Even If You "Win", You Still Lose: A Real Ransomware Case

Ransomware incidents often feel distant until they’re real — until your files are locked, your data is stolen, and you're forced to negotiate just to contain the damage. Many are now handled like business transactions — with calm messages, structured offers, and even “customer support” tones. This post looks at a real exchange between a company and the Akira ransomware group. The full transcript shows how the conversation started, how demands were made, and how payment was finally negotiated. It’s not just about encrypted files — it’s about strategy, pressure, and damage control. By looking at the actual words used on both sides, we can better understand how these situations unfold and what victims are really up against when facing a coordinated cybercriminal group.

The First Contact

The company reached out to the attackers after receiving instructions. Early in the exchange, the victim confirmed they were authorized to speak for the company. They clearly stated they were the negotiator and would handle talks on behalf of leadership.

“Yes, I am the negotiator with our firm and will be here on behalf of our bosses.”

Why They Said That

Telling the attackers that a negotiator was in charge wasn’t just for show—it set the tone. It told Akira that:

  • Someone informed was managing the situation
  • Emotions wouldn’t get in the way
  • The company was taking the matter seriously

This probably helped keep the interaction more businesslike and less chaotic. It also discouraged the attackers from wasting time with scare tactics or unrealistic demands.

“Do you have a permission to conduct a negotiation on behalf of your organization?”
“Yes, I am the negotiator...”

The Ransom Demand: $3.5 Million

Akira responded calmly and sent over a .rar file showing what they had stolen. They invited the victim to pick a few files, which they would return as proof.

“These files were taken from your network prior to encryption. You can pick 2-3 random files...”

They also outlined what the victim would get if they paid for the full “service”:

  1. Decryption support
  2. Proof of data deletion
  3. A security report
  4. A promise not to publish or sell the data
  5. A promise not to attack again

“Let me know whether you're interested in a whole deal or in parts. This will affect the final price.”

After reviewing the victim’s financials, Akira set the price at $3.5 million.

“We're willing to set a $3,500,000 price for ALL the services we offer...”

Testing and Confirmation

The victim confirmed interest and asked for three files back as proof. Akira sent them.

“Can we get these 3 files back please…”
“[redacted].docx // 20.8 KB… [redacted].pdf // 190 KB”

Akira also confirmed they stole 560GB of data.

“We took everything you see in the list. 560GB in total.”

To prove they could decrypt files, the victim sent over one encrypted file. Akira decrypted it and returned it.

“Can you please decrypt this.”
“Here is the file.”

Attempt to Negotiate

The victim said they might not need decryption help and asked how much it would cost just to keep the data private.

“At this point we may not need a key at all for our files back. What would the amount be if we do not want our data published?”

Akira responded with a lower price: $1.35 million for data privacy, deletion, and guarantees.

“Options 2–5 will be $1,350,000.”

The victim came back with a $135,000 offer. Akira responded harshly.

“Just ridiculous! You can keep your 10%. Your data will be posted this week.”

The company raised its offer to $250,000, saying more would require special approvals.

“We are willing to come to an agreement for $250,000.00 USD.”

Akira finally gave a deadline and a final price: $500,000 if paid by Friday.

“We agree to accept $500,000 if paid by Friday. Any other amounts will be rejected…”

Deal Reached, Payment Sent

The company accepted the deal.

“Hello, we have talked to the bosses, they will accept your offer.”

Akira provided a BTC wallet. The company worked on transferring the funds and later confirmed payment.

“The payment should have arrived. Please verify...”
“We have received the payment, thank you.”

What Was Delivered

Akira sent over the deletion logs.

“Deletion log file.rar // 8.24 MB”
“Here is the file. Please review.”

The company asked how the attackers got in. Akira replied:

“Initial access to your network was purchased on the dark web. Then kerberoasting was carried out… and we got domain admin password.”

Final Questions

The victim asked if Akira could share what credentials were used. The answer was no.

“Unfortunately, we do not have this information since your case was closed.”

Final Thoughts

This negotiation shows how ransomware has evolved into a structured business operation. Groups like Akira don’t act impulsively. They plan, gather data, and enter negotiations with clear pricing, offers, and a tone of professionalism that almost mimics customer support.

They reviewed the victim's financials, made calculated demands, and even adjusted their pricing based on responses. This wasn’t a chaotic extortion attempt—it was a staged process aimed at extracting the maximum amount with minimal resistance.

