The Art of Negotiation: Inside a Dragonforce Ransomware Attack

Ransomware attacks remain a serious threat to organizations of every size. Below is a look at a negotiation between a victim and the ransomware group known as Dragonforce; the exchange shows how drawn-out and difficult these ransomware talks can be.
Important Facts:
- Ransomware Group: Dragonforce
- Data Exfiltration: Yes, the attackers confirmed that they had stolen files in addition to encrypting files on the victim's network.
- Initial Ransom Demand: $2,000,000, reduced to $950,000 after discussing financial details.
- Discount Offered: The reduced demand of $950,000, which the attackers claimed the victim could conceal within its tax reports.
- Data Leak Threat: The attackers threatened to publish the victim's data if payment was not made, and indicated that they would announce the publication of data on their blog if negotiations continued to drag on.
- Promises in Exchange for Payment: If paid, the attackers promised not to publish the files (and to delete them) and to provide a decryption program.
- Ransom Paid: N/A (the negotiation was still open when the log ends).
Timeline of Events:
- Initial Contact: The victim discovers their files are encrypted with the ".dragonforce_encrypted" extension, and a readme.txt file directs them to a negotiation site.
- Proof of Possession: Dragonforce sends a list of files they claim to have stolen from the victim's network and provides a sample decrypted file.
- Demand and Threat: Dragonforce demands money in exchange for restoring the encrypted data and deleting the stolen data, threatening to publish the stolen data on their blog if payment is not made.
- Victim Requests Proof of Decryption Capability: The victim uploads a small, scrambled file for Dragonforce to decrypt as proof of their ability to restore the data.
- Initial Price Quoted: Dragonforce initially demands $2,000,000 but reduces the amount to $950,000 after reviewing the victim's tax records.
- Victim Claims Inability to Pay: The victim explains that they are a public school with a limited budget and cannot afford the demanded ransom.
- Continued Negotiation: The victim asks for the lowest amount Dragonforce would accept.
- First Counter Offer: The victim offers $80,000.
- Second Counter Offer: Dragonforce counters with 2 Bitcoin (approximately $127,000).
- Negotiation Status: The negotiation remains open, with the victim expected to confirm a payment date if Dragonforce management approves the lower amount.
Original chat logs
Victim:
Hello? There was a readme.txt file with instructions to come to this site. Can you please explain what is going on? The files have .dragonforce_encrypted on the end of them and are not opening.
Attacker:
Hi, wait.
Attacker:
Attachment sent: tree_mastery.zip (3.38 MB)
Attacker:
Besides the fact that the files on your network are encrypted, you have also lost some of them. They are with us. Here is a list of them.
Victim:
What is this? A list of the files? What do you mean by 'lost'? Were they deleted?
Attacker:
We have these files. As well as a program to restore information on your computers.
Victim:
Okay. So in addition to scrambling the files, you also stole files? Are the files from this list (the files you stole) still on my computers?
Attacker:
Yes, that's right.
Victim:
All the filenames are scrambled so I don't know what files are what. For proof you can unscramble them, you say you need a certain file type, but I have no idea what files are what on my side.
Victim:
What do you want from me??
Attacker:
The architecture of the folders with your files is not broken. You can select a small file from a folder whose contents you know, and we will do a test decryption. Examples of such files are described in the rules, they cannot be critical data.
Victim:
I will try to guess and find the right files to decode. Without the filenames, I simply won't know for sure. Can you explain why you attacked me and what you want?
Attacker:
You've probably already used Google and know who we are and what we want. We will restore the data from you and delete the data from us after you pay. Otherwise, the data we have will be published. It is often not immediately believed that without payment we will actually publish the data. So check out our blog and make sure we do it.
Victim:
I think I understand all of that. But what do you want from me?
Attacker:
Money
Victim:
Here are 3 files from the list you sent me.
- [Redacted]20190304.xlsx
- [Redacted].msg
- [Redacted]23-24.pptx
Attacker:
Attachment sent: [Redacted]20190304.xlsx
Attacker:
Attachment sent: [Redacted].xlsx (42 KB)
Attacker:
Attachment sent: [Redacted].msg (87 KB)
Attacker:
Attachment sent: [Redacted]23-24.pptx (3.96 MB)
Victim:
Does the list of files you sent show all the files you took?
Attacker:
Yes
Victim:
I have 3 small scrambled files from a Windows computer. I have no idea what files they are, but are from a folder that shouldn't have anything important. How do I give these to you to prove to me that you can fix them?
Attacker:
You should have uploaded the decryption verification file in the previous step in this dialog. You had instructions on how to do it.
Victim:
How do I get back to that step?
Attacker:
We have now moved you to this step again. Try refreshing the page.
Victim:
Okay. I put 1 of the files through.
Attacker:
You have made sure that we have your files and we have a file recovery tool on your network.
Attacker:
Have you already assessed the situation and are ready to discuss payment, or would you like more time? As per our rules, I will need to make an announcement regarding the publication of your data on our blog tomorrow if negotiations continue to drag on.
Victim:
What negotiations? I asked what you want and all you say is money. I'm not sure what I'm missing or should do at this point. I am waiting for you to tell me what you want.
Attacker:
Attachment sent: 2023 Form 990 for Mastery Schools.pdf (583 KB)
Attacker:
Do you know this document?
Attacker:
Usually, for a company of your size, the amount is $2,000,000. But since you are filing tax reports on Form 990, we are ready to reduce it to $950,000. This way you can hide it in the reports and keep the whole incident a secret.
