Non-Profit Charity in Survival Mode: A Ransomware Attack Story

These chat logs record a negotiation between the ransomware group Akira and a non-profit organization whose data was encrypted in a cyberattack. The attackers demanded a ransom in exchange for unlocking the data, proving they had deleted it, and providing a security report. They opened with a hefty amount but lowered it after some back and forth. The non-profit asked for a cheaper deal, explaining that its charity work leaves it with little money to spare, and in the end the two sides settled on a payment of $100,000. The logs show how the talks went back and forth over the ransom and the non-profit's finances, and how the attackers sent the decryption tools and security advice right after receiving payment.
Important Facts:
- Ransomware Group: Akira
- Duration: 11 days
- Total Messages: 107
- Paid: Yes
- Initial Attack and Extortion Tactics:
  - Akira initiated contact by informing the victim of data exfiltration and asserting that "dealing with us is the best possible way to settle this quick and cheap."
  - They provided a list of stolen files (List.txt, 812 KB) and offered to provide proof of possession and decryption capabilities to build trust (or pressure).
  - Akira explicitly stated their intent to calculate a "fair demand" based on the victim's financial information, which they claimed to have accessed ("bank statements, net income, cyber liability limits, financial audits").
- Victim's Plea and Emphasis on Non-Profit Status:
  - The victim immediately highlighted their non-profit mission and the detrimental impact of the attack on vulnerable individuals: "Why would you do this to us? We are a non-profit organization who offers free services for poor and homeless women. This is a terrible thing that has happened to us and you are hurting these women the most by this action."
  - They repeatedly emphasized their limited financial resources, stating, "We are a non-profit. We don't have much money" and later, "all of our funds coming in is not income. It is spent on the free services we provide..."
  - The victim desperately appealed to the attackers' sense of humanity: "Please consider being more reasonable and think about if one of these women was someone you care about. Someone you love. You have to have some sense of humanity inside you to do the proper thing here."
- Attacker's Justification and Business-like Approach:
  - Despite acknowledging the victim's non-profit status, Akira maintained a business-like approach. They countered the victim's pleas by arguing for the importance of security: "If you care for people and are responsible for them you should protect them."
  - They leveraged the fact that they had obtained sensitive information about the people the victim serves: "If you take a look at the list we gave you, you would see what kind of information we obtained about the people you are in charge of."
  - They also alluded to the victim potentially having cyber insurance: "But as you have cyber insurance, you can prevent the leak."
- Negotiation of Ransom Amount:
  - Akira initially proposed a $250,000 ransom for a "whole deal" including decryption, data removal evidence, a security report, and guarantees.
  - The victim's initial counter-offer was significantly lower at $50,000, which Akira deemed unacceptable ("We can't accept this modest amount for sure. You had to start with 6 figure sums at least.").
  - Akira demonstrated some flexibility, stating they would ask "what you can afford" but ultimately aimed for a substantial payment, having reviewed the victim's financials.
  - The negotiation involved multiple counter-offers, with Akira gradually reducing their demand from $250,000 to $190,000, then to $170,000, and finally settling at $100,000.
  - The victim repeatedly stressed their financial constraints and the potential impact on their services, eventually securing donations to reach the final agreed amount.
- Proof of Decryption and Data Removal:
  - Akira provided samples of encrypted files and then the corresponding decrypted versions to demonstrate their ability to restore the data.
  - After payment confirmation, Akira provided "Deletion [redacted].txt" (2.05 MB), presumably as evidence of data removal.
- Security Report and Guarantees:
  - As part of the deal, Akira provided a "security report on vulnerabilities we found." This report contained common cybersecurity recommendations, suggesting the attackers exploited weaknesses in the victim's security posture. Examples include:
    - Cautioning against opening suspicious emails and links.
    - Emphasizing the use of strong, frequently changed passwords and avoiding password reuse.
    - Recommending the implementation of Multi-Factor Authentication (2FA).
    - Advising the use of the latest software versions and regular updates.
    - Suggesting the use of antivirus solutions and traffic monitoring.
    - Recommending a jump host for VPN with unique credentials.
    - Advising the use of backup software with cloud storage and token key support.
    - Highlighting the importance of employee cybersecurity training ("the most vulnerable point is the human factor and irresponsibility of your employees, system administrators, etc.").
  - Akira also reiterated their guarantees not to publish or sell the data and not to attack the victim in the future.
- Attacker's Insight into Attack Vector:
  - The security report revealed the attacker's initial access method: "Initial access to your network was purchased on the dark web. Then kerberoasting was carried out and we got passwords hashes. Then we just bruted these and got domain admin password." This provides valuable information about the attack chain.
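The kerberoasting step in that attack chain leaves a recognizable trace on domain controllers: one account requesting RC4-encrypted (TicketEncryptionType 0x17) service tickets for many distinct service accounts in a short burst. The following added example (not from the chat and not part of Akira's report) parses a constructed, simplified key=value rendering of Windows Security event 4769 and flags such bursts; the field names follow the real event, while the one-line log format, account names and addresses are made up for the sample.

```python
"""Flag kerberoasting-style bursts in Windows Security event 4769 (TGS request)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a simplified one-line-per-event rendering of 4769 events.
# Field names mirror the real event; every value below is made up.
SAMPLE_4769 = """\
2024-05-06T09:00:01Z 4769 TargetUserName=WS01$@CORP ServiceName=WS02$ TicketEncryptionType=0x12 Status=0x0 IpAddress=10.0.1.11
2024-05-06T09:00:05Z 4769 TargetUserName=jsmith@CORP ServiceName=svc_sql TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.1.50
2024-05-06T09:00:06Z 4769 TargetUserName=jsmith@CORP ServiceName=svc_backup TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.1.50
2024-05-06T09:00:06Z 4769 TargetUserName=jsmith@CORP ServiceName=svc_web TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.1.50
2024-05-06T09:00:07Z 4769 TargetUserName=jsmith@CORP ServiceName=svc_exchange TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.1.50
2024-05-06T09:00:08Z 4769 TargetUserName=jsmith@CORP ServiceName=svc_sharepoint TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.1.50
2024-05-06T09:00:09Z 4769 TargetUserName=jsmith@CORP ServiceName=krbtgt TicketEncryptionType=0x12 Status=0x0 IpAddress=10.0.1.50
2024-05-06T09:15:00Z 4769 TargetUserName=alee@CORP ServiceName=svc_sql TicketEncryptionType=0x12 Status=0x0 IpAddress=10.0.1.60
2024-05-06T09:20:00Z 4769 TargetUserName=alee@CORP ServiceName=svc_web TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.1.60
"""

RC4_HMAC = 0x17  # TicketEncryptionType for RC4-HMAC; AES tickets are 0x11 / 0x12


def parse_4769(text):
    """Parse the constructed key=value lines into dicts; skip anything that is not a 4769."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[1] != "4769":
            continue
        ev = {"time": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")}
        for kv in parts[2:]:
            key, _, value = kv.partition("=")
            ev[key] = value
        ev["enc"] = int(ev.get("TicketEncryptionType", "0"), 16)
        events.append(ev)
    return events


def detect_kerberoasting(events, window=timedelta(minutes=5), min_services=4):
    """Return {requesting account: sorted services} for accounts that obtained RC4
    service tickets for at least `min_services` distinct user-style SPN accounts
    within `window`. Computer accounts ($) and krbtgt are ignored: their keys are
    long and random, so tickets for them are not useful to a password cracker."""
    per_user = defaultdict(list)
    for ev in events:
        svc = ev.get("ServiceName", "")
        if ev["enc"] != RC4_HMAC or ev.get("Status") != "0x0":
            continue
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        per_user[ev["TargetUserName"]].append((ev["time"], svc))
    findings = {}
    for user, requests in per_user.items():
        requests.sort()
        for i, (start, _) in enumerate(requests):
            # sliding window: distinct services requested within `window` of `start`
            services = {svc for t, svc in requests[i:] if t - start <= window}
            if len(services) >= min_services:
                findings[user] = sorted(services)
                break
    return findings
```

Lowering the RC4 threshold to zero distinct services by auditing which accounts still request RC4 tickets at all is the usual follow-up, since enforcing AES on service accounts removes the cheap-to-crack ticket type the report describes.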
Quotes from the Original Source:
- Attacker: "dealing with us is the best possible way to settle this quick and cheap."
- Victim: "Why would you do this to us? We are a non-profit organization who offers free services for poor and homeless women. This is a terrible thing that has happened to us and you are hurting these women the most by this action."
- Attacker: "If you care for people and are responsible for them you should protect them."
- Attacker: "We're well aware that you're a charity. We also know that you have enough funds to cover our initial demand."
- Victim: "This would break us and we would have to shut down. We wouldn't be able to help anyone then."
- Attacker: "Initial access to your network was purchased on the dark web. Then kerberoasting was carried out and we got passwords hashes. Then we just bruted these and got domain admin password."
- Attacker's Security Advice: "None of your employees should open suspicious emails, suspicious links or download any files, much less run them on their computer... Instruct your employees as often as possible about online safety precautions; the most vulnerable point is the human factor and irresponsibility of your employees, system administrators, etc."
- Attacker: "Thank you for working with us and your careful attitude toward your security." (A seemingly sarcastic remark given the attack).
Full Chat Log
Attacker: Hello. You've reached Akira support chat. Currently, we are preparing the list of data we took from your network. For now, you have to know that dealing with us is the best possible way to settle this quick and cheap. Keep in touch and be patient with us. We will reach out to you soon. Do you have permission to conduct a negotiation on behalf of your organization? Once we get a response you will be provided with all the details.
Victim: Yes, I am authorized to speak with you on behalf of our organization. Why would you do this to us? We are a non-profit organization who offers free services for poor and homeless women. This is a terrible thing that has happened to us and you are hurting these women the most by this action. We desperately ask you to reconsider what you have done and let us get our operations back to normal as quickly as possible. These people need our help and we need yours to get back to normal. We beg of you to do the right thing here.
Attacker: So, let's do the right thing here: settle this quickly and the people you care for will continue getting help.
Attacker: List.txt // 812 KB
Attacker: These files were taken from your network prior to encryption. You can pick 2-3 random files from the list and we will upload them to this chat as proof of possession. To prove that we can properly decrypt your data you can upload 2-3 encrypted files to our chat and we will upload decrypted copies back.
Victim: So what is it you want from us if you don't care to help reverse what you have done?
Attacker: We're looking through your files to calculate a fair demand to you. I will let you know the sum shortly. We offer:
- full decryption assistance;
- evidence of data removal;
- security report on vulnerabilities we found;
- guarantees not to publish or sell your data;
- guarantees not to attack you in the future.
Let me know whether you're interested in a whole deal or in parts. This will affect the final price.
Victim: We need everything back to normal.
Victim: We are a non-profit. We don't have much money.
Attacker: We won't ask much money. We will ask what you can afford.
Attacker: So, we've gone through your files to define your financial abilities. We've been looking through your bank statements, net income, cyber liability limits, financial audits - all the info that might help us calculate our demand to you. We're willing to set a $250,000 price for ALL the services we offer.
Victim: Don't let the financials confuse you. We are a non-profit, meaning all of our funds coming in is not income. It is spent on the free services we provide to more than [redacted],000 women every year. Food, housing, counseling, and many other services to help these women survive. We do all of this for free and all of the money we use for this is donated to us. If we give you that kind of money then it means there are many people that we can’t help. That means people that can’t eat or have a place to sleep. Please consider being more reasonable and think about if one of these women was someone you care about. Someone you love. You have to have some sense of humanity inside you to do the proper thing here.
Attacker: We are not really confused by your financials. If you care for people and are responsible for them you should protect them. If you take a look at the list we gave you, you would see what kind of information we obtained about the people you are in charge of. How did it happen? They were not protected enough and their documents were stolen. Imagine that docs were someone's you really care about. But as you have cyber insurance, you can prevent the leak. So do this. Let me know if you are interested in proofs or a test decryption so we can speed everything up. If you act quick, we can give you a 20% discount.
Victim: Please show these 3 files.
Victim: [redacted].xls
Victim: [redacted].pdf
Victim: [redacted].pdf
Attacker: Please wait.
Attacker: [redacted].rar // 304 KB
Attacker: Do you want to check our decryption tool?
Victim: Yes, we want to check, but need to access the files. We don't have them yet.
Attacker: When can we expect the files approximately?
Victim: [redacted].vbm.akira // 797 KB
Victim: [redacted].vbm.akira // 515 KB
Victim: [redacted].vbm.akira // 844 KB
Victim: Please show us you can unlock these.
Attacker: We will upload them decrypted soon.
Attacker: [redacted].vbm // 797 KB
Attacker: [redacted].vbm // 515 KB
Attacker: [redacted].vbm // 844 KB
Attacker: You can review the files.
Victim: We are going to have to find where we can raise the funds to pay for this. As a homeless shelter all of our money is donations and we don't have this much money so we are going to see what we can come up with. We can get back to you on Monday so that we can hopefully make a deal.
Victim: We just checked these files and there are no changes. They are still encrypted.
Attacker: We will review and get back to you.
Attacker: [redacted].vbm // 796 KB
Attacker: [redacted].vbm // 514 KB
Attacker: [redacted].vbm // 844 KB
Attacker: Please check these.
Attacker: We will wait until Monday for your offer. Have a good weekend.
Victim: As mentioned, it is very difficult for us to have much money. What we are able to offer you at this time is only $50,000. Please understand that as a homeless shelter this is 200 times more money than we started off with as an organization. We rely on this money to serve the homeless community and we still hope and pray you will take pity on us, and offer to get us back for free. If you can find the goodwill within yourselves that is.
Attacker: We can't accept this modest amount for sure. You had to start with 6 figure sums at least.
Victim: What are we supposed to do if we don't have that kind of money? We are a charity! Why can't you help us out? We're trying to give you something here. We're doing what we can.
Victim: Is there something you can do for us so we can pay you an amount that you can accept? This is our operational funds we have to use. That means degradation of our services to the people we are helping.
Victim: *degradation
Attacker: We're well aware that you're a charity. We also know that you have enough funds to cover our initial demand. Anyway, leadership has approved a $190,000 amount. The best option for you is to get back on track and continue to help people.
Victim: I thank you for working with us. This is greatly appreciated. However, I don't know how to make you understand WE DON'T actually have the funds to cover the initial amount, and to be frank even this amount. This would break us and we would have to shut down. We wouldn't be able to help anyone then. The homeless shelters we have operated for over 50 years would have to shut down. The cold weather is quickly approaching and that would mean thousands of women we wouldn’t be able to house who will face even more challenges than they already have. In that case, it wouldn’t make sense to pay you if it means maintaining our survival. I will go back and see what we can do, but we ask you to please do the same. Please visit our website and see our mission and the people who are depending on us. [redacted]. Let’s work together on a solution where we all get what we want. I’ll get back to you after I see what we can do more.
Attacker: Standing by.
Victim: Because of all the expenses from this incident and what we have to pay to recover, we don't have the operational funds on our own to cover everything plus pay you. Luckily I have found someone gracious enough to donate some money to us. The additional amount we can secure will bring us up to $75,000. Please tell us you will accept this because otherwise, we won't have any options left.
Attacker: Thank you for the update. We see that you want to resolve the incident with us, so we can come down with the price and accept $170,000. We can wait a bit for a better offer from you. Maybe there will be another donation that will allow you to finish our deal.
Victim: Can I speak with your boss or someone else higher? Because I don't think you understand. If we can't work out a deal then you're going to get nothing. I don't know how we can get more to give you.
Victim: I'm having a nervous breakdown here, worried sick about our organization. Please answer me. We really need to figure out a solution to this problem. We don't have that kind of money.
Attacker: I'll let you know soon.
Victim: Thank you.
Attacker: My team is pretty aware of the situation. It was confirmed to me that we cannot accept any sum less than 6 figures from you. We'd like to finish this quickly but there are rules.
Attacker: Well, we've discussed the case internally. Taking into account your financial situation my leadership decided to move towards you and receive $135,000 for closing the case.
Victim: I wish we had that much to give you so we can finish this process. Unfortunately, we do not have that. After moving some things around on our side and making additional cuts, I can offer you $88,500 and then we can be done. That's the best I'm able to do during this difficult time for us.
Victim: I'm hoping this is close enough to 6 figures for you to consider.
Attacker: We see that we are close to resolving as never before. So we're ready to accept $100,000 within the next 24 hours. So there is an extra discount from us and you have time to gather the sum. I suppose that is the best finish for both sides at this moment. You can fund this BTC wallet when you are ready [redacted].
Victim: I will see what I can do to get there. I'll let you know. Thanks.
Victim: Just so I'm clear, all of these things you said you would give are still applicable? "1) full decryption assistance; 2) evidence of data removal; 3) security report on vulnerabilities we found; 4) guarantees not to publish or sell your data; 5) guarantees not to attack you in the future."
Attacker: Yes, they are.
Victim: Okay thanks. I'll be in touch.
Attacker: Standing by.
Victim: Okay, we have figured out the funding and can pay you $100,000. We will work on getting this to you today. I will let you know more on timing as it gets closer.
Attacker: OK. Thanks.
Victim: We are ready. The address [redacted] is correct?
Victim: Hello?
Attacker: Yes, the address [redacted].
Victim: Thanks. Stand by for payment.
Victim: Payment has been sent.
Victim: Please confirm you received it.
Attacker: We confirm the receipt. Please wait.
Victim: How long do you think it will take?
Attacker: decryptors.zip // 3.04 MB
Attacker: unlocker.exe -p="path_to_unlock"
unlocker.exe -s="C:\paths.txt"
where "paths.txt" is a list of paths for the decryptor, each path on a new line; same arguments work with the esxi decryptor.
Victim: Thank you. Please provide proof of data removal and the security report on vulnerabilities you found.
Attacker: Please wait for the rest items within 24 hours.
Victim: Any update for me?
Attacker: Wait a bit.
Attacker: Deletion [redacted].txt // 2.05 MB
Attacker: Initial access to your network was purchased on the dark web. Then kerberoasting was carried out and we got passwords hashes. Then we just bruted these and got domain admin password. Spending weeks inside your network we've managed to detect some fails we highly recommend eliminating:
- None of your employees should open suspicious emails, suspicious links or download any files, much less run them on their computer.
- Use strong passwords; change them as often as possible (1-2 times per month at least). Passwords should not match or be repeated on different resources.
- Install 2FA wherever possible.
- Use the latest versions of operating systems, as they are less vulnerable to attacks.
- Update all software versions.
- Use antivirus solutions and traffic monitoring tools.
- Create a jump host for your VPN. Use unique credentials on it that differ from domain ones.
- Use backup software with cloud storage which supports a token key.
- Instruct your employees as often as possible about online safety precautions; the most vulnerable point is the human factor and irresponsibility of your employees, system administrators, etc. We wish you safety, calmness, and lots of benefits in the future. Thank you for working with us and your careful attitude toward your security.