No Decryptor Needed: A Conti Ransomware Negotiation

The chat log below records the negotiation between a small business hit by ransomware and the group behind the attack, Conti. After the attack, the company's files were encrypted, and Conti opened with a demand of $900,000 for the decryptor, threatening to leak the data it had stolen if the company did not pay. The business, which did not have that kind of cash on hand, countered with $55,000, which Conti rejected.
The negotiation changed course when the business said it had recovered its files on its own and no longer needed the decryptor. Even then, Conti kept pushing for payment. After a series of offers and counter-offers, the two sides settled on $325,000, paid in installments, in exchange for the decryptor, a file tree of the stolen data, a deletion log, and a promise not to publish. The exchange shows how drawn-out and adversarial these negotiations can be (full chat log below).
Important Facts:
- Ransomware Group: Conti
- Data Exfiltration: Yes, the attackers confirmed that they had stolen files in addition to encrypting files on the victim's network.
- Restoration of Files: The victim communicates that they have restored their files and no longer require the decryptor.
- Data Leak Threat: The attackers threatened to publish the victim's data if payment was not made, said they would start publishing if the victim went silent for three days, and later set an end-of-week deadline for a "reasonable offer".
- Ransom: PAID
- Duration: 18 days
- Total Messages: 130

Key Events:
- Initial Contact and Ransom Demand:
The victim reached out for help after discovering their files were encrypted. Conti responded, demanding $900,000 for the decryption of the files.
- Threat of Data Publication:
Conti threatened to publish the stolen data if the victim did not comply, saying it would start publishing after three days of silence and would also try to find a buyer for the data and for access to the victim's network.
- Victim's Financial Limitations:
The victim communicated their inability to meet the initial ransom demand due to their status as a small business. They offered a counter-proposal of $55,000, which was rejected by Conti.
- Restoration of Files:
The victim eventually claimed that they had restored their files independently and no longer needed the decryptor. This was a significant turning point in the negotiation.
- Attacker's Reaction:
In response to the victim's claim about restoring their files, Conti dismissed the statement and continued to pressure the victim for payment, threatening publication of data if no reasonable offer was made.
- Continued Negotiation:
The negotiation continued with the victim making several counter-offers ($65,000, then $56,800 for a single decrypted machine plus a deletion log, then $127,500, $155,000, $175,000, $250,000 and $300,000) while emphasizing its financial constraints, and Conti lowering its demand in stages ($800,000, $700,000, $672,500, a "super offer" of $400,000 that it withdrew back to $650,000, then $350,000). Both parties finally agreed on $325,000.
- Final Agreement:
The victim and Conti agreed on $325,000, paid in three installments ($150,000, $150,000 and $25,000) to a Bitcoin address supplied by Conti, in exchange for the decryptor, a file tree of the exfiltrated data, a deletion log and a promise not to publish. Conti sent the decryptor after the final payment, the file tree several days later after the victim chased it, and a "shred" archive presented as the deletion log after that. Neither the deletion log nor the promise not to publish is something the victim can independently verify. The victim's closing request for details of how the network was breached has no reply in the log.
Original Chat Logs:
Victim: Hi, we got a note to go to this website. Please help!
Victim: hello?
Attacker: Welcome! We are ready to help you.
Attacker: Welcome! [redacted]
Attacker: You need to pay to decrypt your files. Your price is $900,000.
Attacker: Your network was hacked, workstations encrypted, and we downloaded a lot of private information from your servers. Note that we have also downloaded a lot of data from your network which, in case of not making payment, will be published on our website. You need to pay this amount and we will give you the decryptor for your whole network, a file tree of what we downloaded from your network, and a wiping log for that information. If you spend 3 days in silence we will start publishing the information.
Attacker: We will also try to find a buyer for your data and access to your network if you refuse to pay.
Victim: Hi, thank you for the message I will tell leadership.