Victim:
I know you have my files. You already proved this. What do you want?
Attacker:
$950,000
Victim:
We are talking through everything and trying to process next steps. Can you confirm for us what we would get if we were to pay you?
Attacker:
Read the F.A.Q., there are answers. More specifically, we will not publish your files (we will delete them) and you will also receive a decryption program.
Victim:
We are meeting next week with finance to see how much we can pay. I'll be back after the weekend. Thanks
Attacker:
Okay, I get you. I will turn off the timer until Friday next week, to facilitate negotiations. Can you name a day when you will have an answer?
Victim:
We are meeting about this now and we simply don't understand why you are asking for so much. Your price is just so high that we honestly don't see anything we can do on our end. We know you have all of our files and know exactly how much money we have, but why ask for more money than you know we have? Paying you seems impossible at such a high amount.
Attacker:
Earlier, I sent you the file with your tax records. These are the official documents that you submitted to the tax authorities. They show the amounts of your income and expenses. Is the information you submitted to the tax service unreliable?
Victim:
We are a public school. Our "income" isn't normal income like a company. We don't generate revenue and don't have income. We operate on a strict and tight budget.
Attacker:
We have reviewed your documentation, not just the file you sent us above. The amount you are being offered is significantly lower than what a commercial organization would receive.
Victim:
For that, we are appreciative. I don't mean to be disrespectful or unappreciative, but we just don't have the budget for a massive expense like this. You have all of our documents and can see this. Our athletic department doesn't even have the funds to travel to away sporting events so they are trying to raise funds with bake sales and car washes.
Victim:
Listen, I don't want to waste your time. Can you let me know the lowest amount you would be willing to accept so we can see if a payment is even possible?
Attacker:
I've given you the amount. Now I expect the amount from you. We will discuss this and eventually come to some figure. It usually happens like this. And if we are not talking about deliberately small amounts, then negotiations can go very quickly, to our mutual satisfaction.
Victim:
Okay. We will review the budget and see how much funding we can allocate to this, but please be aware that it won't be much. We also would like to arrive at a mutual agreement. I'll be back.
Attacker:
Ok
Victim:
We think we can pay something around $80,000.
Attacker:
It seems to me that you misspelled the amount there. You forgot one digit in the number: $800,000.
Victim:
No, not a typo. We can't offer what we don't have. Anything you can do to make this work?
Attacker:
There is one option. You raise the amount to 2 BTC exactly. Now it's about $127,000. And you name the date by which you will pay if we agree today. And I will try to explain to the management that despite the grants and sponsors, you don't have any more money and we can make such a deal. Perhaps the management will agree.
Victim:
We can't commit to anything before we take a closer look at our budget. This is a really large amount for us so we can't act on it instantly. Can we get back to you by the end of the week?
Attacker:
The longer the negotiations take, the more difficult it will be for me to convince the management of this amount. But as I promised you, the timer is stopped until the end of the week.
Victim:
Thanks
Victim:
Good morning. We've been meeting and working on this for a few days now and the most we are able to afford to pay is still $80,000. We are a public school and simply don't have the budget for something like this. That said, we are trying to get an appointment to meet with the State Education Board to see about obtaining an emergency grant. Due to the Jewish holiday, we won't be able to get an appointment until after the weekend. I know you've been very patient with us so far, so all I ask right now is that you continue to remain patient so we can meet after the weekend to try to get the funds to pay you. Is this okay?
Attacker:
On Monday, will you tell me the result and the date when you will make the payment?
Victim:
On Monday, I hope to know when we'll be able to meet with the State BOE. I'll let you know when we'll be able to meet with them. I know for any emergency funding requests, there's a vote that needs to take place and it could take a few days to be approved after the initial meeting.
Victim:
My guess is we'll meet on Tuesday or Wednesday and hopefully by Friday we should get approved, or at least have a good idea of when we'll be approved.
Attacker:
Ok. I will be waiting for information from you.
Victim:
Thank you. I know the timing isn't ideal for either of us, but I appreciate your patience.
Victim:
Good morning, I have good news. We have an appointment to meet with the State Board of Education on Wednesday. They are aware of the situation and that we will request emergency funding. After the meeting on Wednesday, I will be back to let you know how it went.
Attacker:
Ok, we will be waiting for information from you.
Victim:
Good news! We got an appointment to meet with the State BOE to explain the situation and to request emergency funding. We will meet with them on Friday afternoon. They said that they'll have to vote on the measure of the emergency funding request during their next closed-door session, which will happen on Thursday, October 17th in the morning. Once the voting is done, they will let us know right away and then I'll be back here to let you know.
Victim:
I know that's not until next week, but we'll just have to be patient because they are the only ones who can help. In the meantime, can you please explain in detail how the payment process works?
Attacker:
You will need to pay BTC to the wallet address given to you. To exchange USD for BTC, you need to use any intermediary that suits you. We will only accept BTC.
Victim:
Okay. We will start looking into that now. I'll be back after the vote next Thursday, the 17th. Once you have a bitcoin address for us to use, please provide it.
Attacker:
I can provide it right now. It has been added to the section for payment on your part. And the amount indicated is 2 BTC. Right now it's $123,660.
This in-depth exchange highlights how complicated dealing with ransomware gangs can become. It also underscores how important it is to have solid cybersecurity in place before an incident occurs.