No Bitcoin Accepted, Only Monero: Entering Ransom Talks Two Weeks Behind

Summary
The chat logs depict a tense negotiation between the victim and the DarkSide ransomware group following a cyberattack that resulted in data exfiltration. DarkSide demanded a ransom of $600,000 for decryption and data deletion, with threats to publish the stolen data if payment was not made promptly. The victim, a small company, expressed financial constraints and sought to negotiate a lower payment. After several exchanges and discussions about financing options, the victim negotiated down to an offer of $250,000. They secured a commitment from a lender and aimed to pay using Monero by the 27th. DarkSide reiterated their threats of data publication if contact was not made within 24 hours (full chat logs included).
Important Facts
- Ransomware Group: DarkSide
- Data Exfiltration: DarkSide claimed to have fully dumped the victim's network and provided links to proof of stolen data.
- Restoration of Files: Promised decryption of the victim's systems, deletion of stolen data, and two days of support following payment.
- Data Leak Threat: DarkSide threatened to publish the stolen data and escalate attacks if payment was not received within 24 hours.
- Duration: The negotiation spanned several days
- Total Messages: 46
Key Events
- Initial Contact and Ransom Demand:
The victim reached out to DarkSide after discovering their network was attacked. DarkSide demanded $600,000 for decryption and removal of stolen data.
- Threat of Data Publication:
DarkSide threatened to publish the victim's data if payment was not made promptly, escalating the urgency of the situation.
- Victim's Financial Limitations:
The victim explained their inability to meet the initial ransom demand and requested more time to secure funding options.
- Restoration of Files:
DarkSide committed to providing decryption services, deleting stolen data, and offering two days of post-payment support.
- Attacker's Reaction:
DarkSide insisted on urgency in negotiations, reiterating their terms and emphasizing that they were only interested in payment.
- Continued Negotiation:
The victim proposed several offers while negotiating for a lower price and sought proof of stolen data to strengthen their position with lenders.
- Final Agreement:
After extensive discussions, the victim secured a commitment from a lender, negotiated down to an offer of $250,000, and planned to pay using Monero by the 27th, confirming terms with DarkSide for decryption and data removal.
Full Chat Logs
Victim: "Is this support?"
Attacker: "Yes, of course what's ups?"
Attacker: "Tomorrow we will publicate your data."
Victim: "Tomorrow? We just got more information on this because IT didn't tell us about this site. We want to learn more about your offering."
Attacker: "Tomorrow, of course, we done attack week ago, you didn't came online, tomorrow we will add local mass media, and attack your infrastructure by IP. that's our plan, on today, because you didn't start dialog with us."
Victim: "We didn't even know what was going on and we were misinformed. We can't pay by tomorrow since we're just learning about this. Can you give us more time so that we can handle this appropriately?"
Attacker: "Your price is settled up, you are small client for us. Make your choice today - you will be listed, or close question with us."
Attacker: "In case of close question nobody will know about this issue."
Victim: "We can't pay $600,000 by tomorrow. We're not sure what we can pay but we will certainly see what is available. Can you show us some data that you have?"
Victim: "Do we have your word that you will not list us tomorrow?"
Attacker: "We have full dumped your network by data, of course we can show."
Attacker: "After payment you will get full file tree of stolen data."
Attacker: "After payment you will get: decrypt your system (network) file tree of data, and I will explain your black holes, (network audit) discount we can't make, sorry. You came too late on dialog, that's your problem."
Attacker: "We will not list your tomorrow, in case of agreement."
Attacker: "Sorry that's our business, we are only interested in to take money."
Victim: "Okay, that is understood, but can we see anything that you have taken?"
Attacker: "You are very small client, see your infrastructure, after agreement and payment 1) we will decrypt instantly your network 2) if you need - provide file tree, with all taken files 3) delete data from our servers."
Attacker: "Some random files for proof: https://www.redacted.com/file/[redacted] https://www.redacted.com/delete/[redacted]/c5421cf9271e05e7b323e000d9283ec8 pass: [redacted] Don't waste our time, how we don't wasting yours. Rules for all clients same."
Victim: "We're not here to waste time. We're sorry for joining late. We'll review and get back to you."
Attacker: "Files were randomizded."
Attacker: "When will be done payment?? Or We should continue attacks?"
Victim: "We are still reviewing the information. We only found out about the $600,000 price. Our intention is not to push this to the side, but we need some time to figure out what we can afford. This is the first time we are dealing with this type of issue."