Victim: Hello, I spoke with leadership and they told me that they can't afford that amount, and they are still trying to find bitcoin. They said they would pay $55,000 if you would take that, they have someone with that much bitcoin now.
Attacker: While you continue to communicate with scripts and offer such ridiculous amounts, do not expect in response an adequate price reduction. Reputation is expensive.
Victim: I have no idea what that's supposed to mean. I'm just relaying what they can pay now. If you can't take that then say so and I'll tell them.
Attacker: Your offer has been rejected. Make a realistic offer based on our offer.
Victim: Ok I've let them know. Leadership would like to know what data you stole from us, can you show us proof?
Attacker: Expect a lot of evidence.
Victim: Will you please stop with the sarcastic responses? I will be as blunt as you are, although more to the point: do you want to get paid? If so, then let's treat each other with respect and work a deal out. Otherwise you are wasting both of our time, this will go nowhere, and you can trust that I will let everyone know how unprofessional Attacker is. This will have severe impact on your ability to be trusted, collect any future ransoms, etc. Maybe you don't care, but I promise it will be known if you continue to act in bad faith. I would like some evidence that you have our data, our leadership team and I think this is a reasonable request. Please respond with something useful to the conversation. Thanks.
Attacker: You'll get them, wait. That's all we said. Everything will be OK. We'll get you a package of evidence. Wait.
Attacker: [redacted]_PROOF.7z [ 1.2MB ]
Attacker: [redacted]_NTLM [ 58kB ]
Attacker: [redacted]_HOSTS.csv [ 61kB ]
Attacker: 30%tree[redacted].txt.7z [ 146kB ]
Attacker: We will send you 30% of the file tree, you will select any 3 pcs of non-sensitive information and we will provide them to you as evidence.
Attacker: IT'S YOUR TURN TO PROPOSE. Your information has not been sold to anyone. Until we communicate with you, this will not happen. Let us have a more active and substantive conversation. About the money!
Victim: Can you provide the password that we need to open the .7z files?
Attacker: Pass: 123123
Victim: Thank you, we've reviewed the files. The leadership team has found another $10k to pay you, will you accept $65k for the decryptor and to destroy our files?
Attacker: Your offer has been rejected. Make a realistic offer based on our offer.
Victim: Hi, thank you for the response, I will let the leadership team know.
Victim: Hi, I relayed your message to our leadership. They responded that your offer is not realistic, there is no way for them to get that much money to pay you, that you should consider they are a small business and you should ask a small business size ransom. They may be able to get more money to pay you but nothing like what you are asking. It is just a fact. They ask if we could discuss something more realistic?
Victim: We do not have cybersecurity insurance, we are having to scrape together money that was budgeted for other projects. You've already hurt the business enough with the disruption, but to ask more for ransom means you hurt us a second time. Please consider that and let us pay you the $65k that we have available so we can all get back to normal.
Attacker: $65,000 and $900,000: why do you think we should agree to 1/14? Your proposal is not even close to what you can talk about and think about.
Attacker: Your offer has been rejected. Your offer should be reasonable and based on our offer!
Victim: We would like to purchase 1 computer. Using your math above, we can pay you 1/500 of $900,000 for each computer, which is $1,800. We will also pay $55,000 if you provide deletion and file tree. Can you sell us 1 computer unlocked? If this works maybe we buy more. Also you must provide evidence of deletion and file tree. This for $56,800.
Attacker: The decryptor works for the entire network. We have no offer for one computer. We expect a reasonable offer from you before the end of the week; if the offer does not come from you, we are forced to start publishing. But we are ready to take steps to meet. Our offer given your offer is $800,000.
Victim: Hi, we would appreciate you removing the deadline you just set. In our opinion, deadlines are a bad idea. We have nothing to negotiate with you until the deadline is removed. We simply want to be able to discuss options and think through the best course of action without the added stress of a countdown. We would appreciate the professional courtesy.
