No Time to Wait: Critical Data in a Ransomware Negotiation

This is a real conversation between a small business and the REvil ransomware group. The company was hacked. Their files were locked. They couldn’t access important systems. Some backups were still available, but recovery would take time — and they were already under pressure.
The hackers wanted money. A lot of it. And fast. The company had to figure out what to do, with no guarantee of anything in return.
What follows is the chat that took place — how they responded, what they offered, and what the hackers said back. You’ll see real quotes, real back-and-forth, and how quickly things escalated. The whole thing moved fast. Probably because the data was critical.
Here’s what happened.
It Started with a Message
"Don't panic! We are in business, not in war."
That’s what the attacker said first. Then they told the company everything had been encrypted. They asked for $300,000 to unlock it. If the company didn’t respond in 3 days, they said they’d leak the data.
"Posting on our blog and further publications in the media will lead to significant losses for your company: court and government fines, data recovery, loss of reputation..."
The company replied. They said they were just a small family business in Singapore. COVID had hit them hard.
"Our company is a small local family company, not a listed company… We could only fork up to US$20,000."
The attacker lowered the price to $75,000.
Trying to Find a Deal
The company didn’t give up. They came back with $40,000. They also asked to pay half now, and half after they got proof the decryption worked. They wanted to test the tool on two of their servers.
They were also clearly worried. What if they paid and got nothing? They asked how they could trust the attacker.
REvil said this:
"Use google 'REvil'"
That was their way of saying, “look up our record.” No links. No proof. Just a name.
REvil refused the 50/50 payment split. They did lower the price again — this time to $50,000 — but they wouldn’t move on anything else.
The Wrong Thing to Say
The company asked for test decryption. Just a few files. REvil agreed at first.
Then the company made a mistake.
"The Employee file is critical actually. Pls decrypt for us."
That gave it away. Now REvil knew which data mattered most. They refused to decrypt that file.
"Do you really take us for fools?"
"Send another file."
The company tried to backtrack.
"The Employee file is NOT critical actually."
But it was too late. The attacker didn’t buy it.
Everything got serious after that. Less chat. More pressure. The company agreed to pay the full amount in bitcoin — 1.295 BTC — about $50,000 at the time.
Payment and Decryption
The company said they would send the money in two parts. They asked REvil to confirm once the first transfer came through. The second followed right after.
REvil said they would wait for 3 confirmations on the blockchain before giving anything back.
"waiting till 3 confirmations, after that you can download decryption program"
Once the confirmations came through, they shared the decryption tool.
"Run as administrator. Turn off antivirus. Use GUI or CMD."
No thank you. No promises. Just a tool and a message saying it should work.
When Critical Data Speeds Things Up
This whole thing moved fast. It didn’t drag out for weeks. Once the attackers saw the data was important, everything changed. The company made decisions quickly. The hackers stuck to their price. Both sides wanted it over.
The company did what they could. They asked questions. Tried to lower the price. Tried to build trust. But in the end, they paid because they didn’t have a better option.
Ransomware isn’t just about locked files. It’s about pressure. It’s about what you’re willing to do when time’s running out and your data is on the line.
Full Transcript
Attacker: Hello,
We are REvil Group.
We want to inform you that your company's local network has been hacked and encrypted. We have all your local network data. The price to unlock is $300,000. For now we are keeping it a secret, but if you do not reply to us within 3 days it will be posted on our news site. Think about the financial damage to your stock price from this publication. In case of successful negotiations we guarantee that you will get decryptors for all your machines, non-recoverable removal of downloaded data and a security report on how you were hacked so you can fix your vulnerabilities. We hope that you can correctly assess the risks for your company.
You can find more information about REvil group in Google.
Posting on our blog and further publications in the media will lead to significant losses for your company: court and government fines, data recovery, loss of reputation, abandonment of clients, drop in limits.
But don't panic! We are in business, not in war.
We can unblock your data and keep everything secret. All we need is a ransom.
In this case, you also get: a security report, a complete tree of compromised data files, permanent deletion of downloaded data, and support with tips on unlocking and protecting.
Victim: Hi,
Our business has been seriously affected by the current Covid pandemic since early last year. Our country (Singapore) is in lockdown mode currently. Everybody is suffering and life is very tough here. Our company is no exception. Our company is a small local family company, not a listed company. Our company's finances have become very tight right now. We really cannot afford your asking price. We could only fork up to US$20,000.
We have already finalised our recovery plan and, with the offline backup data, we are in the process of rebuilding some data and files now. We do not have P&C data with the government, customers or vendors. However, we wish to save our business recovery time and cost. Hence, we sincerely come to you and hope to reach a mutual agreement and settle this amicably.
Hope to hear from you soon.
Attacker: Hello!
We took note of your communication and concluded:
1) If you could cope without our help, you would not contact us.
