The Ransom Note That Named Your Competitors
Most ransomware groups threaten to sell stolen data in the abstract. They gesture toward a dark web marketplace, reference unnamed interested parties, imply that someone out there will pay for what they have taken. The threat is real enough to create pressure, but vague enough to be deniable and difficult to act on.
In this negotiation, the attacker did something different. They named names. Specific competitors (companies in the same industry, operating in the same markets) were listed by country and entity type as ready buyers for the victim's stolen files. Drawings. Client contacts. Invoices. Internal data that would hand a direct commercial advantage to anyone willing to pay for it.
That is a different kind of threat. And it reframes the entire ransom calculation for a victim who is trying to decide whether to pay.
The Opening: $150,000 and a List of What Was Taken
The negotiation opens with a UUID exchange before the attacker moves to the substance of the demand: $150,000 USD for the decryption key, data deletion, and silence. To establish credibility, they immediately detail what they have:
"All your clients' information (Contacts, Drawings, Invoices...) Your data also contains Russians on your clients... All your employees' data."
The reference to Russian clients is deliberate. It is not incidental detail; it is a signal that the attacker has reviewed the data carefully enough to identify sensitive relationships that carry their own political and legal exposure. Whether the attacker intended to use that specifically as additional leverage or simply included it to demonstrate depth of access, the effect is the same: the victim now knows the attacker understands exactly what they have, and exactly why it matters.
To reinforce this, the attacker sends screenshot evidence (images of financial data pulled from the victim's systems) alongside a file listing showing the full scope of the exfiltration. The victim is left with no room to argue the breach was superficial.
The Competitor Threat: When the Buyer Has a Name and an Address
Most double-extortion negotiations follow a predictable script. Pay or we publish. Pay or we sell. The selling threat is almost always left deliberately vague: a dark web auction, unnamed interested parties, the implicit market for stolen corporate data. Vague threats are still effective, but they leave the victim with some psychological distance. The harm is hypothetical. The buyer is faceless.
This attacker closed that distance entirely. When the victim delayed, the attacker escalated with a list:
"It's better for you to make us not to unzip all your files for leak or selling. Your hacked news will be posted on our onion site. Then next week, your clients' information and drawings will be sent to below competitors."
What followed was a list of named companies: manufacturers in the US, a group entity in the UK, and multiple GmbH entities in Germany. Not categories of buyer. Actual named competitors, identified by country and corporate structure.
For the victim, this changes the threat calculus in a fundamental way. A vague selling threat asks you to imagine a worst-case scenario. A named competitor list forces you to confront a specific one. The question is no longer "could our data end up with a competitor?" It is "could our CAD drawings and client contacts end up with [specific company] in [specific country] by next week?" That is a question with a much shorter decision timeline, and a much higher emotional charge for anyone in the room who knows those competitors personally.
It also raises a question that the transcript does not answer but incident responders should ask: were those buyers real? Had the attacker already made contact with those companies, or were the names pulled from the victim's own client and competitor intelligence files, a list of rivals the victim themselves had documented? Either way, the tactic worked as pressure. The victim did not go silent. They kept negotiating.
The Proof-of-Decryption Phase: Files First, Price Later
The victim requests decryption proof early, a standard move, but the attacker's response to it is instructive. Rather than immediately providing decrypted files, they push back on the sequence:
"Send us Test Files. After some tests, we'll provide decryption key. But these files must not contain sensitive and recent information."
The caveat about file content is worth noting. The attacker is protecting their own operational security during the test phase, ensuring the victim cannot use the proof-of-decryption exchange to recover genuinely critical files without paying. The test is structured to demonstrate capability without providing value. Three sample files go across, and the attacker returns a decrypted spreadsheet screenshot as proof rather than the files themselves, another layer of control over what the victim actually recovers before payment is confirmed.
When the victim later pushes for proof that the SQL database decrypts correctly, a legitimate concern for any company whose operations depend on database integrity, the attacker refuses:
"We've already shown enough and exactly about decryption. Let's clear our agreement price first."