And that’s part of what makes it dangerous. These operations are effective because they appear "reasonable." They give victims the illusion of control. But in reality, even when the attackers deliver what they promise, the victim is left exposed. The company in this case lost half a million dollars, dealt with disruption to its operations, and still had to question whether all their data was truly deleted.

The case also highlights the importance of having someone experienced handle the negotiations. The company’s negotiator kept things focused, didn’t overreact, and avoided triggering escalation. That helped. But expertise only goes so far when you're already on the back foot.

The takeaway is simple: once you’re talking to a ransomware group, you're already in a bad place. Prevention is the only real defense.

Because even if you “win,” you still lose.

Full Transcript

Victim: Hello, we are with [redacted], and am writing to understand how we can get our data back please.

Victim: Hello we are with [redacted], we are writing you as you asked. How do we go about getting our data back please.

Attacker: Hello. You've reached an Akira support chat. Currently, we are preparing the list of data we took from your network. For now you have to know that dealing with us is the best possible way to settle this quick and cheap. Keep in touch and be patient with us. We will reach out to you soon.

Do you have a permission to conduct a negotiation on behalf of your organization?

Victim: Hi, ok we are waiting to hear back from you.  Understanding the data taken is important to us.  Yes, I am the negotiator with our firm and will be here on behalf of our bosses.  Thank you.

Attacker: Great. Please wait for the list of data we took. We need a bit time to sort this out.

Attacker: list.rar // 4.76 MB

Attacker: These files were taken from your network prior to encryption. You can pick 2-3 random files from the list and we will upload them to this chat as a proof of possession. To prove that we can properly decrypt your data you can upload 2-3 encrypted files to our chat and we will upload decrypted copies back.

We're looking through your financial papers to come up with a reasonable demand to you. We offer:

1) full decryption assistance;
2) evidence of data removal;
3) security report on vulnerabilities we found;
4) guarantees not to publish or sell your data;
5) guarantees not to attack you in the future.

Let me know whether you're interested in a whole deal or in parts. This will affect the final price.

Victim: Ok, thank you for this.  We will go through the list and get you the names of a few files.

Victim: We are interested in the whole deal please. How much of a price are you wanting?

Attacker: I will let you know shortly. We're analyzing your financial papers to come up with a fair amount.

Attacker: So, we've gone through your files to define your financial abilities. We've been looking through your bank statements, net income, cyber liability limits, financial audits - all the info that might help us to calculate our demand to you. We're willing to set a $3,500,000 price for ALL the services we offer:

1) full decryption assistance;
2) evidence of data removal;
3) security report on vulnerabilities we found;
4) guarantees not to publish or sell your data;
5) guarantees not to attack you in the future.

Let me know whether you're interested in a whole deal or in parts. This will affect the final price. Atm, we highly recommend that you refer to your cyber insurance to cover our amount quickly minimizing all upcoming risks.

Victim: Hello, thank you for this.  I am sending all of the above to the bosses.

Victim: Can we get these 3 files back please.

Victim:
2023-01-30 12:21  188495  188495  Shared Data\[redacted].pdf
2023-01-30 12:21  191586  191586  Shared Data\[redacted].pdf
2022-12-12 18:41   20922   20922  Acct HR Contracts\[redacted].docx

Attacker: Hello. We will provide the files shortly.

Attacker: [redacted].docx // 20.8 KB

Attacker: [redacted].pdf // 187 KB

Attacker: [redacted].pdf // 190 KB

Attacker: Here are the files. You can share some files for a test decryption.

Victim: Thank you for all of this. We are reviewing the listings. Is this all of the data you took? How much total? We are also working on getting some files for test decryption and should have them Monday.

Attacker: We took everything you see in the list. 560GB in total. We are waiting for the files on Monday.

Victim: Ok, I will send this to the bosses, thank you.

Attacker: Standing by. The faster you act, the more loyal my bosses are.

Victim: We are locating the files, hard to find smaller ones. I should have them to you tomorrow.

Attacker: You need to act a bit promptly. We are waiting for the files.

Victim: [redacted].iso.akira // 7.63 MB

Victim: Can you please decrypt this.  We can try to find more smaller ones if needed.

Attacker: please wait

Attacker: [redacted].iso // 7.63 MB

Attacker: Here is the file. Let's move to payment details. Do you need all five options we offer?

Victim: At this point we may not need a key at all for our files back.  What would the amount be if we do not want our data published?