2) And yet, we are ready to make concessions to you, and throw the price down to $75,000.
We await your decision.
Victim: Hi
Appreciate your reply.
We wish to pay $75,000 and settle amicably. However, it is still very tough for us. We are willing to double our initial offer to $40,000.
We have only one condition (just to safeguard our side here): we pay 50% first and in return you give us the decryption tool for our files on two (2) hosts:
1) Host name 'SAP-VEEAM' (file extension .[redacted]), and
2) Host name 'apps-fs' (file extension .[redacted], .[redacted], [redacted])
Once we successfully decrypt the above-mentioned files, we shall immediately settle the balance 50% without delay in return for all the balance decryption.
(Please be reassured that once we achieve agreement to pay, we shall honor our word)
For payment to you in XMR (currently trading at around US$287), our local crypto platform does not support this transfer network. Can we pay you in Bitcoin/Ethereum instead?
Hope to see your favorable reply soon.
Attacker: Let my boss think, next couple of hours.
In any case, we are not ready for a down payment of 50%. So we don't work.
You can send us some not very important files so that we can confirm the functionality of our build. To do this, skip the file and note this extension.
I'll tell you in advance: if the boss does not agree to 40,000, try to offer a little more.
Attacker: I talked with my boss, so the last price is $50,000. It is the minimal price we can offer to you.
Attacker: you can pay in btc
Victim: Hi,
Ultimately, how can we be sure that after we pay 100% in advance you would give us 100% decryption?
We may not get anything at all after we make payment.
Therefore, please reconsider our suggestion that we pay you 50% and you decrypt our files as mentioned earlier on.
We assured you that once we reach an agreement with you, we will definitely honor our payment.
Attacker: We have a long reputation, you can read reviews about us.
In addition, you ask to decrypt the server with backups.
We have already done everything possible for our cooperation in the form of a proposed discount.
You will receive a utility that will run on all extensions at once on your network.
Victim: Hi,
Can you provide the links for the review about you?
How many Bitcoin do we have to pay? Bitcoin price now is $38,650. Can you provide Bitcoin Transfer address/details?
Attacker: 1.36 btc
Victim: Can you provide the links for the review about you?
Attacker: Use google "REvil"
Victim: Hi,
Can you decrypt below 3 files to show you have the tools/keys? Thanks.
Attacker: wait
Attacker: file
Attacker: APPS-SAP Backup.vbm.[redacted]
Choose another file for test decryption
Attacker: Regional - Employee Master Data (Latest).xls
Attacker: Do you really take us for fools?
Attacker: send another test file
Victim: The Employee file is critical actually. Pls decrypt for us.
Attacker: no
Victim: The Employee file is NOT critical actually.
Attacker: send another file
Victim: try this please
Attacker: file
Victim: this is the 3rd file please
Attacker: file
Victim: Can I have last 2 more files to show my boss? Please.
Attacker: Only 3 file test
Attacker: If you need more , pay
Victim: Now the BTC is $38,820 x 1.287 = $50,000,
Can we agree with 1.287 BTC coins?
Attacker: 1.295
Victim: we pay you 1.295 BTC coins, you send us the decryption tools/keys for all files. Do we have a deal?
Attacker: yes
Victim: We need to remit money to our crypto platform to buy BTC, so it may be late tomorrow before we transfer the coins to you. Please bear with us.
can you also send me the BTC transfer details?
Attacker: You can find btc ID on main page
Victim: I only saw XMR address?
Attacker: click "Bitcoin + 10%"
Victim: in the Recipient Address, I put this correct?
[redacted]
Victim: What should I put in Recipient Full Name?
Victim: Please confirm
Attacker: [redacted]
Attacker: Yes, this wallet.
Victim: 3. Wait for 3 confirmations by blockchain
What does the above mean?
Attacker: This is a confirmation of the transaction in the blockchain network. The usual procedure for transferring cryptocurrencies.
Victim: Ok
what should I put the full name for the recipient?
Attacker: nothing. Wallet Only
Victim: Ok
Victim: Hi, we finally gathered enough BTC 1.295. But it is coming from 2 sources due to time constraint.
We shall transfer BTC 0.42546345 from our local Crypto Platform first.
Once you receive it, please let us know before we transfer the balance BTC to you from another Crypto Platform
Is that okay with you?
Victim: Please let us know quickly
We want to transfer now but need you to confirm okay first.
Victim: Hi,
We managed to transfer BTC 1.295 to your below address. Pls check and confirm.
[redacted]
Victim: Please see attached jpg image for the successful transfer of BTC 1.295.
Attacker: waiting till 3 confirmations, after that you can download decryption program
Victim: Where do we find these 3 confirmations?
Victim: We have done email confirmation and phone confirmation for our BTC transfer just now.
Is it related to the above 3 confirmations?
