Inside Black Basta: A Ransomware Negotiation Revealed

Here's a detailed breakdown of a negotiation between a victim and the ransomware group Black Basta. This conversation illustrates the complexities of ransomware interactions and the demands made by attackers.

Important Facts:

  • Ransomware Group: Black Basta
  • Data Exfiltration: 540GB of sensitive data
  • Initial Ransom Demand: $2,750,000
  • Discount Offered: 25%
  • Data Leak Threat: Publication of stolen data on the attacker's "news board" if an agreement isn't reached.
  • Promises in Exchange for Payment: Decryptor, data deletion, security report, no future attacks.
  • Ransom: NOT PAID

Timeline of Events

  • Initial Contact:
    The victim discovers a ransom note from Black Basta and initiates communication through the provided contact method.
  • Data List Confirmation:
    Black Basta confirms the exfiltration of 540GB of sensitive data and provides a link to a list of stolen files.
  • Proof of Possession:
    Black Basta provides the victim with sample files as proof of the data breach and their decryption capabilities.
  • Decryption Test:
    The victim sends three encrypted files to Black Basta for a decryption test. The attacker decrypts and returns the test files successfully.
  • Chat Downtime Troubleshooting:
    After several days of no communication due to the chat being down, Black Basta accuses the victim of delaying negotiations. The victim reassures them that there was no intentional delay, and communication resumes.
  • Negotiation of Ransom:
    Black Basta sets a ransom demand of $2,750,000 and warns that stolen data will be published if an agreement is not reached within 10 days. The victim requests additional time to improve their financial position.
  • Price Adjustment Offer:
    Black Basta offers a 25% discount if payment is made by the following Monday, but the victim explains they need more time, requesting an extension until Friday. Black Basta agrees, extending the deadline to Friday while threatening to publish the data if the proposal is unsatisfactory.
  • Deadline Missed:
    After the deadline passes, Black Basta informs the victim that their time has expired and begins preparations to publish the stolen data.

Original chat logs

Attacker:
Do you need a private chat?

Attacker:
This chat can include people from your company (your employees, for example), as they may have found the note on their computers. In order to avoid leaking our conversation, we can create a private chat for you. Do you need it?

Victim:
Where would this private chat be and what is wrong with talking here? What is this about and did you take our data?

Attacker:
We are here to inform you that your company's local network has been hacked and encrypted. We've downloaded over 540GB of sensitive information and data from your network. Check your page in our blog. Right now we're keeping it secret. However, if we don't come to an agreement within 10 days, it'll be posted on our news board. We will let everyone who wants to connect to your network and get all the necessary data from you. Decryption price is $2,750,000. In case of successful negotiations, we guarantee you will get:

  1. Decryptor for all your Windows and Hyper-V machines;
  2. Non-recoverable removal of all downloaded data from our side;
  3. Security report on how you were hacked to fix your vulnerabilities and avoid such situations in future.

Hope you can correctly assess the risks for your company.

Attacker:
https://[redacted].txt This is the full list of your taken data.

Attacker:
You can choose from this list any 3-5 file names, and I will send them to you as proof. But files should not contain important information.

Victim:
Thank you for providing the list. My leadership and IT team are currently reviewing it. It is a large list, and it will take some time.

Attacker:
Okay, we'll be in touch.

Victim:
Just making you aware it is a holiday here. When my team selects the file names, we will send them.

Attacker:
Okay, we are in touch.

Victim:
Thank you for your patience.

Victim:
[redacted].pdf // [redacted].docx // [redacted].csv // [redacted].xlsx // [redacted].tif

Victim:
Here are some file names.

Attacker:
https://[redacted].rar

Attacker:
Your requested files.

Victim:
Thank you for providing those. I will have my IT and Leadership team look over these.

Attacker:
Okay, we'll be in touch.

Victim:
Understood. No one is in the office today since it is Sunday. We will reach back out to you on Monday.

Attacker:
Okay, we are in touch.

Victim:
We have reviewed the files. How does your decryption process work? Do you send us one decryptor that restores all our systems, or do you send decryptors for each system affected?