Attacker: "What's your offer?"
Attacker: "I know your resources very well, after your offer I will explain you what is what."
Victim: "We have a meeting set for tomorrow morning to discuss finances. Can we get back to you in the morning?"
Attacker: "Yes, price you can see, I don't know about you want to talk, search money. and we will do things, in other case we are not interested in dialog."
Attacker: "Money money, can help you."
Attacker: "Don't waste your time, as ours. It's not our policy how we work, if you have money, we can talk, if you don't have, then we can go by sides. We don't work like this."
Attacker: "Price you can see in your administration panel."
Victim: "Yes, but we will get back to you in the morning after the meeting. Is this okay?"
Attacker: "Yes, OK."
Victim: "As promised, we spoke today and can make an initial offer. It's been a tough year for us and we're a tiny company. We hope you can see that. Based on a few loans we received, we can pay you $110,000. If this price is not suitable, then we'll need to look at outside sources for cash. We're a small shop and don't have access to easy funding."
Attacker: "Then if your business doesn't give you profit, you should think about closing business like this."
Attacker: "We can do our best, give you some discount, but not big like you want."
Victim: "We just need a price we can afford. What type of discount can you give us?"
Attacker: "10%."
Victim: "So $540,000?"
Victim: "If that's the case, then we really have a lot of work to do here. We can't take on so much debt considering our size."
Victim: "Are there any other files you can provide us so that we have more bargaining power with lenders?"
Attacker: "We have already given files and a good discount."
Victim: "You're asking 5x more than what we can afford to pay. We're putting ourselves on the line and potentially in more debt as we speak with lenders. We can't take all this on if we don't know what we're paying for. All we need is some help from you."
Attacker: "Last evidence pack, other requests will be regarded as a waste of our time. The package contains a variety of documents from different directories ------- 457 Megabytes Download: https://bashupload.com/JrSuB/[redacted].rar Password: FKL59MBY}c?Uox~d$4QCNnVAE0@yOvmC"
Victim: "We're looking. Thanks."
Victim: "We see the data but we can't just print money and pay. We really need a few days to see what other funding options we have. Can we get back to you early next week with our options?"
Attacker: "OK."
Victim: "Thanks."
Victim: "We will have more news for you later today."
Victim: "Your price is still not possible for us but we do have a better offer for you. We have an initial agreement with a funding source and can pay you $200,000. You are asking a lot from a company of our size and we are giving you all we can. Please let us know."
Attacker: "Thanks for your offer, last what we can offer - is change price right now to $250,000 USD, and you will pay money in 24 hours, other offers we don't have because time costs money. We are doing very big discount for you. After payment you will get - full decrypt of your systems, and we will delete all your data from our servers."
Victim: "Yes, this is a very big discount indeed. It's still more money than what we have but we'll get back to you ASAP tomorrow once we review. Thank you."
Attacker: "We pleasure your opinion - tomorrow we're waiting payment from your side. Discount is very big - we never do discounts like this - we work on mathematical algorithms. As well this discount was decided by team - it's not agreement by one person. We done our best. We changing price right now; tomorrow we're waiting for payment."
Attacker: "Refresh page, price changed - tomorrow we're waiting for money. Good luck."
Victim: "We held an emergency meeting. The lender was not happy but they are discussing this and they understand the urgency. We told them that we need to hear from them today but they have to get their own approval first. Can we reach out to you tomorrow with their decision? We really don't want to let this slip away."
Attacker: "We told our rules; please guys be serious; situation by your side, not by ours. We already got agreement in our team about price which we've done; it's a very good discount; we know that in your hands there is possibility to pay amount of money which we've got agreement on. Price was settled up; you can start paying by parts; it's not a problem."
Victim: "We completely understand. We just can't commit to a price until we speak to the lender because they're in control of the money. They'll have news for us tomorrow."
Victim: "Alright. The lender agreed! They're going to wire us the money tomorrow and our bitcoin broker will be able to pay you early next week. Can you confirm what we'll receive from you?"
Attacker: "Your payment currency is XMR (monero) not bitcoins."
Victim: "Can you confirm what we will receive from you?"
Attacker: "Yes. - Windows decryptor. - Deleting data and blog post. - Support for 2 days after decryption."
Victim: "Okay, we will be able to pay monero next week."
Attacker: "What date?"
Victim: "Aiming for the 27th."
Attacker: "Ok."
Attacker: "If you don't contact us within the next 24 hours we will publish your data."