This Is Ransomware: 19 Hours to Save the Data

In today’s cyber landscape, the threat of ransomware is a chilling reality for organizations across the globe. Behind the headlines and statistics are real people navigating high-stakes, high-pressure conversations with faceless attackers. This post takes you inside one such negotiation — an authentic, anonymized exchange between a corporate IT recovery team and the ransomware group REvil.
What follows isn’t fiction or dramatization. It’s a careful retelling of a real negotiation, combining raw transcripts and standout quotes to provide a rare, honest look at what happens behind closed virtual doors when data, money, and reputations are on the line.
The Opening Move
The exchange began with a declaration:
“We are REvil Group… The price to unlock is $2,500,000.”
The attackers emphasized their leverage — complete access to the company’s network and a threat of public disclosure if no contact was made within seven days.
The IT team responded promptly, attempting to lower tensions and negotiate:
“We are the IT team helping our client… Please provide a file-tree or sample files.”
Alongside their request for data proof, they wanted extra time due to a holiday weekend and proposed payment in Bitcoin, given Monero was not feasible.
Price Tensions and Strategic Bargaining
REvil acknowledged the request and provided data samples, but rejected the initial offer of ~$192K, with sharp language and minimal patience:
“Such low amounts are not even considered.”
They pushed for an increase, and tensions quickly escalated.
As the IT team raised its offer to $237K and then to $350K, the attacker's tone hardened, growing increasingly final and threatening as the negotiation approached a dead end. The attacker stated:
“I have nothing more to add. Data will be sold and you must understand this.”
The IT team, refusing to be intimidated, fired back:
“Here is what you need to understand. No one will buy this info. You publish anything and we are done with this dance.”
REvil escalated the pressure, answering with a pointed challenge and a hard deadline:
“If this data is useless, what are you doing here? If you have nothing to pay so much for, then why are you discussing the price?”
“Either make an offer that will interest my boss, or the publication will be in 19 hours and the ‘dancing’ will end.”
This exchange captured the high-stakes power play often seen in ransomware negotiations — a game of psychological warfare where both sides probe for weakness, but only one controls the clock.
Eventually, the IT team delivered their final pitch:
“Final price is 400k. Your answer?”
REvil relented:
“Okay my boss agree price update you can pay.”
Agreement – On Paper
After reaching a price, the IT team moved to lock in the deal terms:
“Please confirm you will provide after payment:
1. Universal decryptor and technical support
2. Detailed proof of the downloaded data – complete file tree
3. Deletion confirmation and shredding log
4. Guarantee not to publish any data
5. Security report on breach
6. No future attacks”
REvil responded curtly:
“You said that your client does not need a universal decoder, so we will not provide one. We confirm everything else.”
The IT team accepted the revised scope:
“OK, understood. Thanks for confirming 2–6.”
Post-Payment Fallout
The payment was made and confirmed. But what followed was a breakdown in deliverables.
When the IT team followed up on the promised items, they received this:
“The data was deleted automatically, we, for our part, did not have time to save the deletion log.”
The team fired back:
“That was not the deal. You confirmed you would provide the complete file trees and proof of deletion / shred logs.”
REvil then shifted tone — from deflection to blame:
“A new hacker worked with your case, who foolishly deleted the data after payment. This will no longer be the case.”
They added a direct threat:
“Our team noticed that you have already started spreading dirty rumors to other companies.
If this continues, we are starting data recovery for all the cases that we have worked with previously.
Publishing all remote blogs and spreading information in the media that your companies (victims) paid us a ransom.
Don’t consider yourself an almighty friend.”
Despite these threats, the IT team did not escalate the conflict. The case concluded without the full delivery of promised materials — a disappointing but unsurprising end to an untrustworthy arrangement.
Conclusion: Weak Trust
This case highlights how fragile — and ultimately one-sided — ransomware negotiations can be. While the IT team maintained professionalism and pressed for accountability, the attackers pivoted, deflected, and made it clear that their promises were always conditional.
In the end, this case reminds us that paying a ransom does not guarantee closure. In fact, it may be just another stage in an ongoing threat cycle — one that demands strong incident response plans, legal support, and above all, hardened defenses.
Full Transcript
Attacker: We are REvil Group.
We want to inform you that your company's local network has been hacked and encrypted. We have all your local network data. The price to unlock is $2,500,000. Now we're keeping it a secret, but if you do not reply to us within 7 days it will be posted on our news-site. Think about the financial damage to your stock price from this publication. In case of successful negotiations we guarantee that you will get decryptors for all your machines, non-recoverable removal of downloaded data and a security report on how you were hacked to fix your vulnerabilities. We hope that you can correctly assess the risks for your company.
