One Mistake: A Ransomware Negotiation Story

Summary

This case shows just how much leverage ransomware attackers gain once they get inside. The moment systems are encrypted and sensitive data is taken, the company is forced into a position where it has no good choices, just less bad ones.

The company in this case did many things right. They kept communication centralized. They asked for proof. They tested the decryptor before agreeing to anything. They negotiated rather than panicked. But in the end, they still had to pay a large amount just to regain control and stop the bleeding.

One malicious attachment (just one) was enough to let this happen. And once it did, the company faced downtime, reputational damage, financial cost, and stress across the board.

Every company, no matter the size, is a potential target. Ransomware groups don’t care who you are. They only care about what they can take and how much you’ll pay to get it back.

This was one negotiation. There are many more like it every day. Most don’t get shared. Most are handled quietly. But the threat is real, the damage is serious, and the only safe move is to make sure you’re not the next target.

The First Contact

The attackers didn’t waste time. Their opening question was direct:

“Hello. Who are you in this company? What is your position?”

The admin explained they were tasked with handling the conversation. The attackers introduced themselves:

“We are Black Basta Group. We are here to inform that your company local network has been hacked and encrypted. We've downloaded over 110GB of sensitive information and data from your network.”

They demanded $400,000, threatening to leak the data publicly if no agreement was reached within 10 days.

Proof of Stolen Data

The admin asked a fair question:

“You have 110GB of our data? What data is it?”

Black Basta sent a list and allowed the company to pick five sample files for proof. Those files were delivered as promised. Later, the admin requested a way to verify the decryptor. They asked:

“How do we know that your decryptor will work for our systems?”

Black Basta agreed to decrypt test files, which they returned successfully.

The Negotiation

The admin described the situation:

“Everyone is working from different locations... Leadership has a meeting scheduled with the board.”

The company's first offer was $39,250. They then raised it to $44,990. Black Basta rejected both:

“Are you seriously? This is an unacceptable offer. We will not even turn our heads in your direction for such a meager amount. Increase it.”

They followed with a threat and reminder:

“We also want to remind you that you have a lot of critical data, a lot of personal data of your employees and customers, copies of passports and driver's license ([redacted] and many others), their SSN, DOB, addresses and phone numbers, your NDA, confidential agreements, financial documents and other documents can be used for bad purposes, loans, etc. Darknet users know how to do this. Therefore, we suggest you to think better and make the worthy offer.”

Eventually, Black Basta set a firm price: $150,000. The company agreed. The admin responded:

“Leadership is prepared to accept your offer of $150,000 with all fees included... Please send us your bitcoin wallet ID so we can proceed with payment.”

Payment

Black Basta replied:

“Okay. We confirm all points. Our BTC wallet is [redacted]”

The admin answered:

“Ok. This may take some time, but please confirm when you receive payment. I will write you when it is sent.”

Shortly after, payment was submitted. The attacker responded:

“Yes, we see the transaction, but it hasn't been confirmed yet. Please wait.”

Minutes later, they confirmed:

“Payment received. Your data is wiping.”

They delivered a decryptor, instructions, and a link to what they claimed was a deletion log. They also provided a basic security report stating that the breach started with a phishing email carrying a malicious attachment.

Final Thoughts

This negotiation gives a raw look at how ransomware cases unfold behind the scenes. The conversation started with the attackers' instructions and ended in reluctant cooperation. The attackers controlled the pace, tone, and conditions from the start.

The admin stayed calm and professional while trying to confirm key details, verify claims, and give leadership time to decide. They asked the right questions and didn’t make assumptions. But the power imbalance was clear. Once access and data were taken, the attacker dictated the rules.

Even with cautious planning, the company ended up paying the full amount. There were no real alternatives left. The process was draining, risky, and costly.

The aftermath shows why planning and layered defenses are so important. Once you're negotiating with an attacker, you're already operating at a loss.

Full Transcript

Victim: Hello, we were told to come here

Attacker: Hello. Who are you in this company? What is your position?