Attacker: And we would appreciate it if you stopped making funny suggestions. In our view, this is a bad one and leads you to publish. We have nothing to negotiate with you until a reasonable amount is offered based on our offer. We do not want to discuss funny values. Will be professional and understand what we wrote to you. Read several times if you do not understand the reason for such actions on our part.
Victim: We have confirmed that all of our data has been restored. I can provide you with screenshots to prove this if you need me to. We don't need your decryptor. That said, we are interested in your promise not to disclose our data, and a deletion log, if you are still interested in selling. We offer $127,500 for your promise not to disclose and if you provide us with a file tree/deletion log. This is the maximum amount of cash that we can dedicate to this. We spent the last 4 days finding the extra cash. Awaiting your response.
Attacker: We see a constructive dialogue and take a step towards a meeting. Our new proposal is $700,000.
Attacker: Evaluate our steps. You can negotiate with us. But offering funny amounts is not the best way for you. It leads to publication.
Victim: Let me help you understand something: the only thing of value you possess is your promise not to disclose our data. If you "publish" "publication" or anything else related to this, you will get nothing.
Victim: That is why I suggested that you remove your deadline; it does neither you nor us any good. If you publish because of a self-inflicted "deadline", you will get nothing.
Victim: Now on to the price. Please stop trying to sell me the decryptor. Please let your boss know that we will pay $127,500 for your promise not to disclose/publish and proof of what you took and proof of the deletion of what you took. Standing by.
Victim: Also, it took 22 hours to get a response earlier. This is also another reason why a deadline is a bad idea. Please rescind the deadline so that we may reach an accord; otherwise this will end with zero payment if you disclose.
Victim: [redacted] Confidential Server.jpg [ 32kB ]
Victim: Proof of our data restored/systems operational:
Victim: [redacted] Desktop Screenshot.JPG [ 239kB ]
Victim: [redacted] Development Tools.jpg [ 202kB ]
Victim: [redacted] Domain Controller.JPG [ 70kB ]
Victim: [redacted] VM Console.JPG [ 75kB ]
Attacker: You want to show me your steel eggs? We have stronger ones. Look we're not interested in your funny offer and if you don't offer better, you will be published and this is not communication. You're not the first and we know what smart dialogues look like.
Victim: How much for just deletion of the data? We just need that, your promise and proof that you deleted the data. Can we do business? $155k for that?
Attacker: We see a constructive dialogue and take a step towards a meeting. Our new proposal is $672,500.
Victim: Hi, I understand you are trying to get the most money you can from this negotiation. Here's your dilemma: if you publish, you get nothing, and we only want your promised and proof that you destroyed everything. You are negotiating as if we are still trying to buy the decryptor so we can get our data back.
Victim: We already have our data back.
Victim: We only want to buy your promise not to disclose the data you stole, and proof that you destroyed it. You've already threatened us with disclosing it. This is not "smart dialogues," I'm just stating facts here.
Victim: And the fact is we have very limited money and if you insist on asking us to pay this much, or if you disclose or publish, you will get nothing. Can you please check with your higher ups (boss) and explain to them the situation so that maybe they understand the value exchange we are proposing?
Victim: If we needed the decryptor, I could understand you continuing to ask for the massive amount you're requesting; however, we don't need the decryptor. We just want your promise and proof you've destroyed our data. How much is that worth to you? If we can't get to a number that is realistic and affordable for us, you will get nothing.
Victim: Also, we cannot pay until Tuesday when the banks open again (Monday is a holiday) IF we can settle on a price.
Victim: You threatened us with a deadline at the end of this week. I would appreciate it if you removed that deadline so that we can continue discussing price. Again, if you publish, you get nothing. Standing by.
Attacker: Reputation is expensive; of course $155k is good money but it is still not enough. If you want this dialogue not to last long and resolve the issue quickly, we can make a super offer given that you do not need a decryptor: super offer $400,000 and we agree.
