Ransomware negotiation(s) with
fog
Hello, we found several of our systems encrypted with your ransomware. Can we talk about resolving this?
Friday, 27 September 2024 13:24:06
hi
Friday, 27 September 2024 14:06:37
I will give you details soon and we will talk
Friday, 27 September 2024 14:07:03
[provides a compressed RAR files list]
this is what's been taken
Friday, 27 September 2024 14:15:28
We will need some time to take a look at this. In the mean time how would we get our systems decrypted?
Friday, 27 September 2024 16:36:06
when you pay you receive decrypter to fix your systems
Friday, 27 September 2024 22:14:03
I will tell you the price for decrypter soon
Friday, 27 September 2024 22:14:25
How much would the decrypter cost? Can you confirm that our files would be deleted from your servers and that you will not publish our name or share the data?
Sunday, 29 September 2024 19:12:47
yes I can confirm your files will be deleted and your name will not be published
Sunday, 29 September 2024 20:55:39
I will tell you price soon
Sunday, 29 September 2024 20:56:09
If you want your data fully decrypted and the files we stole removed from our source, you will have to pay a fee. We will also be able to provide a security report and explain how we did it to get in. The bosses are demanding $800,000 for said services.
Tuesday, 01 October 2024 11:24:46
Do we work?
Wednesday, 02 October 2024 12:47:10
$800,000 is too high. We are looking to reach an agreement and can offer $150,000 to get this finished quickly.
Wednesday, 02 October 2024 15:17:22
There's no way we're going to agree to that amount. I don't think we can even give you a $150,000 discount. our demand is more than reasonable in your case. I will talk to the bosses
Wednesday, 02 October 2024 15:47:34
bosses agreed to take 715k for everything
Wednesday, 02 October 2024 20:15:53
How do we know the decrypter will work? Could you decrypt some files for us so we can be sure this will work on our systems
Thursday, 03 October 2024 16:10:09
yes
Thursday, 03 October 2024 16:13:58
give me a few
Thursday, 03 October 2024 16:16:09
[provides a zip archive of files to decrypt]
there are a few small encrypted files in here
Admin 18:46:52
give me some time
Friday, 04 October 2024 08:16:51
[provides 5 decrypted files]
Friday, 04 October 2024 09:57:54
Thank you. Our business isn't doing as well as we used to and we don't have insurance to cover this. We can't afford anywhere near that amount. We would still like to resolve this, but it needs to be close to our previous offer
Saturday, 05 October 2024 13:54:06
I cant close the case at your previous offer
Saturday, 05 October 2024 16:35:23
you need to add something to your offer
Saturday, 05 October 2024 16:36:35
Cash is really tight for us, we are doing all we can but can only raise our offer to $175,000.
Monday, 07 October 2024 10:39:33
I talked to the bosses. $500,000 and we can end this today. I don't think that you will get any better deal
Monday, 07 October 2024 11:30:12
We simply cannot afford that. We have rebuilt most of our systems without the decrypter. Can we agree at $200,000 today?
Tuesday, 08 October 2024 15:27:22
bosses agree to take 350k today
Tuesday, 08 October 2024 16:09:59
this is the best bet price for the situation
Tuesday, 08 October 2024 16:10:24
tell me when ready to make payment
Tuesday, 08 October 2024 16:10:51
just take one last step, and we'll put this behind us.
Tuesday, 08 October 2024 22:09:49
bosses can take one last step and decrease to 300k. the wallet is [redacted]
Tuesday, 08 October 2024 22:14:01
hi
Wednesday, 09 October 2024 19:05:01
are you leaving me?
Wednesday, 09 October 2024 19:05:12
tell me should I wait the money today or what
Wednesday, 09 October 2024 19:06:14
I need your decision guys.
Thursday, 10 October 2024 11:40:41
this week we have to close your case
Thursday, 10 October 2024 11:40:56
We can't go that high, we can offer $225,000
Thursday, 10 October 2024 16:40:18
I can't take 225k
Thursday, 10 October 2024 18:42:18
confirm 250k to me and I will make my bosses take the offer 250k
Thursday, 10 October 2024 18:43:06
we can do that today only
Thursday, 10 October 2024 18:43:25
hello. what is your decision?
Friday, 11 October 2024 12:00:52
ok we will pay $250,0000, can you confirm you will provide a decrypter and you will delete all our data? We will need some time to arrange the payment
Friday, 11 October 2024 14:52:25
I can confirm that you will receive the .exe files that you will need to run on your systems (win or esxi) to decrypt your files. We guarantee that you will be able to recover all the encrypted data. We will give you a deletion log file which means the files we stole .were removed from our source.
Friday, 11 October 2024 15:48:03
Please let me know when the money has been sent
Friday, 11 October 2024 15:49:09
hi
Saturday, 12 October 2024 10:15:05
can you tell me when are you going to make payment?
Saturday, 12 October 2024 10:15:34
we are sending a small amount to check it works ok. Can you confirm when you receive it?
Monday, 14 October 2024 18:36:15
yes send please
Monday, 14 October 2024 18:58:26
I received 0.0001 btc. you can send the full amount now
Monday, 14 October 2024 20:46:27
we are arranging the bitcoin for the full amount and will let you know when we are making the payment
Tuesday, 15 October 2024 14:53:17
waiting, thanks
Tuesday, 15 October 2024 15:03:10
we've sent the payment
Tuesday, 15 October 2024 17:27:42
[provides the decryptor in a 7zip compressed file]
Windows
unlocker.exe -nomutex -console -target \\SERVER\C$
unlocker.exe -nomutex -console -target C:\
Esxi \ LINUX
chmod +x unlocker_key
./unlocker_key --id [redacted] --log --target "/vmfs/volumes/"
Admin 18:20:08
Hi, we are working through recovering our systems but we cannot access our domain controller as you have changed the administrator password. Please could you tell us what the password for the domain administrator account was changed to?
Monday, 21 October 2024 09:51:08
all domain admins passwords "gotochatplease"
Monday, 21 October 2024 09:56:03
Can you still provide us a report on how you got access into our network? Also can you confirm you have deleted all our data now?
Wednesday, 30 October 2024 09:17:47
I will tell you soon
Wednesday, 30 October 2024 10:07:59
Do you have any update please?
Monday, 04 November 2024 09:10:19
You data has been deleted. Access to your network was gained through a phishing mail. Your staff should be more vigilant when downloading and opening unfamiliar files. We recommend that you implement the following measures to protect your corporate network:
1) Enforce passwords on local and domain admins. Complicate group policy on passwords for all users;
2) Using the group "Protected users";
3) Use centralised management of antivirus protection;
4) Inform users not to open suspicious emails and files;
5) Updating software and OS to current versions;
6) Set up permission delegations in the Active Directory;
7) Install an application to monitor activity in the Active Directory;
8) Use Vmware Esxi ver. 7.0 or more current.
Our team guarantees that any data taken from your network will not be disclosed, sold or published. Of course, this dialogue will also remain confidential.
Monday, 04 November 2024 10:14:29
This information is provided by Valéry Marchive & Julien Mousqueton