Victim: Im an admin. I was assigned to communicate with you.

Attacker: Do you need a private chat?

Victim: This is a private chat. Only I have access to this

Attacker: We are Black Basta Group. We are here to inform that your company local network has been hacked and encrypted. We've downloaded over 110GB of a sensitive information and data from your network.  
Check your page in our blog.  Right now we're keeping it secret. However, if we don't come to an agreement within 10 days, it'll be posted on our news board.
We will let everyone who wants to connect to your network and get all the necessary data from your. 
Decryption price is $400,000.  In case of successful negotiations we guarantee you will get:

1) Decryptor for all your Windows machines;
2) Non recoverable removal of all downloaded data from our side;
3) Security report on how you were hacked to fix your vulnerabilities and avoid such situations in future.

Hope you can correctly assess the risks for your company.
You can find more information about Black Basta Group in Google.

Victim: Thank you for this information. I will be in touch

Attacker: okay

Victim: you have 110GB of our data? what data is it?

Attacker: Wait please, we'll send you the list of your taken data.

Attacker: Download file: [redacted].rar

Attacker: You can choose any 5 file names from this list and we will send them to you, like a proof.

Victim: ok thank you we will take a look

Attacker: okay

Victim: does this list represent all of the data you took?

Attacker: Yes, this is full list.

Victim: Here are the files that leadership has requested: Paperless\EMAILS 2020-2022\Congratulations [redacted].msg
Vol4\CL\[redacted]Files\[redacted] - Notice of Substitution.docx
Vol4\CL\[redacted]\[redacted] Plaintiff Expert Materials\[redacted]\Floormat recall.pdf
Vol4\CL\7777\031\[redacted]\[redacted]\footballpressboxlist.pdf
Vol4\USER\[redacted]\XMAS\Christmas 2004\Holiday Name Tags Template2.doc

Attacker: Wait please.

Attacker: Download file: [redacted].rar

Attacker: These are requested files.

Victim: Ok.  We are having internet issues.  Everyone is working from different locations.  I will give these to leadership to review.  No one will be back until Monday.  I will write you then

Attacker: Understood. Wait you on Monday.

Victim: How do we know that your decryptor will work for our systems?

Attacker: You can send some encrypted files, we decrypt them and send back to you. But these files must be unimportant.

Victim: Ok, I will have leadership choose some files.

Attacker: okay

Victim: Download file: [redacted].jpg

Victim: Download file: [redacted].doc

Victim: Here are two files that leadership chose.

Attacker: Wait please.

Attacker: Download file: [redacted].jpg

Attacker: Download file: [redacted].doc

Victim: Ok, I will show these to leadership and will be back in touch with you

Attacker: We'll in touch.

Victim: My leadership has a meeting scheduled with the board on Monday afternoon.  Before that meeting, is there any cost breaks that you could provide us?  This event has had a significant impact on our company.

Attacker: 10% discount for you and we close the deal.

Victim: Ok, I will provide this to my leaders and I will be back in touch on Monday afternoon.

Attacker: Okay, we'll be in touch.

Victim: Our leadership wants this to come to an end for both of us so we can get back to normality.  They would like to offer $39,250 with all fees included.  This would include the decryptor with any assistance we may need with it, proof that all our data has been removed from your systems and deleted with the promise not to ask for any additional money for anything after payment is received, a detailed explanation on how you got into our systems, and the promise to never attack us again.  Please accept this offer so we can move on.

Attacker: Are you seriously? This is an unacceptable offer. We will not even turn our heads in your direction for such a meager amount. Increase it.

Attacker: We also want to remind you that you have a lot of critical data, a lot of personal data of your employees and customers, copies of passports and driver's license ([redacted] and many others), their SSN, DOB, addresses and phone numbers, your NDA, confidential agreements, financial documents and other documents can be used for bad purposes, loans, etc. Darknet users know how to do this. Therefore, we suggest you to think better and make the worthy offer.

