you have 110GB of our data? what data is it?
14:58
Wait please, we'll send you the list of your taken data.
15:49
Download file: [redacted].rar
16:01
You can choose any 5 file names from this list and we will send them to you, like a proof.
16:02
ok thank you we will take a look
14:04
does this list represent all of the data you took?
15:00
Yes, this is full list.
15:08
Here are the files that leadership has requested: Paperless\EMAILS 2020-2022\[redacted].msg
Vol4\[redacted].docx
Vol4\[redacted].pdf
Vol4\[redacted].pdf
Vol4\USER\[redacted].doc
14:14
Download file: [redacted].rar
14:27
These are requested files.
14:27
Ok. We are having internet issues. Everyone is working from different locations. I will give these to leadership to review. No one will be back until Monday. I will write you then
13:41
Understood. Wait you on Monday.
13:43
How do we know that your decryptor will work for our systems?
13:18
You can send some encrypted files, we decrypt them and send back to you. But these files must be unimportant.
14:14
Ok, I will have leadership choose some files.
16:37
Download file: [redacted].jpg
14:17
Download file: [redacted].doc
14:17
Here are two files that leadership chose.
14:18
Download file: [redacted].jpg
14:31
Download file: [redacted].doc
14:31
Ok, I will show these to leadership and will be back in touch with you
14:55
My leadership has a meeting scheduled with the board on Monday afternoon. Before that meeting, is there any cost breaks that you could provide us? This event has had a significant impact on our company.
13:46
10% discount for you and we close the deal.
15:09
Ok, I will provide this to my leaders and I will be back in touch on Monday afternoon.
13:53
Okay, we'll be in touch.
15:39
Our leadership wants this to come to an end for both of us so we can get back to normality. They would like to offer $39,250 with all fees included. This would include the decryptor with any assistance we may need with it, proof that all our data has been removed from your systems and deleted with the promise not to ask for any additional money for anything after payment is received, a detailed explanation on how you got into our systems, and the promise to never attack us again. Please accept this offer so we can move on.
20:33
Are you seriously? This is an unacceptable offer. We will not even turn our heads in your direction for such a meager amount. Increase it.
20:36
We also want to remind you that you have a lot of critical data, a lot of personal data of your employees and customers, copies of passports and driver's license ([redacted], [redacted], [redacted], [redacted], [redacted] and many others), their SSN, DOB, addresses and phone numbers, your NDA, confidential agreements, financial documents and other documents can be used for bad purposes, loans, etc. Darknet users know how to do this. Therefore, we suggest you to think better and make the worthy offer.
16:36
What is meager to you, is not to us. Since this event we are struggling to get operational and have experienced tremendous losses. Leadership is prepared to offer $44,990 with all fees included. This would include the decryptor with any assistance we may need with it, proof that all our data has been removed from your systems and deleted with the promise not to ask for any additional money for anything after payment is received, a detailed explanation on how you got into our systems, and the promise to never attack us again. Please consider this offer as we are trying to get our business back operational.
17:18
We are ready to help restore all your systems and files to their original state very quickly, but the minimum amount we can accept is $150k. Less payment is not possible. Therefore, tell your manager if he wants to make a deal, then he look for this amount. If not, then further negotiations are pointless.
17:43
Leadership is prepared to accept your offer of $150,000 with all fees included. This would include a working decryptor with any assistance we may need with it, proof and assurance that all our data has been removed from your systems, deleted, not copied or transferred elsewhere, and with the promise not to ask for any additional money for anything after payment is received, a detailed explanation of why we were targeted and how you got into our systems, and the promise to never attack us again. Please send us your bitcoin wallet ID so we can proceed with payment.
13:27
Okay. We confirm all points. Our BTC wallet is [redacted]
14:06
Ok. This may take some time, but please confirm when you receive payment. I will write you when it is sent.
18:49
payment was made. Can you confirm please
18:51
Yes, we see the transaction, but it hasn't been confirmed yet. Please wait.
18:54
Your data is wiping.
19:06
Thank you. I will stand by for all the agreed upon deliverables.
19:07
This is log of deletion ALL your taken data
Download: https://qaz.im/load/[redacted]
Delete: https://qaz.im/index.php?a=delete&q=[redacted]
19:40
Download file: [redacted].ex
23:44
How to decrypt windows?
1. Drop executable to any folder.
2. Start new terminal session with administrator rights. (run cmd.exe or powershell.exe with admin rights)
3.1. In cmd.exe type full path to the executable file and press Enter.
3.2. In powershell.exe type: "& c:\full\path\to\executable.exe" without quotes and press Enter.
OR
1. Drop file.
2. Click right mouse button on the file and press run as admin.
(!) IMPORTANT, READ ALL BEFORE DECRYPTION PROCESS
1. Yoy can decrypt only 1 folder (test decrypt for example)
decrypt.exe -forcepath c:\users\1\Desktop\folder
2. DO NOT CLOSE decryptor yourself
3. MAKE BACKUPS of important files what you will decrypt, then you can rerun decryptor if something happens
4. You can decrypt partially encrypted files:
4.1. Make backup
4.2. Add encrypted extension (random for every company, you can ask in chat) to file
4.3. Run decryptor to folder what contains file
4.4. Now you can test file
5. Every decryption process saves file in same location with name of decrypted file with extension .kbckp. In this file you can find individual chacha keys for better recovery experience.
6. You can ask in chat about ECC keys (used to encrypt chacha keys) for your company.
7. Make sure you have at least 10 gb of free space on each disk.
8. To choose folder on linux decrypt.linux -forcepath /path
23:44
Security report and recommendation:
Your network has been compromised by mailing of messages to the emails with malicious attachments.
One of the users launched malware.
To avoid this in the future, give you recommendations of network protection:
1. Use sandbox to analyze the contents of letters and their attachments.
2. Use the password security policies
3. Make protection from attack like a Pass-the-Hash and Pass-the-ticket attack
4. Update all OS and software to the latest versions, especially Microsoft Defender Antivirus.
5. Implement the hardware firewalls with filtering policies, modern DLP and IDS, SIEM systems.
6. Block kerberoasting attacks
7. Conduct full penetrations tests and audit
8. Use and update Anti-virus/anti-malware and malicious traffic detection software
9. Configure group policies, disable the default administrators accounts, create new accounts.
10. Backups. You must have offline backups, does not have access to the network.
03:02
This information is provided by Valéry Marchive & Julien Mousqueton