The attacker is drawing a hard line between the proof phase and the payment phase. Additional verification is available, but only after price is agreed. It is a subtle but effective way of keeping the negotiation moving toward commitment rather than allowing the victim to extend the proof phase indefinitely as a stalling tactic.
The Negotiation Arc: $22,500 to $100,000
What follows is the longest and most drawn-out negotiation in this set of transcripts. The victim's opening offer of $22,500 is rejected immediately and forcefully:
"$22,500 is too low a price. At that price, we cannot even provide a decryption key. What about $120,000?"
The counter at $120,000 sets the new anchor. From here, the negotiation proceeds in slow, incremental steps: the victim edging up, the attacker edging down, neither side making large concessions in a single move. The victim's offers follow a pattern of small escalations: $22,500, $42,750, $51,650, $56,500, and eventually $75,000. The attacker moves from $120,000 to $110,000 to $105,000 and finally to $100,000, which they hold as a firm floor.
Throughout this process, the attacker applies deadline pressure repeatedly: threatening to post data to their onion site, naming a specific publication time of Thursday at midnight, and warning the victim that further small offers will not be entertained. When the victim asks for more time, the attacker grants it, but with an explicit condition:
"Ok. But then, at that time, I hope you not to say your little price again."
The victim eventually agrees to $100,000. That figure represents a 33% reduction from the opening demand of $150,000, a meaningful discount, but one achieved over a significant amount of elapsed time and multiple deadline extensions. The attacker held their floor effectively. Every concession the victim won came at the cost of another round of deadline pressure and another threat of imminent publication.
What the Transcript Reveals About the Competitor Buyer Tactic
Several details in this negotiation stand out beyond the headline number.
Named competitors are sourced from the victim's own data. The attacker demonstrated detailed knowledge of the victim's industry relationships throughout the negotiation, referencing specific client types, geographic markets, and corporate structures. The competitor list almost certainly came from files already exfiltrated from the victim's systems. This means the threat is self-referential: the attacker is using the victim's own intelligence about their competitive landscape to structure the most targeted possible pressure.
The tactic exploits relationships, not just data value. Corporate data has an abstract market value that is hard to reason about under pressure. A competitor who would benefit from your client list and drawings is a concrete, imaginable harm, one that involves real people the victim likely knows. That specificity is what makes named-competitor threats more psychologically effective than generic selling threats, and why this tactic is worth flagging in IR playbooks as a distinct escalation category.
Deadline extensions are a concession with a cost. The attacker granted multiple deadline extensions throughout this negotiation, but each one came attached to an explicit warning that price expectations were not moving with the clock. Victims who use deadline extensions purely to buy time without moving toward a realistic settlement figure are likely to find those extensions become shorter and less available as the negotiation progresses.
The attacker's floor was consistent and credible. From the moment the attacker landed on $100,000, they did not move. Every subsequent victim offer below that number was rejected without counter. That consistency is itself a signal: it suggests a pre-set minimum rather than an improvised negotiating position, and victims who fail to identify where that floor is early will spend time and deadline extensions finding out the hard way.
The Question the Victim Never Asked
There is one thread in this transcript that goes unresolved, and it is the most important one. The victim never directly challenged the competitor buyer claim. They did not ask for proof of contact with those companies. They did not ask whether the attacker had already approached them. They accepted the threat at face value and continued negotiating on that basis.
That may have been the right call under pressure. Challenging the threat risks escalating the conversation in a direction that accelerates the timeline. But it also means the victim paid $100,000 without ever knowing whether the competitor list was a genuine channel to sale or a list of names lifted from their own files and deployed as theatre.
For incident responders advising clients in future negotiations, that question is worth asking early, not to call the bluff, but to gather intelligence. An attacker who has genuinely made contact with named buyers will respond differently than one who is working from exfiltrated data. The answer shapes how much weight to give the threat, and therefore how much weight it should carry in the payment decision.
Knowing who is really on the other side of that competitor list changes the number on the table.