Victim: Hello REvil Team - We are the IT team helping the client with the discussions with you and with recovery. We would like to discuss how to proceed with this situation and reach a mutual agreement. For us the value of the data is certainly very important. Can you provide us with some files your operative acquired from the systems? I would suggest 5 files, from 5 different systems, you can choose. If you prefer to provide a file-tree of the files you have, it would help us to work with the client to assess the appropriate value.
We also have a few logistical issues we need your help with:
1. Payment will need to be in BTC; XMR is not possible in this situation.
2. Please add an extra 48 hours to the clock. This is a long weekend and time will run out on Monday, but all banks are closed on Monday and on the weekend. So we would appreciate the extra time so we can reach an understanding.
Thank you, looking forward to working with you again.
Attacker: You can use Bitcoin instead of Monero, but it will be more expensive for you because of our merchant's additional fee,
so if you want to pay in BTC you need to add +10%. BTC enabled
Attacker: It will take us a little time to collect the necessary data.
Timer updated
Victim: Thank you. Standing by.
Attacker: https://privatlab.com/s/v/[redacted]
password for download: [redacted]
password for archive: [redacted]
Attacker: So that you understand what data we have
http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion/posts/[redacted]?s=[redacted]
Attacker: (Use TOR browser)
Victim: thank you. We are checking
Victim: Hello - Our client has reviewed the data you provided. Based on available funds our client is in a position to offer $192,580 to have the assurance that the data is deleted. The client is already in the process of notifying clients of the situation. I would like to recommend that the offer is accepted soonest. Much graciousness.
Attacker: Hi, all my boss has to offer is a 10% discount.
We know the scale of this company's problems.
Such low amounts are not even considered
Attacker: To solve your problem, you need to increase your offer by at least 10-fold.
Victim: Good morning - I understand you offer a 10% discount. Can you please discuss with your boss: the situation is not urgent, nor does the client require decryptors. We worked with you in the past on many cases; this is not a matter where such a high amount will work to anyone's benefit. $192,580 is a lot of money in this case, but I spoke to the client and they were able, after a lot of accounting investigation, to increase the amount to $237,290. Since we are coming to the weekend, in many places this is a long weekend and the response will be delayed. I recommend, if you can, speaking to your boss to try and close as soon as possible.
Attacker: My boss is not interested in this amount.
You have a few days before publishing in the blog and in the media
Victim: Your boss is not interested in $237,290. We understand, it is your decision.
Attacker: Friend, you shouldn't start this game, we know very well how much damage has been done to your client.
If it was insignificant, you would not write here.
If you have nothing more to offer, we have nothing to talk about.
Victim: No games. Like I said, the client is back to operations and no decryptors are needed. I am being upfront in terms of numbers. They cannot pay 10x the initial offer.
Victim: Not interested in wasting your time or mine.
Attacker: As we said earlier, your proposal is not interesting.
Victim: It took me over 2 days to convince the client to come back to the discussion. What can you do to get to a more reasonable number? Decryptors are not needed.
Attacker: It doesn't matter to us whether you need decoders or not; for us this is not an argument. One way or another you will get them.
Victim: ok
Attacker: We have voiced our proposal to you earlier; if you cannot approach it, then there is no point in continuing the dialogue.
Victim: It sounds like you do not really want to discuss; I will update the client. The client will not pay what you are asking. 10% is nothing.
Attacker: We are ready to consider the issue of the discount again, but what you are offering sounds silly.
Victim: The client is an appliance retailer. They will use the money in a different way to protect employees, so unless I get a more serious discount, you are right, this is not going anywhere.
Attacker: I have nothing more to add. Data will be sold and you must understand this.
Victim: Here is what you need to understand. No one will buy this info. You publish anything and we are done with this dance. The number you provided is not happening; go back and get a better number that the client will consider, or we are going nowhere. I am trying to tell you that they are willing to pay something, but your demand of 2.7mil after BTC conversion is not worth the data you have.
Attacker: If this data is useless, what are you doing here? If you have nothing to pay so much for, then why are you discussing the price?
Either make an offer that will interest my boss, or the publication will be in 19 hours and the "dancing" will end.
Victim: I gave you an offer on the table which you chose to ignore and stated it's not interesting. The value is that you do not play silly games with your publishing; I am trying to protect employees. Anything else is meaningless. I can try to push to 350k.
Attacker: Not interested
Victim: ok
Victim: if your boss or you change your mind my email is: [redacted]@mail.com
Attacker: You shouldn't use the old tricks.