Attacker: Options 2-5 will be $1,350,000.

Victim: I will relay this to the bosses.  Be back in touch.

Attacker: Speed things up on your part please. We can't drag this out anymore.

Victim: We will be seeing what type of funds we can come up with over the next few days, it is a weekend as well so our bank is closed.  This is a large amount of money, can you do this for less if we can get the funds over quickly come early next week?  Also, as we keep talking, please do not leak our name or data, we are wanting to resolve this too.  Thanks.

Attacker: My management often gives discount to clients who work promptly. If you offer on Monday will be good enough, we will move towards you, I think.

Victim: I will let the bosses know, be in touch Monday

Attacker: Waiting.

Attacker: Hello. What have you decided?

Victim: We are huddling up today to see what we can come up with quickly.  Be back in touch after our meetings.

Attacker: Hurry up please.

Attacker: Ok, it seems we will have to post your data.

Victim: Hello, sorry for the delay we are trying our best and trying to continue operations.  After reviewing the data and where we are at, we can get you quickly, 24 hours, $135,000 USD.  Will you accept so we can close this out?  Thanks.

Attacker: Just ridiculous! You can keep your 10%. Your data will be posted this week.

Victim: We are offering real money and talking in good faith, if our data/company is posted, we cannot. I have let the bosses know your last message, they are huddling back up, we will be back in touch. Please standby

Attacker: We're standing by for a real money, a real fair offer. Now you're talking nothing, no value for us AT ALL.

Victim: For where we are at, what data is in play here, we are willing to come to an agreement for $250,000.00 USD.  More than this will require lots of approval.  Please let's come to an agreement.  Thank you.

Attacker: I'll pass this to my team.

Victim: Ok please let us know.

Attacker: Well, the leadership is extremely upset by the progress of this negotiations. I'm authorized to negotiate until Friday. So we agree to accept $500,000 if paid by Friday. Any other amounts will be rejected and your data will be published early next week. You have a little time to come up with a decision, because from our side it has already been made and is not subject to revision. Waiting for your reply.

Victim: Hello, we have talked to the bosses, they will accept your offer. We have to work on the payment and are hoping it can come by Friday, keep in mind this is new to us and getting the BTC. Where are we to send the money?

Attacker: I will provide you with a BTC wallet ID in a few minutes.

Attacker: Here it is please: [redacted]

Please keep in mind that Friday is your deadline. Speed things up on your part and we will get this over.

Victim: We are in the works of this. We reached a deal with you and in good faith am working on payment. Thank you.

Attacker: Standing by, thank you.

Victim: Hello, I will let you know the status tomorrow morning, things are in the works.

Attacker: Hello. Thank you.

Victim: The payment should have arrived. Please verify and let us know when we get our deliverables. Thank you

Attacker: We have received the payment, thank you. Please wait for all the promised materials within 24 hours.

Victim: Hello, when can we expect our end of the agreement please?  Thank you.

Attacker: We will provide in an hour.

Victim: Ok we are waiting

Attacker: Deletion log file.rar // 8.24 MB

Attacker: Here is the file. Please review.

Victim: Ok, thank you for this.  How about the security report of how you got in?

Attacker: Initial access to your network was purchased on the dark web. Then kerberoasting was carried out and we got password hashes. Then we just brooted these and got domain admin password. Spending weeks inside of your network we've managed to detect some fails we highly recommend to eliminate:

1. None of your employees should open suspicious emails, suspicious links or download any files, much less run them on their computer.
2. Use strong passwords, change them as often as possible (1-2 times per month at least). Passwords should not match or be repeated on different resources.
3. Install 2FA wherever possible.
4. Use the latest versions of operating systems, as they are less vulnerable to attacks.
5. Update all software versions.
6. Use antivirus solutions and traffic monitoring tools.
7. Create a jump host for your VPN. Use unique credentials on it that differ from domain one.
8. Use backup software with cloud storage which supports a token key.
9. Instruct your employees as often as possible about online safety precautions. The most vulnerable point is the human factor and the irresponsibility of your employees, system administrators, etc.

We wish you safety, calmness and lots of benefits in the future. Thank you for working with us and your careful attitude to your security.

Victim: Ok, thank you. Do you know the creds you used? Who is the name, what type of system?

Attacker: I'll try to find out that from my tech team.

Victim: Any word back on which credentials were used from dark web?

Attacker: Unfortunately, we do not have this information since your case was closed.