Victim: Thank you for your willingness to work with us on price. As I mentioned, money is in short supply. I have been authorized to increase our offer to $175k with a promise to pay Tuesday for your promise and proof of deletion. Please understand we are not able to offer more and will have to pay in at least two separate payments (1 big 1 smaller). If this is okay, we can agree and prepare everything for Tuesday.
Attacker: You didn't appreciate our offer. When we make such discounts, we expect retaliatory steps from your side as well; otherwise it's just wasting time—our time is expensive! Your price returns to original considering your offer is now $650,000.
Victim: Hi, your withdrawal of the price creates serious confidence and trust issues for our leadership team. We offered all we could in support of your new price; now you've withdrawn it again? We need serious prices only—continuing to dither on price will result in nothing! Please reconsider.
Attacker: We offered you a serious price; in turn, you've shown frivolity by wanting games with us with an increase in offers by $20,000! You didn't appreciate the seriousness of our move; fix it!
Victim: You can characterize our offers however makes sense for your narrative; however, you're holding nothing in your hand right now! If you're looking for productive conversation let’s start at $175k and see where it goes. We have approval processes for money requests; it comes in small increments—just how our leadership operates! If that's an issue then sorry; but remember—you attacked us!
Attacker: Offer of $175k rejected! Make the best offer!
Victim: I will inform leadership.
Victim: Our final super-offer is $250k; we can begin payment today! Standing by.
Attacker: Super offer: $350,000—and we agree!
Victim: Hi! I informed leadership about declining our super-offer along with your new one!
Victim: I’ll return with their response shortly!
Victim: Hi! Leadership replied stating that if you're unable to accept our $250k just for deletion, then please give us the decryptor, destroy our data, and promise not to disclose it, all for $300k!
Attacker: $325,000—and we agree!
Victim: Ok! I'll inform leadership accordingly! We'll give files proving decryption capability prior to payment once approved; we can do $150k per day after approval from them!
Victim: Leadership agrees with $325k! We'll begin payments tomorrow; should take till Tuesday completely!
Victim: We'd like file tree from you after partial payment tomorrow; rest post-final payment; let us know if you're okay with that!
Victim: Should wait until final payment for all items; just let us know—but file tree would help now rather than later!
Victim: Please provide payment instructions & address!
Victim: Hi! We're nearing end-of-day on being able make payment today; need payment instructions!
Attacker: BTC wallet: [redacted]
Attacker: Amount: $325,000
Victim: Hi! First payment sent ($150k); next due in 24hrs ($150k); final within further 24hrs ($25k).
Victim: Hi! Second payment sent ($150k); next due in another 24hrs ($25k).
Victim: Can you acknowledge payment?
Attacker: Yes!
Attacker: Waiting on remaining $25k!
Attacker: Two-thirds payments accepted!
Victim: Thank you; next payment today!
Victim: Last payment just sent (third installment): $25k!
Victim: Please provide file tree, deletion log & decryptor once payment confirmed!
Attacker: Wait...
Attacker: [redacted]_decryptor.exe [ 103kB ]
Attacker: Decryptor:
- Launch under Administrative rights
- Wait till window closes
- If any files haven’t changed back extension—repeat steps 1 & 2
Victim: Hi! We'd like file tree & destruction log please!
Victim: Hi! Still waiting on file tree & destruction log!
Victim: Hi! Finished paying Monday; it's Friday—please provide file tree & destruction log!
Attacker: Within 48 hours you'll receive everything; small technical faults.
Attacker: [redacted]_tree.zip [ 589kB ]
Victim: Hi! Thank you for file tree—can please provide deletion log?
Attacker: The deletion's still in progress; you'll receive log as soon as complete!
Attacker: [redacted]_shred.zip [ 6.2MB ]
Victim: Thank you! Now that we've paid ransom amount—would you let us know how breached so necessary precautions could be taken moving forward?