Attacker: wait please
Attacker: To use a decryptor run it as administrator and turn off antivirus before.
You can use a decryptor as gui application or through cmd.
CMD commands:
UniversalDecryptor.exe -full
UniversalDecryptor.exe -path "C:\folder"
UniversalDecryptor.exe -file "C:\folder\file.txt.random_ext"
* decryptor with -full option will decrypt all with default params.
If you use it as a GUI application, I recommend you choose the "create backups" option. If you use the decryptor without this option, you should not interrupt the decryption process, otherwise some files will be irreversibly damaged.
Victim: Hello REvil Team - We are the IT team helping the client with the discussions with you and with recovery. We would like to discuss how to proceed with this situation and reach a mutual agreement. For us the value of data is certainly very important. Can you provide us with some files your operative acquired from the systems? I would suggest 5 files, from 5 different systems; you can choose. If you prefer to provide a file tree of the files you have, it would help us work with the client to assess the appropriate value.
We also have a few logistical issues we need your help with:
1. Payment will need to be in BTC; XMR is not possible in this situation
2. Please add an extra 48 hours to the clock. This is a long weekend and time will run out on Monday, but all banks are closed on Monday and closed on the weekend. So we would appreciate the extra time so we can reach an understanding.
Thank you, looking forward to working with you again.
Attacker: You can use Bitcoin instead of Monero, but it will be more expensive for you because of our merchant's additional fee,
so if you want to pay in BTC you need to add +10%. BTC enabled
Attacker: It will take us a little time to collect the necessary data.
Timer updated
Victim: Thank you. Standing by.
Attacker: https://privatlab.com/s/v/[redacted]
password for download: [redacted]
password for archive: [redacted]
Attacker: So that you understand what data we have
http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion/posts/[redacted]?s=[redacted]
Attacker: (Use TOR browser)
Victim: thank you. We are checking
Victim: Hello - Our client has reviewed the data you provided. Based on available funds our client is in a position to offer $192,580 to have the assurance that the data is deleted. The client is already in the process of notifying clients of the situation. I would like to recommend that the offer is accepted soonest. Much graciousness.
Attacker: Hi, all my boss has to offer is a 10% discount.
We know the scale of this company's problems.
Such low amounts are not even considered.
Attacker: To solve your problem, you need to increase your offer by at least 10-fold.
Victim: Good morning - I understand you offer a 10% discount. Can you please discuss with your boss? The situation is not urgent, nor does the client require decryptors. We have worked with you in the past on many cases; this is not a matter where such a high amount will be of benefit. $192,580 is a lot of money in this case, but I spoke to the client and they were able, after a lot of accounting investigation, to increase the amount to $237,290. Since we are coming to the weekend, which in many places is a long weekend, the response will be delayed. I recommend you speak to your boss to try and close as soon as possible.
Attacker: My boss is not interested in this amount.
You have a few days before publishing in the blog and in the media
Victim: your boss is not interested in $237,290. We understand, it is your decision.
Attacker: Friend, you shouldn't start this game, we know very well how much damage has been done to your client.
If it was insignificant, you would not write here.
If you have nothing more to offer, we have nothing to talk about
Victim: No games. Like I said, client is back to operations and no decryptors are needed. I am being upfront in terms of numbers. They cannot pay 10x of initial offer.
Victim: Not interested in wasting your time or mine.
Attacker: As we said earlier. Your proposal is not interesting
Victim: It took me over 2 days to convince the client to come back to the discussion. What can you do to get to a more reasonable number? Decryptors are not needed.
Attacker: It doesn't matter for us whether you need decoders or not, for us this is not an argument, one way or another you will get them
Victim: ok
Attacker: We have voiced our proposal to you earlier; if you cannot approach it, then there is no point in continuing the dialogue
Victim: sounds like you do not really want to discuss, I will update the client. Client will not pay what you are asking. 10% is nothing.
Attacker: We are ready to consider the issue of the discount again, but what you are offering sounds silly.
Victim: The client is an appliance retailer. They will use the money in a different way, to protect employees, unless I get a more serious discount. Otherwise you are right, this is not going anywhere.
Attacker: I have nothing more to add. The data will be sold and you must understand this
Victim: Here is what you need to understand. No one will buy this info. You publish anything and we are done with this dance. The number you provided is not happening; go back and get a better number that the client will consider or we are going nowhere. I am trying to tell you that they are willing to pay something, but your demand of 2.7mil after BTC conversion is not worth the data you have.
Attacker: If this data is useless, what are you doing here? If you have nothing to pay so much for, then why are you discussing the price?
Either make an offer that will interest my boss, or the publication will be in 19 hours and the "dancing" will end.
Victim: I gave you an offer on the table which you chose to ignore and state is not interesting. The value is that you do not play silly games with your publishing, trying to protect employees. Anything else is meaningless. I can try to push to 350k.
