
Negotiation Chat — BlackMatter

Negotiation chats provided by Valéry Marchive and Julien Mousqueton.

Chat ID: 20210907

Hello and welcome to BlackMatter. How may I help you?
07 Sep, 00:44 AM [NY time]
Gang
Victim
Hello
10 Sep, 04:46 AM [NY time]
Victim
I need help with decrypting my data
10 Sep, 04:46 AM [NY time]
To decrypt your files you have to purchase the decryption software. It costs $15m for you.
10 Sep, 04:57 AM [NY time]
Gang
Victim
This is too high a price. Give me proof that the price is adequate for the data you have.
10 Sep, 05:20 AM [NY time]
First of all, can you introduce yourself, state the company name and your position in it?
10 Sep, 07:13 AM [NY time]
Gang
Victim
I am a spokesperson for the company and I will sell the information to my customer. Because this is not secure communication, I do not want to state the name of the company and I assume that we will delete this chat after the meeting.
10 Sep, 07:25 AM [NY time]
Victim
I am authorized to communicate with you on behalf of the company and to establish conditions that will be acceptable to both parties.
10 Sep, 07:26 AM [NY time]
Victim
First of all, I would be happy if we set a price that is negotiable. Next, it would be good to submit information about the data you have in your possession so that we can consider paying the ransom and start negotiating the price.
10 Sep, 07:29 AM [NY time]
We have doubts that you are from the company; we need proof that you are from there.
10 Sep, 07:29 AM [NY time]
Gang
So how can you prove it?
10 Sep, 07:30 AM [NY time]
Gang
Victim
I can't prove it. We're gonna have to trust each other.
10 Sep, 07:33 AM [NY time]
Victim
If you want to pay, then this is the only way to come to an agreement. So that emotions are not used in the negotiations, I am here as an intermediary. My client doesn't want to negotiate, even though it seems to be the only option. Although they have backups, the restoration will take some time, so I would like to negotiate an adequate price.
10 Sep, 07:36 AM [NY time]
You can't prove it because you don't know it. This just confirmed our doubts. Have a nice day.
10 Sep, 07:35 AM [NY time]
Gang
Victim
We are a protected society and I cannot afford to openly write who it is. I only know the owner of the company who owns several companies.
10 Sep, 07:37 AM [NY time]
Victim
If you do not want to cooperate, then I will pass this information on to the customer and the media to make it obvious that BlackMatter are a group of crooks.
10 Sep, 07:43 AM [NY time]
This is ridiculous, you can prove it in hundreds of different ways, without compromising so-called “privacy”.
10 Sep, 07:43 AM [NY time]
Gang
Victim
Give an example. I only know the owners of the companies.
10 Sep, 07:46 AM [NY time]
To start a cooperation, we have to know with whom we are dealing, and you are failing it. So far you look like some boring guy who got a sample from VirusTotal and obtained the chat link.
10 Sep, 07:46 AM [NY time]
Gang
Victim
They found this file in their system and that's why I came to your page C:\[redacted].README.txt
10 Sep, 07:48 AM [NY time]
You can upload the company’s letterhead, you can tell us the domain controllers’ names, the name of the backup software; it is just a few)
10 Sep, 07:49 AM [NY time]
Gang
Victim
Actually I don't have much time to deal with authorization. I want to help the customer and negotiate the terms of cooperation. Just because anyone can watch this chat, I don't want to share any information and prove that I am who I am. Do you want to negotiate the price?
10 Sep, 07:50 AM [NY time]
So far it looks as if your main objective is to f*ck with us)
10 Sep, 07:52 AM [NY time]
Gang
Victim
The environment is isolated and analyzed by the forensics team and the police. I can't interfere with the investigation, and all the documentation has been encrypted, as the customer told me.
10 Sep, 07:52 AM [NY time]
Victim
I certainly don't feel like fucking with you. I want to talk and get this thing resolved as soon as possible.
10 Sep, 07:53 AM [NY time]
Here we go again, to negotiate with whom, with some random Joe?
10 Sep, 07:53 AM [NY time]
Gang
Ok, this is simple: prove you are from the company or just go grab another sample from VT.
10 Sep, 07:54 AM [NY time]
Gang
Victim
Yes, let's talk about price and what you get for our data. Then we can discuss the price of the decryptor.
10 Sep, 07:55 AM [NY time]
Victim
What is VT?
10 Sep, 07:56 AM [NY time]
Oh [redacted], you are so clever) virustotal.com
10 Sep, 07:56 AM [NY time]
Gang
Victim
Oh, I see. So how do we do it?
10 Sep, 07:59 AM [NY time]
You have the options: 1. Internal Windows domain name. 2. Domain administrator’s name. 3. Backup software name. This information isn’t locked by the encryption software or the police)
10 Sep, 07:59 AM [NY time]
Gang
Victim
1) [redacted]
10 Sep, 08:04 AM [NY time]
Victim
2) administrator
10 Sep, 08:04 AM [NY time]
2) administrator, this is too generic, give us another one
10 Sep, 08:06 AM [NY time]
Gang
Victim
[redacted]
10 Sep, 08:08 AM [NY time]
Ok, John thank you. So you see the price, you need to pay it.
10 Sep, 08:12 AM [NY time]
Gang
Victim
Are we really not? This bill was sent to me by their owner. I'm gonna look like a fool if we don't agree on a price.
10 Sep, 08:16 AM [NY time]
Your English is too sophisticated for me, can you try again)
10 Sep, 08:19 AM [NY time]
Gang
Victim
Are we really not? This account was sent by their owner. If we don't make a deal, I'm gonna look like an idiot.
10 Sep, 08:22 AM [NY time]
Victim
