.

Avatar
Avatar

can you give us the domain admin password? we are unable to login

Yes. Please wait.

Avatar
Avatar

we are having issues with a large file. it is 5.3tb the error is below

Avatar

file_logger error Open file with share check!

I'll pass this to my team. Pleas wait.

Avatar
Avatar

can you provide the domain admin login

net user [redacted] [redacted] /dom net user [redacted] [redacted] /dom

Avatar
Avatar

thank you. additionally we were able to decrypt the large file without error. when can we expect to receive the remaining deliverables?

You will receive it within next 24 hours. Sorry for delay.

Avatar
Avatar

okay thank you

log_erase [redacted].txt // 2.06 KB

Avatar

Initial access to your network was purchased on the dark web. Then kerberoasting was carried out and we got passwords hashes. Then we just bruted these and got domain admin password. Spending weeks inside of your network we've managed to detect some fails we highly recommend to eliminate: 1. None of your employees should open suspicious emails, suspicious links or download any files, much less run them on their computer. 2. Use strong passwords, change them as often as possible (1-2 times per month at least). Passwords should not match or be repeated on different resources. 3. Install 2FA wherever possible. 4. Use the latest versions of operating systems, as they are less vulnerable to attacks. 5. Update all software versions. 6. Use antivirus solutions and traffic monitoring tools. 7. Create a jump host for your VPN. Use unique credentials on it that differ from domain one. 8. Use backup software with cloud storage which supports a token key. 9. Instruct your employees as often as possible about online safety precautions. The most vulnerable point is the human factor and the irresponsibility of your employees, system administrators, etc. We guarantee that we will not sell or publish your data, keep this conversation private, and delete this chat later. We won't come back for more money after payment and we won't attack you again. We wish you safety, calmness and lots of benefits in the future. Thank you for working with us and your careful attitude to your security.

Avatar

This information is provided by Valéry Marchive & Julien Mousqueton