Attacker:
I can restore all your systems and data into the original state. We can easily check it. You send me 3 encrypted files, I decrypt them and send them back to you. But these files should not contain important information.

Attacker:
After payment, you receive one decryptor that restores all your systems.

Victim:
Thank you for the information. We will work on getting some files to send you. How long will it take us to restore once we receive your tools?

Attacker:
Recovery time depends on the size of your system. Usually takes about 1 day.

Victim:
We appreciate you answering our questions. I am still waiting for the files to test. When you say you will bring our systems and data to their original state, does that mean you guarantee that your tool will work on everything?

Attacker:
We think that you are simply delaying the time, and there is nothing to discuss. We have given the proof of the availability of files, we can also decrypt several encrypted files as a test for demonstrating our decryptor tool. That's all the discussions. Then you must pay the required amount, and we'll provide the program and help restore all your systems and data; also we'll delete all your data and send the deletion log.

Victim:
There was no delay on our side; your chat has been down for several days. We have files for you.

Victim:
Download file: [redacted].docx

Victim:
Download file: [redacted].docx

Victim:
Download file: [redacted].docx

Attacker:
Download file: [redacted].docx

Attacker:
Download file: [redacted].docx

Attacker:
Download file: [redacted].docx

Victim:
Thank you for this. It is Sunday, and that means no decision makers are here. We will be back in touch tomorrow.

Victim:
My leadership and IT team are currently reviewing the files.

Victim:
We have reviewed the files. Thank you for letting us test your decryption tool. A question has come up from my leadership. Will you provide assistance during the decryption process if we need it? How long will you keep the chat open?

Attacker:
We will give you full support during the decryption process if you need it. Chat will be open until we have fully fulfilled our obligations.

Attacker:
Also, after payment:

  1. You receive decryptors (Windows and Linux OS).
  2. Your page will be totally deleted from the blog.
  3. ALL your data will be deleted from our server, and you will receive the full deletion log.
  4. You will get a penetration report and recommendations on how to avoid such situations in the future.
  5. You receive the guarantee that our team will never attack you again.

Victim:
Okay. Thank you. I will take this to my leadership. We appreciate you answering our questions.

Attacker:
Okay, we'll be in touch.

Attacker:
Any updates?

Victim:
We appreciate you working with us and answering our questions. You are, however, asking us to pay you a lot of money, and we need time to place ourselves in a better financial position to reach an agreement with you. My leadership team is set to meet and discuss this in its finality next Thursday. If you could give us time from now until Friday morning to work hard to place ourselves in a better position, it would show a lot of good faith between us. We were also wondering if there were any discounts available to us so that I could bring that to my leadership during their meeting.

Attacker:
You had a lot of time. You have time until Monday. If your proposal does not satisfy us on Monday, we will start to publish your data on Tuesday and delete the chat.

Attacker:
We will take a step towards you and make a 25% discount from the initial cost if you pay next week.

Victim:
We appreciate the 25% discount and I will bring that to their attention. Monday is not enough time for us to put ourselves in a better financial position to reach what you are asking. Due to the time of year it is difficult to get all of the leadership together to meet on this. Thursday is the earliest they can all meet so they can all be on the same page with this situation. We are trying to work with you, and we need you to work with us.

Attacker:
Sir, you see that we try to act as businessmen who like their business. We are patient, but we need to clearly understand how much time you need to be ready to pay. We can't wait forever.

Victim:
We understand, and we need until Friday due to our leadership all meeting on Thursday evening so that they can all be on the same page.

Attacker:
Okay, you have time until Friday. If your proposal does not satisfy us on Friday, we will start publishing your data on the weekend.

Victim:
Thank you. We will reach out to you then.

Attacker:
You made your choice. Your time has passed; we are preparing your data for publication.

This negotiation illustrates the complexities of dealing with ransomware gangs: proof-of-possession file lists, decryption tests, shifting deadlines and discounts, and the constant threat of data publication. It underscores the need for strong cybersecurity measures, including tested backups and an incident response plan, so that an organization is never forced to rely on an attacker's promises.