Ransomware negotiation(s) with
akira
Hello, we are with [redacted], and am writing to understand how we can get our data back please.
Hello we are with [redacted], we are writing you as you asked. How do we go about geting our data back please.
Hello. You've reached an Akira support chat. Currently, we are preparing the list of data we took from your network. For now you have to know that dealing with us is the best possible way to settle this quick and cheap. Keep in touch and be patient with us. We will reach out to you soon.
Do you have a permission to conduct a negotiation on behalf of your organization?
Hi, ok we are waiting to hear back from you. Understanding the data taken is important to us. Yes, I am the negotiator with our firm and will be here on behalf of our bosses. Thank you.
Great. Please wait for the list of data we took. We need a bit time to sort this out.
These files were taken from your network prior to encryption. You can pick 2-3 random files from the list and we will upload them to this chat as a proof of possession. To prove that we can properly decrypt your data you can upload 2-3 encrypted files to our chat and we will upload decrypted copies back.
We're looking through your financial papers to come up with a reasonable demand to you. We offer: 1) full decryption assistance;
2) evidence of data removal;
3) security report on vulnerabilities we found;
4) guarantees not to publish or sell your data;
5) guarantees not to attack you in the future.
Let me know whether you're interested in a whole deal or in parts. This will affect the final price.
Ok, thank you for this. We will go through the list and get you the names of a few files.
We are intertested in the whole deal please. How much of a price are you wanting?
I will let you know shortly. We're analyzing your financial papers to come up with a fair amount.
So, we've gone through your files to define your financial abilities. We've been looking through your bank statements, net income, cyber liability limits, financial audits - all the info that might help us to calculate our demand to you. We're willing to set a $3,500,000 price for ALL the services we offer:
1) full decryption assistance;
2) evidence of data removal;
3) security report on vulnerabilities we found;
4) guarantees not to publish or sell your data;
5) guarantees not to attack you in the future.
Let me know whether you're interested in a whole deal or in parts. This will affect the final price. Atm, we highly recommend that you refer to your cyber insurance to cover our amount quickly minimizing all upcoming risks.
Hello, thank you for this. I am sending all of the above to the bosses.
Can we get these 3 files back please.
2023-01-30 12:21 188495 188495 Shared Data\[redacted].pdf 2023-01-30 12:21 191586 191586 Shared Data\[redacted].pdf 2022-12-12 18:41 20922 20922 Acct HR Contracts\[redacted].docx
Hello. We will provide the files shortly.
[redacted].docx // 20.8 KB
Here are the files. You can share some files for a test decryption.
Thank you for all of this. We are reviewing the listings. Is this all of the data you took? HOw much total? We are also working on getting some files for test decryption and should have them Monday.
We took everything you see in the list. 560GB in total. We are waiting for the files on Monday.
Ok, I will send this to the bosses, thank you.
Standing by. The faster you act, the more loyal my bosses are.
WE are locating the files, hard to find smaller ones. I should have them to you tomorrow.
You need to act a bit promptly. We are waiting for the files.
[redacted].iso.akira // 7.63 MB
Can you please decrypt this. We can try to find more smaller ones if needed.
[redacted].iso // 7.63 MB
Here is the file. Let's move to payment details. Do you need all five options we offer?
At this point we may not need a key at all for our files back. What would the amount be if we do not want our data published?
Options 2-5 will be $1,350,000.
I will relay this to the bosses. Be back in touch.
Speed things up on your part please. We can't drag this out anymore.
We will be seeing what type of funds we can come up with over the next few days, it is a weekend as well so our bank is closed. This is a large amount of money, can you do this for less if we can get the funds over quickly come early next week? Also, as we keep talking, please do not leak our name or data, we are wanting to resolve this too. Thanks.
My management often gives discount to clients who work promptly. If you offer on Monday will be good enough, we will move towards you, I think.
I will let the bosses know, be in touch Monday
Hello. What have you decided?
We are huddling up today to see what we can come up with quickly. Be back in touch after our meetings.
Ok, it seems we will have to post your data.
Hello, sorry for the delay we are trying our best and trying to continue operations. After reviewing the data and where we are at, we can get you quickly, 24 hours, $135,000 USD. Will you accept so we can close this out? Thanks.
Just ridiculous! You can keep your 10%. Your data will be posted this week.
we are offering real money and talking in good faith, if our data/comapny is posted, we cannot. I have let the bosses know your last message, they are huddling back up, we will be back in touch. Please standby
We're standing by for a real money, a real fair offer. Now you're talking nothing, no value for us AT ALL.
For where we are at, what data is in play here, we are willing to come to an agreement for $250,000.00 USD. More than this will require lots of approval. Please let's come to an agreement. Thank you.
I'll pass this to my team.
Well, the leadership is extremely upset by the progress of this negotiations. I'm authorized to negotiate until Friday. So we agree to accept $500,000 if paid by Friday. Any other amounts will be rejected and your data will be published early next week. You have a little time to come up with a decision, because from our side it has already been made and is not subject to revision. Waiting for your reply.
Hello, we have talked to the boses, they will accept your offer. WE have to work on the payment and are hoping it can come by Friday, keep in mind this is new to us and getting the BTC. Where are we to send the money?
I will provide you with a BTC wallet ID in a few minutes.
Here is is please: [redacted]
Please keep in mind that Friday is your deadline. Speed things up on your part and we will get this over.
We are in the works of this. We reach deal with you and in good faith am working on payment. Thank you.
Hello, I will let you know the status tomorrow morning, things are in the works.
The payment should have arrivee. Please verify and let us know when we get our deliverables. Thank you
We have received the payment, thank you. Please wait for all the promised materials within 24 hours.
Hello, when can we expect our end of the agreement please? Thank you.
We will provide in an hour.
Deletion log file.rar // 8.24 MB
Here is the file. Please review.
Ok, thank you for this. How about the security report of how you got in?
Initial access to your network was purchased on the dark web. Then kerberoasting was carried out and we got passwords hashes. Then we just brooted these and got domain admin password. Spending weeks inside of your network we've managed to detect some fails we highly recommend to eliminate: 1. None of your employees should open suspicious emails, suspicious links or download any files, much less run them on their computer.
2. Use strong passwords, change them as often as possible (1-2 times per month at least). Passwords should not match or be repeated on different resources.
3. Install 2FA wherever possible.
4. Use the latest versions of operating systems, as they are less vulnerable to attacks.
5. Update all software versions.
6. Use antivirus solutions and traffic monitoring tools.
7. Create a jump host for your VPN. Use unique credentials on it that differ from domain one.
8. Use backup software with cloud storage which supports a token key.
9. Instruct your employees as often as possible about online safety precautions. The most vulnerable point is the human factor and the irresponsibility of your employees, system administrators, etc. We wish you safety, calmness and lots of benefits in the future. Thank you for working with us and your careful attitude to your security.
Ok, thank you. Do you know the creds you used? Who is the name, what type of system?
I'll try to find out that from my tech team.
Any word back on which credentials were used from dark web?
Unfortunately, we do not have this information since your case was closed.
This information is provided by Valéry Marchive & Julien Mousqueton