Two Weeks Inside: REvil's Ransomware Victim Fears Chat Leaks

Summary of What Happened
The attacker, operating as REvil, claims to have broken into the victim's network, stolen 500 GB of data, and encrypted systems including the ESXi servers. They demand a multimillion-dollar ransom (the figure referenced later in the chat is roughly $9M) and threaten to leak the data if it is not paid. They also state that they were inside the victim's network for more than two weeks before being noticed, and use this to argue that they could have taken far more than 500 GB.
The victim asks for proof of the stolen data, tries to negotiate a lower ransom, and raises the concern that someone else may be watching the negotiation chat: the ransom note was uploaded to VirusTotal, so anyone who downloads it from there could follow the conversation. To limit that exposure, the victim asks to move to a private chat. REvil agrees, on the condition that the negotiator first proves they speak for the company; the victim does so by naming the account REvil used to pivot inside the network, after which REvil issues a password for a new chat and deletes the company name, proof screenshots and sample-data link from the original one. Negotiations continue with no confirmed resolution.
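The VirusTotal problem above is worth making concrete. As an added example (not part of the original write-up), the following Python shows the check an incident responder would run before sharing a ransom note: look it up on VirusTotal by SHA-256 instead of uploading the file, and refuse to upload anything that carries the chat URL or access key. The VT v3 `/files/{sha256}` endpoint and `x-apikey` header are real; the ransom note bytes, the onion address and the sample 200-response body are constructed, and the request is only built, never sent.

```python
"""Check whether a ransom note is already public on VirusTotal by hash lookup,
without uploading the note itself.

Added example, not code from the original write-up. Uploading the note would
publish the attacker's chat URL and access key to every VT user, which is the
monitoring problem the victim raises in the chat. Looking the SHA-256 up with
GET /api/v3/files/{sha256} reveals nothing about the file if VT has never seen it.
The note bytes, onion address and the 200-response body below are constructed
samples; the real request is only built, never sent.
"""
import hashlib
import json
import re

VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{sha256}"

# Constructed sample note; the onion address and key are placeholders.
SAMPLE_NOTE = b"""---=== Welcome. Again. ===---
Your files are encrypted and copied to our servers.
Visit http://placeholderonionaddress.onion/ with the TOR browser
Your key: 0123456789ABCDEF0123456789ABCDEF
"""

# Anything matching these is a credential for the negotiation chat.
SECRET_PATTERNS = [
    re.compile(rb"https?://[a-z2-7]{16,56}\.onion\S*", re.I),
    re.compile(rb"\b(?:key|id)\s*[:=]\s*[A-Za-z0-9+/=_-]{16,}", re.I),
]


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the note; this is the only thing that leaves the host."""
    return hashlib.sha256(data).hexdigest()


def note_contains_secrets(data: bytes) -> bool:
    """True if the note carries a chat URL or access key: do not upload it anywhere."""
    return any(p.search(data) for p in SECRET_PATTERNS)


def build_lookup_request(data: bytes, api_key: str) -> dict:
    """Build (not send) the VT v3 hash lookup for the note."""
    return {
        "method": "GET",
        "url": VT_FILE_URL.format(sha256=sha256_hex(data)),
        "headers": {"x-apikey": api_key},
    }


def interpret_lookup(status_code: int, body: str) -> dict:
    """Interpret the /files/{hash} response.

    404: VT has never seen this hash, so the note (and the chat it points to)
         has not been exposed that way.
    200: the note is already public; treat the chat as monitored.
    """
    if status_code == 404:
        return {"exposed": False, "times_submitted": 0, "first_seen": None}
    if status_code != 200:
        raise RuntimeError(f"unexpected VT status {status_code}")
    attrs = json.loads(body)["data"]["attributes"]
    return {
        "exposed": True,
        "times_submitted": attrs.get("times_submitted", 0),
        "first_seen": attrs.get("first_submission_date"),
    }


# Constructed 200 response carrying only the attributes used above.
SAMPLE_VT_200 = json.dumps({
    "data": {
        "type": "file",
        "id": sha256_hex(SAMPLE_NOTE),
        "attributes": {
            "times_submitted": 3,
            "first_submission_date": 1625097600,
            "last_analysis_stats": {"malicious": 0, "undetected": 60},
        },
    }
})

if __name__ == "__main__":
    print("note carries chat secrets:", note_contains_secrets(SAMPLE_NOTE))
    req = build_lookup_request(SAMPLE_NOTE, api_key="<VT API key>")
    print("would send:", req["method"], req["url"])
    print("if VT answers 404:", interpret_lookup(404, ""))
    print("if VT answers 200:", interpret_lookup(200, SAMPLE_VT_200))
```

If the lookup returns 200, the note and therefore the chat link are already public and the victim's concern is justified; if it returns 404, the note has not been exposed through VT, but `note_contains_secrets` still says it must not be uploaded there later.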
Important Facts
- Ransomware Group: REvil
- Duration: Approximately 2 days of active communication
- Total Messages: 79
- Paid: No (no evidence of payment has been indicated)
Key Notes
Initial Contact and Ransom Demand
- REvil claims to have exfiltrated 500 GB of sensitive data.
- They provide partial proof (screenshots of folders and sample files hosted on a Tor site) to demonstrate the seriousness of the breach.
- The victim inquires about the data and potential recovery options (e.g., decryptor).
Threat of Data Publication
- REvil repeatedly threatens to publish stolen data on their blog if demands are not met.
- The group underscores the impact of such disclosure on the victim’s reputation, shareholder confidence, and potential legal consequences.
Victim’s Financial Limitations
- The victim’s board initially offers $800K, which REvil rejects as a discount of more than 90% on the roughly $9M demand.
- REvil references previous cases where organizations paid significantly higher amounts.
- Negotiations stall as the victim cites internal board approvals and exploration of alternatives.
Restoration of Files
- The attacker warns against using third-party data recovery solutions.
- They claim that any attempt to decrypt with third-party tools may leave the data unrecoverable even with REvil’s own decryptor.
- The group promises a working decryption key if the ransom is paid.
Attacker’s Reaction
- REvil emphasizes the damage that could arise from public leaks (e.g., regulatory issues, reputational harm, lawsuits).
- They mention that partial publication of data often compels companies to pay quickly.
- REvil insists on certain “algorithms and deadlines” for negotiation, threatening to double the ransom if no swift agreement is reached.
Final Status
- The victim attempts to move the conversation to a private channel to avoid external monitoring.
- At the victim’s request, REvil deletes the messages that named the company, the proof screenshots, and the onion link to the sample data from the main chat, then moves the conversation to a new password-protected chat.
- At the last point of communication, no final ransom figure is settled; negotiations are still ongoing.
Original Chat Logs
Victim: In the ransom note, you stated that you took 500 GB of information. Can you provide us with examples of this information?
Attacker: Hello.
If you are satisfied with the screenshots of the folders, we will provide them to you within a few minutes.
Or we can provide you with a link to some of your data for review. But it will take about an hour.
Victim: we will take both
Attacker: Good. 10 minutes and we will provide you with screenshots.
Victim: Thank you. we will wait for file samples as well
Attacker: ok
Attacker: We would like to draw your attention to the fact that we did not delete data from your ESXi servers. The information is also encrypted there. If we make a deal, we will give you a decryptor so that you can restore the servers.
Attacker: But we do not guarantee recovery if you carry out any manipulations with these servers.
Victim: Understood
Attacker: Good. This also applies to other files outside of ESXi.
Victim: please send the sample files when ready
Attacker: We have started transferring some of the data to the new server so that you can familiarize yourself with the data. It will take some time. In 5 minutes you will be able to get acquainted with what we have already transferred for you.
Attacker: We will upload files here for review.
The link is available through the TOR browser.
Some of the data is still in the process of being copied.
Victim: Thank You
Attacker: We've finished copying the sample data for you.
Can you please tell me, are you only interested in data files or are you also interested in the decryptor?
As we already wrote before, we strongly discourage using third-party solutions.
Victim: 3rd party solutions? Is there different pricing for breaking it apart?
Attacker: 3rd party solutions - various programs whose descriptions say that they can recover data, but this is not the case. Typically, the use of such third-party programs leads to the fact that our decryptor can no longer recover your data.
Attacker: If you are ready to move on to the deal in the near future, then we can provide you with a discount. If you do not need a decryptor, then the discount will be slightly higher.
Victim: I understand now about the 3rd party solutions. Thank you.
Victim: Thank you for providing the details. I am discussing with the board
Attacker: Good. We will be in touch.
Victim: Our board is having issues with quantifying the 500 GB that has been taken. To help them out, is there a certain IP or something I can hunt for to quantify this on the exfil side? Based on this, the board should then be in a position to discuss options.
Attacker: Do I understand correctly that you do not need a decryptor?
Victim: That is incorrect. We are still understanding the damage caused to the organization.
Attacker: This is just business; it makes no sense for us to lie or not fulfill obligations. If we did business this way, there would be no profit for us. In fact, your question is very strange - we think that the provided data is already enough to understand the seriousness of your problem. It's all about your reputation and possible damage to your customers. We have been in your network for more than 2 weeks and we think you understand that there was enough time to download even more information. You can also read about REvil on the Internet and find out that 500 gigabytes is a small leak, since sometimes several terabytes of data are downloaded. And also you will find out that if we can't reach an agreement, then we will have to publish some of the data on our blog. You should also know that in 5 days the amount will be doubled.
Victim: Thank you for providing this explanation.
Victim: We have performed the research that you requested. In addition, we have studied ransom payments from various third-party sources. The board is asking you to consider $800K for the package in order to gain consensus. Can we agree to this amount?
Attacker: Do you want us to give you a discount of more than 90%? Of course this is impossible. I will give you a small example. A company close to your profile: the annual turnover was 2.5 times less, we also had 2 times less data, and we had already published some of the data on the blog - as a result, this company paid 4 million. They also did not need a decryptor - they were able to recover from the backups that we missed. Next comes simple math. What you read is either about small companies or information with understated amounts. Most companies do not advertise the fact of hacking and payment.
Attacker: Apparently you do not realize the seriousness of the situation and the consequences.
Loss of reputation
Loss of clients and possible litigation with them.
Financial losses due to downtime that can take a very long time.
Your data will also be seen by your competitors
The stocks in the market will begin to fall, and this is clearly not to your investors' liking.
And much more.
You are a big, serious company - be realistic.
Attacker: If you are ready to seriously discuss the deal in the near future, then we will be ready to slightly reduce the amount.
If your new proposal is again frivolous, we will have to prepare a blog post with the first part of the data.
Victim: We want to seriously discuss this and, as you said, this is a business deal, so please give me something to work with and I will discuss with the board and come back to you.
Victim: If we work together I am sure we can gain consensus.
Victim: Here is one article as part of our research:
https://REDACTED
Victim: Again, we want to gain consensus.
Attacker: I recommend that you do not trust such reports.
We don't know what information the Coveware report was based on.
How many companies are using Coveware?
What is the size of the company and what is their revenue?
Was there a data leak?
Or was the company able to recover on its own and the company was interested only in non-disclosure?
Company profiles?
And much more.
We also recommend that you be extremely careful when contacting a company like Coveware.
As practice shows, the task of such companies is to make money on the client's problem. Most often they use payment per hour.
Therefore, they usually start to play for time during negotiations and thereby pull money from the client.
They won't care about your data. And if the deal does not take place, then the data is published, and companies like Coveware will do it anyway for this fact - they will still make money. They are often too confident that we will agree to any amount and will not publish the data, but you can take a look at our blog and see how many companies they faked in this way. It is also a frequent case that when we publish the first part of the data, companies immediately go to the deal, understanding how serious everything is.
Returning to the topic of statistics of payments and amounts - as you understand, the companies that ignite do not want publicity, so you rarely see news that the company paid 5-10-15-20 million. But this happens. Here is a public example for you, with which we have nothing to do, but I think the meaning will be clear:
https://REDACTED
This is a public event. The company did not want to pay, after which part of its data was published and, as far as I know, after that the company quickly agreed to the deal. I could provide private evidence of other multi-million dollar deals, but of course I won't. We do business with integrity. All the more, would you like it if in the future we told other companies about your case? If we come to a deal, no one will know about it; otherwise you will be another example for our other companies.
As for the amount. I think you perfectly understand that you will incur large financial losses. You are already losing money and I don’t think you want it to continue like this. And now we are only talking about easy to work with. But do you understand that there will be other losses? Clients will find out about what happened to you and find out that their data has been published, including confidential data, including problems with their projects. I think it is not easy for them not to want to continue working with you, and they will also sue you. And probably it will also go about millions of claims. So what happens if competitors take advantage of the data we can publish? How will investors react to this? Believe me, there is enough data for the company to incur more serious losses, and they will exceed the amount requested from us. We are not the first day in this business and we can conditionally calculate how much the company can and will be willing to pay, as well as possible losses of the company. Therefore, we offer an adequate amount, and it does not include the discount that we can offer if the company conducts a correct and serious conversation, and is also ready to conduct a deal, up to double the amount and publish the first part of the data.
We are still waiting for a serious offer from you. Keep in mind that tomorrow we will be preparing the first publication for our blog regarding your company - we are going to publish it on Friday if we do not come to an agreement. The blog is followed by many media, and as soon as a new entry appears there, after a few hours it appears on many news portals.
Attacker: A link to our blog where you can check out the leaks of other companies that didn’t make the deal:
http://.onion
I also recommend that you familiarize yourself with this material in order to avoid mistakes:
http://.onion/posts/[redacted]
Victim: Thank you for providing this and I will discuss with the board
Victim: As we are chatting in good faith, we would like to keep our conversations private. Can we set up a private chat, as others might be viewing our conversation?
Victim: The ransom note was uploaded to VT; therefore, I am concerned someone could download it and monitor. I am authorized to negotiate for the company.
Victim: [redacted]@gmail.com
Attacker: We will not be able to link the gmail account with your company.
LinkedIn account or Facebook of an employee or company?
Phone call?
After you provide us with a contact for communication, we will remove it from our correspondence so that no one can see it.
Attacker: We removed from the chat all the messages where the name of your company was mentioned, as well as screenshots of the data by which it was possible to determine which company could be discussed. We are waiting for your contact information to switch to another chat.
Victim: I am stepping into a board meeting and will get the information you desire for verification.
Victim: The phone will not work, as those are down due to your encryptor.
Attacker: Okay. Let us carry out verification via Facebook or LinkedIn.
Attacker: We can provide you with a new private chat without verification, but if we are confused by the correspondence in it, we will return to the main chat, where we are currently communicating.
Attacker: Let me know as soon as you are ready to receive a password and instructions.
After that, write to us in a new chat and we will remove the password and instructions from the main chat.
Victim: Here is our proposal to link to the gmail account. We noticed that you used the [redacted] account to pivot in the network. Is this verification enough to send this to the gmail account?
Attacker: Yes, that will be enough.
Attacker: did you receive instructions and password?
Victim: yes...
Victim: I entered in the password
Victim: Please destroy the other chat support
Victim: and we will do our conversation here
Victim: please confirm when complete
Attacker: Why do we need this? We have removed all information that could help someone identify your company name.
Victim: the proofs are still in the chat window
Victim: apologies for the extra steps as we gain consensus
Attacker: Write to me where the evidence is left and I will delete it.
Attacker: I see screenshots. I removed them.
Victim: kill the onion link
Victim: to the directory
Attacker: Ready
Victim: Thank you
Attacker: I think we can start discussing the deal.
Victim: The board is still reviewing the information you provided and contemplating an offer back
Attacker: Good. We are in touch.
Attacker: How are things going in the negotiation of the deal? Your time is coming to an end. If by tomorrow we do not agree on a deal, we will publish the first post on our blog. And also discounts will cease to be relevant. And we will already be discussing the next discount from the doubled amount, and as you understand, the amount in the end will be more than 9 million.
Victim: You ask for a lot in a short period, as many people are discussing options. Being your advocate and to gain consensus, you should realize that this takes time and to post early does not help this business deal. As the board is considering options, do you have a new number so I can take it to the board?
Attacker: We all perfectly understand, but there are certain algorithms and deadlines in our work, which have proven their effectiveness more than once.
Attacker: "As the board is considering options, do you have a new number so I can take to them board." - what number are we talking about?
Victim: The amount for the package. You ask for $9M. I trust to gain consensus the discounts to which you speak of can be factored in
Attacker: If in the near future we come to an agreement, then I think we will be able to provide a discount of 10-15%.
Attacker: But we will discuss the discount specifically when we receive an offer from the company. We do not recommend offering understated amounts - you must be realistic. Otherwise, as practice shows, negotiations are delayed, which leads to publications and an increase in the amount.
Victim: As your advocate, I understand your position. A few questions from the board:
1) The data you have taken - how do we receive it back?
2) Do you explain how you took the data and got into our company?
3) What guarantees do you provide that you will not attack us again?
4) What assurance do we receive that the data does not leak in 6 months from now (how do we know that you destroyed it)?
Victim: 5) What if the decryption key does not work - do you provide some type of support?
Attacker: 1) You can recover this data using the decryptor anyway. But if required, we will provide you with a link to all your data.
2) Yes, we will provide you with information on how we got into the company's network and how we got access to all the data.
3) We don't do that kind of thing. This would ruin our reputation. We will give you recommendations on how to avoid a repeated intrusion (from other teams).
4) Why will we not save them - why waste resources on this? As soon as we receive payment, we will delete the data from all backup servers and it will remain on only one server so that you can download it if you need it. Then we will remove it from there. This is a business. If we leak, we will ruin our reputation and other companies will not pay us.
5) Our software is time-tested. This will not happen if you have not tried to restore data using third-party software.
Victim: Thank you for this. I will provide it to the board. I do not know what time zone you are in, but I suspect the board will provide me guidance in the AM. I do not know if you take a rest in your business.
Attacker: Good. We will be in touch.