Victim: What is meager to you, is not to us.  Since this event we are struggling to get operational and have experienced tremendous losses.  Leadership is prepared to offer $44,990 with all fees included.  This would include the decryptor with any assistance we may need with it, proof that all our data has been removed from your systems and deleted with the promise not to ask for any additional money for anything after payment is received, a detailed explanation on how you got into our systems, and the promise to never attack us again.  Please consider this offer as we are trying to get our business back operational.

Attacker: We are ready to help restore all your systems and files to their original state very quickly, but the minimum amount we can accept is $150k. Less payment is not possible. Therefore, tell your manager if he wants to make a deal, then he look for this amount. If not, then further negotiations are pointless.

Victim: Leadership is prepared to accept your offer of $150,000 with all fees included.  This would include a working decryptor with any assistance we may need with it, proof and assurance that all our data has been removed from your systems, deleted, not copied or transferred elsewhere, and with the promise not to ask for any additional money for anything after payment is received, a detailed explanation of why we were targeted and how you got into our systems, and the promise to never attack us again.  Please send us your bitcoin wallet ID so we can proceed with payment.

Attacker: Okay. We confirm all points. Our BTC wallet is [redacted]

Victim: Ok. This may take some time, but please confirm when you receive payment.  I will write you when it is sent.

Attacker: Okay.

Attacker: Any updates?

Victim: payment was made.  Can you confirm please

Attacker: Yes, we see the transaction, but it hasn't been confirmed yet. Please wait.

Attacker: Payment received.

Attacker: Your data is wiping.

Victim: Thank you.  I will stand by for all the agreed upon deliverables.

Attacker: This is log of deletion ALL your taken data
Download: https://qaz.im/load/[redacted]
Delete: https://qaz.im/index.php?a=delete&q=[redacted]

Attacker: Download file: [redacted].ex

Attacker: How to decrypt windows?
1. Drop executable to any folder.
2. Start new terminal session with administrator rights. (run cmd.exe or powershell.exe with admin rights)
3.1. In cmd.exe type full path to the executable file and press Enter.
3.2. In powershell.exe type: "& c:\full\path\to\executable.exe" without quotes and press Enter.

OR

1. Drop file.
2. Click right mouse button on the file and press run as admin.


(!) IMPORTANT, READ ALL BEFORE DECRYPTION PROCESS
1. Yoy can decrypt only 1 folder (test decrypt for example)
decrypt.exe -forcepath c:\users\1\Desktop\folder
2. DO NOT CLOSE decryptor yourself
3. MAKE BACKUPS of important files what you will decrypt, then you can rerun decryptor if something happens
4. You can decrypt partially encrypted files:
4.1. Make backup
4.2. Add encrypted extension (random for every company, you can ask in chat) to file
4.3. Run decryptor to folder what contains file
4.4. Now you can test file
5. Every decryption process saves file in same location with name of decrypted file with extension .kbckp. In this file you can find individual chacha keys for better recovery experience.
6. You can ask in chat about ECC keys (used to encrypt chacha keys) for your company.
7. Make sure you have at least 10 gb of free space on each disk.
8. To choose folder on linux decrypt.linux -forcepath /path

Attacker: Security report and recommendation:
Your network has been compromised by mailing of messages to the emails with malicious attachments. 
One of the users launched malware.
To avoid this in the future, give you recommendations of network protection: 
1. Use sandbox to analyze the contents of letters and their attachments.
2. Use the password security policies  
3. Make protection from attack like a Pass-the-Hash  and Pass-the-ticket attack
4. Update all OS and software to the latest versions, especially Microsoft Defender Antivirus. 
5. Implement the hardware firewalls with filtering policies, modern DLP and IDS, SIEM systems.
6. Block kerberoasting attacks 
7. Conduct full penetrations tests and audit 
8. Use and update Anti-virus/anti-malware and malicious traffic detection software 
9. Configure group policies, disable the default administrators accounts, create new accounts. 
10. Backups. You must have offline backups, does not have access to the network.