Attacker: Not interested
Victim: ok
Victim: if your boss or you change your mind my email is: [redacted]@mail.com
Attacker: You shouldn't use the old tricks.
Leave your email with you
Victim: Had a final discussion with management, final price is 400k. Your answer?
Attacker: I must say right away that the amount is less than 1kk; my boss is not interested
Attacker: If you agree, we close the publication and continue cooperation; if not, I think you yourself know
Victim: Like I said, 400k is the last amount. Publication is now $0. I tried to explain to you how things are, but you decided you know better. Too bad.
Attacker: Okay, my boss agrees. Price updated, you can pay.
Victim: ok hold on I need to bring client back.
Victim: Ok we confirm the bitcoin amount to settle the situation. Thanks for updating price on site. We are working with a broker to get the bitcoins and do transfer within 24 hours.
Attacker: ok
Victim: Please confirm you will provide after payment:
1. Universal decryptor, and technical support in case of problems,
2. Detailed proof of the downloaded data - a complete file tree of all compromised data files,
3. Confirmation of 100% proof of permanent deletion of all compromised data from all your data storage locations and a shred/wiping log,
4. Confirmation that you will delete and will never publish any of the data or this chat or release the company name anywhere, including on your publishing Happy Blog/leaks site, or on the dark web or the Internet,
5. A security report on how company was breached, so we can prevent future problems, and
6. Promise to never again breach or attack company’s networks or websites.
Please confirm 1 to 6. Thank you
Attacker: Um no.
You said that your client does not need a universal decoder, so we will not provide one.
We confirm everything else
Attacker: The price is formed solely on the fact that you need to completely delete the data and everything from points 2-6.
For a decryptor, the payment will be much higher.
Victim: OK, understood. Thanks for confirming 2-6.
Attacker: Hello, are you ready to pay?
Victim: yes, standby
Victim: OK, the transfer is confirmed. What is your timing on delivering the items above?
Attacker: wait for answer
Victim: Hello - what's your ETA? Thanks
Victim: Hi we are waiting for your reply?
Attacker: Hello, we deleted all information about the company
Victim: Thanks for confirming. Please provide the agreed items: 2. Complete file tree of all compromised data files, 3. Shred/wiping file data deletion log, 4. Security report. Thank you
Victim: ??
Victim: Hi we are waiting for your reply?
Attacker: 1. Administrators must work in browsers in in-private mode
2. Administrators are prohibited from saving passwords in browsers
3. Administrators are prohibited from saving files with password lists on their computers or shared resources, as well as sending them by e-mail
4. All users are forbidden to open suspicious mail; punish with money. Allocate one computer for this without connection to the corporate network
5. Administrators work in virtual machines. Virtual machines must be in cryptocontainers
6. Configure firewalls so that administrator's computers do not have direct access to critical servers, but virtual machines have it (firewall rules and network ranges)
7. Limit the list of domain administrators. Split domain administrator password between security department and administration department (password is very long)
8. Delegate small roles to administrators for daily work (resetting passwords, creating users)
9. Use strong antivirus, Cylance or Carbon Black or Cortex (we do not advertise antivirus, think for yourself)
10. Limit access to the Internet on servers and admin's computers. Create a terminal server in the DMZ and use the terminal browser applications
11. All suspicious letters with links should be sent to the IT department for verification on a stand alone virtual machine.
12. Configure mail filters to work with white lists. Anything that is not included in the whitelist must be moderated.
13. Prevent users from launching scripting programming languages (vbs, js and others) and unknown file extensions. If you doubt about opening a link, transfer it to the IT department for verification on a stand-alone virtual machine.
14. Open documents with macros only from trusted users. If you doubt about opening a document, transfer it to the IT department for verification on a stand-alone virtual machine.
15. If the user has launched a suspicious file, he should immediately contact the IT department.
16. Disable remote launch for powershell
17. Set 2FA authorisation for network infrastructure. (Backups)
Attacker: The data was deleted automatically, we, for our part, did not have time to save the deletion log
Victim: That was not the deal. You confirmed you would provide the complete file trees and proof of deletion / shred logs. We are working on 3 other recovery cases with your group and now we have to tell all our clients and their legal advisors that you are not following up on promises.
Attacker: ok
Attacker: Our team noticed that you have already started spreading dirty rumors to other companies.
So, look, if this continues, we are starting data recovery for all the cases that we have worked with previously.
Publishing all remote blogs and spreading information in the media that your companies (victims) paid us a ransom.
Don't consider yourself an almighty friend.
A new hacker worked with your case, who foolishly deleted the data after payment. This will no longer be the case, and rest assured that we do not store the data of the victims you paid for. Let's forget about this case and continue working. Don't try to fight.
Victim: ok