I don't speak English, so I translate automatically.
10 Sep, 08:23 AM [NY time]
You see the demanded price. If you pay it you will get: 1. The decrypting tools. 2. Your data back (we took 1.5TB: PII, NDAs, emails, MSSQL databases). 3. A file tree. 4. An explanation of how the company was breached.
10 Sep, 08:31 AM [NY time]
Gang
Victim
The price is not adequate. Give me a price I can pass on to the owner of the company.
10 Sep, 08:40 AM [NY time]
We have no idea what price is adequate for you. We can make a 10% discount for fast payment and remove the 25% BTC transaction fee. Make the offer. But to make it simple, we will not consider an offer less than a 7-figure number.
10 Sep, 08:46 AM [NY time]
Gang
Victim
Our idea was $500,000, but we can negotiate a price of $1,000,000. Give us proof that there is information sensitive enough to be of such value.
10 Sep, 08:50 AM [NY time]
Do you want me to upload a sample with office documents? The emails and SQLs are too big but we have them all.)
10 Sep, 08:53 AM [NY time]
Gang
One more detail: we know the company doesn't have the backups. Rubrik is gone)
10 Sep, 08:55 AM [NY time]
Gang
Victim
We have offline backups. Ok show me the office document and a screenshot of the database.
10 Sep, 09:03 AM [NY time]
Victim
Do you also have the passwords of the domain users? Give me a screenshot.
10 Sep, 09:04 AM [NY time]
You have tapes for [redacted] but they are useless without software.
10 Sep, 09:05 AM [NY time]
Gang
This is the screenshot for DA hashes and passwords. https://ibb.co/[redacted]
10 Sep, 09:09 AM [NY time]
Gang
Victim
We have a backup created by other software and transferred to a SAN to a backup data center. Restoration will take a long time, but it is possible. What databases do you have?
10 Sep, 09:13 AM [NY time]
You can get the sample by following the link. https://privatlab.com/m/v/[redacted] We will not make DB screenshots, too much work.
10 Sep, 09:14 AM [NY time]
Gang
We have dbs from [redacted]SQL SQL2014Test [redacted]SQL1 [redacted]-SQL [redacted]-SQL
10 Sep, 09:17 AM [NY time]
Gang
Victim
Data in databases should be encrypted. Just because you have database servers doesn't mean anything.
10 Sep, 09:22 AM [NY time]
Should or is? )
10 Sep, 09:25 AM [NY time]
Gang
Victim
According to IT, it should be. Let's make a deal like this. If the data in the database is encrypted, we'll pay you $100,000 to decrypt it for us. If the data in the databases is not encrypted, then we'll pay you $700,000. $700,000 is the price we have to invest in recovery, and if the recovery with the decryptor is faster, then we'll save money on service outages.
10 Sep, 09:29 AM [NY time]
Too complicated, we said what we will provide if we agree on a price. $700k is unacceptable.
10 Sep, 09:42 AM [NY time]
Gang
Victim
Okay, then the price is $1,000,000 if the data is readable.
10 Sep, 09:47 AM [NY time]
Without any conditions: you are paying for the decrypting tools and fast recovery; the data is collateral. You will not recover so easily without the decryptor. We can do negotiations pretty long; time is on our side. If you want to finish this fast, make an acceptable offer.
10 Sep, 09:54 AM [NY time]
Gang
Victim
The data you hold is worse for us than having to recover it. The data you hold is worth no more than $1,000,000, which is why we are offering this price. We can restore the data from offline backups (we have tested this). A higher price than $1,000,000 is not acceptable to us. If you don't accept this price, then I need to check with the owner of the company what we will do next and if we can offer more money.
10 Sep, 09:59 AM [NY time]
How do you evaluate the data’s price, can I see a formula?
10 Sep, 10:04 AM [NY time]
Gang
You can do incremental and we can do decremental steps; make an offer that we can turn down. 1 is too far away from 15.
10 Sep, 10:12 AM [NY time]
Gang
Victim
We evaluate it subjectively. We have already written to people about PII, so the reputational impact has already occurred. We're gonna put new passwords in Active Directory. Office documents aren't that valuable to us. The only thing of value is the databases.
10 Sep, 10:16 AM [NY time]
Victim
15 is meaningless. I thought 15 was just a number, but not the actual ransom.
10 Sep, 10:18 AM [NY time]
We just checked a random db, the data is fine and not encrypted. Have a look. https://ibb.co/[redacted]
10 Sep, 10:18 AM [NY time]
Gang
Victim
I understand, but for us only the know-how and customer information in the databases is worth anything.
10 Sep, 10:20 AM [NY time]
Victim
I can see it now. Then name a price that makes sense for both sides.
10 Sep, 10:21 AM [NY time]
Nothing is meaningless, we did a good pentest for your company; it has to be rewarded. $1kk is not enough. Do some consultations and come back with a better offer.
10 Sep, 10:22 AM [NY time]
Gang
One of your competitors was hit the same way yesterday, if it helps your feelings.
10 Sep, 10:24 AM [NY time]
Gang
If you offer a good price today we can make a decent discount for you.
10 Sep, 10:25 AM [NY time]
Gang
Victim
I need to check with the management and the owners. What competitor do you think?
10 Sep, 10:57 AM [NY time]
By the way, they offer much more than you.
10 Sep, 11:01 AM [NY time]
Gang
Victim
I guess they don't have backup.
10 Sep, 11:17 AM [NY time]
You neither; you tried to do it on Sunday but you know what happened.
10 Sep, 11:19 AM [NY time]
Gang
Victim
We are restoring. I'm gonna go talk to the management.
10 Sep, 11:23 AM [NY time]
https://ibb.co/[redacted]
10 Sep, 11:24 AM [NY time]
Gang