Leave your email with you
Victim: Had a final discussion with management, final price is 400k. Your answer?
Attacker: I must say right away that for an amount less than 1kk my boss is not interested.
Attacker: If you agree, we close the publication and continue cooperation; if not, I think you yourself know.
Victim: Like I said, 400k is the last amount. Publication is now 0$. I tried to explain to you how things are, but you decided you know better. Too bad.
Attacker: Okay my boss agree price update you can pay.
Victim: OK, hold on, I need to bring the client back.
Victim: Ok we confirm the bitcoin amount to settle the situation. Thanks for updating price on site. We are working with a broker to get the bitcoins and do transfer within 24 hours.
Attacker: ok
Victim: Please confirm you will provide after payment:
1. Universal decryptor, and technical support in case of problems,
2. Detailed proof of the downloaded data - complete file tree of all of compromised data files,
3. Confirmation of 100% proof of permanent deletion of all compromised data from all your data storage locations and a shred/wiping log,
4. Confirmation that you will delete and will never publish any of the data or this chat or release the company name anywhere, including on your publishing Happy Blog/leaks site, or on the dark web or the Internet,
5. A security report on how company was breached, so we can prevent future problems, and
6. Promise to never again breach or attack company’s networks or websites.
Please confirm 1 to 6. Thank you
Attacker: Um no.
You said that your client does not need a universal decoder, so we will not provide one.
We confirm everything else
Attacker: The price is formed solely on the fact that you need to completely delete the data and everything from points 2-6.
For a decryptor, the payment will be much higher.
Victim: OK, understood. Thanks for confirming 2-6.
Attacker: Hello, are you ready to pay?
Victim: yes, standby
Victim: OK, the transfer is confirmed. What is your timing on delivering the items above?
Attacker: wait for answer
Victim: Hello - what's your ETA? Thanks
Victim: Hi we are waiting for your reply?
Attacker: Hello, we deleted all information about the company.
Victim: Thanks for confirming. Please provide the agreed items: 2. Complete file tree of all of compromised data files, 3. Shred/wiping file data deletion log, 4. Security report. Thank you
Victim: ??
Victim: Hi we are waiting for your reply?
Attacker: 1. Administrators must work in browsers in in-private mode
2. Administrators are prohibited from saving passwords in browsers
3. Administrators are prohibited from saving files with password lists on their computers or shared resources, as well as sending them by e-mail
4. All users are forbidden to open suspicious mail, punish with money. Allocate for this one computer without connection to the corporate network
5. Administrators work in virtual machines. Virtual machines must be in cryptocontainers
6. Configure firewalls so that administrator's computers do not have direct access to critical servers, but virtual machines have it (firewall rules and network ranges)
7. Limit the list of domain administrators. Split domain administrator password between security department and administration department (password is very long)
8. Delegate small roles to administrators for daily work (resetting passwords, creating users)
9. Use strong antivirus, Cylance or Carbon Black or Cortex (we do not advertise antivirus, think for yourself)
10. Limit access to the Internet on servers and admin's computers. Create a terminal server in the DMZ and use the terminal browser applications
11. All suspicious letters with links should be sent to the IT department for verification on a stand alone virtual machine.
12. Configure mail filters to work with white lists. Anything that is not included in the whitelist must be moderated.
13. Prevent users from launching scripting programming languages (vbs, js and others) and unknown file extensions. If you have doubts about opening a link, transfer it to the IT department for verification on a stand-alone virtual machine.
14. Open documents with macros only from trusted users. If you have doubts about opening a document, transfer it to the IT department for verification on a stand-alone virtual machine.
15. If the user has launched a suspicious file, he should immediately contact the IT department.
16. Disable remote launch for PowerShell
17. Set 2FA authorisation for network infrastructure. (Backups)
Attacker: The data was deleted automatically; we, for our part, did not have time to save the deletion log.
Victim: That was not the deal. You confirmed you would provide the complete file trees and proof of deletion / shred logs. We are working on 3 other recovery cases with your group and now we have to tell all our clients and their legal advisors that you are not following up on promises.
Attacker: ok
Attacker: Our team noticed that you have already started spreading dirty rumors to other companies.
So, look, if this continues, we are starting data recovery for all the cases that we have worked with previously.
Publishing all remote blogs and spreading information in the media that your companies (victims) paid us a ransom.
Don't consider yourself an almighty friend.
A new hacker worked with your case, who foolishly deleted the data after payment. This will no longer be the case, and rest assured that we do not store the data of the victims you paid for. Let's forget about this case and continue working. Don't try to fight.
Victim: ok