“We Apologize, Here’s a Free Decryptor” — Ransomware Group CIS Exclusion Policy

Summary

The chat logs below record a ransomware negotiation between the victim and the Avaddon group. Avaddon opened by demanding 300,000 dollars to decrypt the data and threatened to leak sensitive information if the victim did not pay. The victim, a small company in Armenia, said that amount was far too much and tried to negotiate a much lower sum, but Avaddon would not budge. After a long round of talks and threats to double the ransom, Avaddon came back saying they had made a mistake: they do not operate in CIS countries such as Armenia. They handed the victim a free decryptor and a strong apology. On top of that, the attacker shared some tips for improving network security and advised the victim to run penetration tests and update any weak services.

Important Facts

  • Ransomware Group: Avaddon
  • Data Exfiltration: Claimed to have downloaded critical data, threatened publication on their leak site.
  • Restoration of Files: Promised decryption and removal of data from their servers after payment. Eventually provided a free decryptor due to jurisdiction restrictions.
  • Data Leak Threat: Threatened publication of stolen files if ransom was not paid within a deadline (66-67 hours), with price doubling afterward.
  • Duration: Negotiations spanned several hours to days with gradual escalation and eventual resolution.
  • Total Messages: 69

Key Events

Initial Ransom Demand:
Avaddon demanded $300,000 for decryption, data removal, proof of deletion, and a security report.

Victim’s Financial Constraints:
The victim, from Armenia, stated $300,000 exceeded their three-year budget and offered $3,000, which was rejected.

Negotiation & Discount Offer:
Avaddon offered a 50% discount lowering the price to $150,000 if paid within 67 hours, warning that the price would double afterward.

Victim's Counteroffers & Attacker’s Threats:
The victim offered lower amounts ($15,000–$20,000), which were declined with threats of data leaks, DDoS attacks, and reputation damage.

Involvement of Victim’s CEO:
The CEO joined the conversation to negotiate but was still faced with a minimum ransom demand of $150,000.

Threat of Price Increase and Urgency:
The attacker pressed for payment before the deadline, warning that the price would double if ignored.

Jurisdiction Policy & Free Decryptor:
Avaddon revealed their policy not to operate in CIS countries (including Armenia) and provided a free decryptor for the victim’s network together with an apology.

Security Advice Given:
The attacker advised the victim to conduct penetration testing, update vulnerable services such as Microsoft Exchange servers, and improve password security.

Closure:
The attacker asked (indirectly) whether the victim had reported the incident to the police, received reassurance, and ended the conversation amicably.


Notable Quotes

🏠
Victim: "my house cost 15.000$ in all"
🖥️
Victim: "we can pay or go ahead to reinstall all our systems."
📉
Attacker: "Reinstalling all systems and restoring the workflow will take a very long time and you will incur heavy losses."
💰
Attacker: "If you pay within 67 hours, we will offer you a 50% discount."
Attacker: "Contact us if you see this, it looks like we have a misunderstanding."
👨‍💼
Attacker: "We want to talk to your boss."
🌐
Attacker: "Our policy of work does not allow working in the CIS countries, so we will give you a decryptor general with which you can decrypt your entire network."
😣
Attacker: "We strongly apologize for this unpleasant incident"
👮
Attacker: "Ok guys, excuse us again, I hope you didn't report this to the police? :)"

Full Chat Logs

Attacker: Hello from Avaddon Team. Price for you is $300,000. We have downloaded a lot of critical data, which will be published on our news website (http://redact.onion) if you do not make a payment. After the payment we will decrypt all your systems, give you listing of files that we have taken, remove data from our servers and give you proofs of deletion. Also we will provide you with security report, so you can fix all your vulnerabilities and be safe again.
Attacker: We are ready to talk to you and discuss on this matter ....
Victim: hi
Victim: is anyone here?
Attacker: Hello!
Victim: want to talk to you about this situation
Victim: your price is very expensive for us
Victim: 300.000$ is our 3 year budget
Victim: tell us the real possible price and we ready to pay
Attacker: How much can you pay at most?
Victim: give me 5 minute
Victim: i will talk with my chief
Attacker: ok
Victim: ready to pay 3000$
Attacker: This is a joke?
Attacker: Your price is $ 300,000.
Victim: 300.000$ is a joke
Victim: because we haven't this amount of money
Victim: 3000$ we can pay or go ahead to reinstall all our systems
Victim: search on map our country Armenia
Victim: 300.000 is our country budget how we can pay this kind of money?
Attacker: Perhaps the price is too high for you and we are ready to make a small discount.
Attacker: But on $ 3,000 we will never agree.
Attacker: Reinstalling all systems and restoring the workflow will take a very long time and you will incur heavy losses. The best option would be to pay and get back to normal quickly.
Victim: yes you are right
Victim: we will lose money while trying to reinstall all systems and getting back information from external backups
Victim: but don't lose so much as you want
Victim: 3000$ ready to pay, agree or not?
Attacker: We have a lot of your important files that we will publish on our blog if you do not cooperate with us.
Victim: I know all this
Victim: but we haven't money!
Victim: what can we do?!
Attacker: You will never be able to get your files back without our decryptor! Only we have a unique key to decrypt your files. Don't waste time and money trying to decrypt files yourself.
Victim: I know that very well
Victim: I communicate with you before
Victim: I know all this processes
Victim: and now that we cant decrypt our files
Victim: we just can reinstall all systems and restore backups but it will take too long for us
Attacker: We are ready to make a very big discount for you. If you pay within 67 hours, we will offer you a 50% discount. Then the price will again be $ 300,000.
Victim: so we ready to pay as much as we can
Attacker: Now you need to pay $ 150,000.
Victim: what's your name?
Attacker: It does not matter.
Victim: you know our country?
Victim: how the small firm in Armenia can pay you 150.000?
Victim: my house cost 15.000$ in all
Attacker: Sir, you are offering us a ridiculous price, it does not suit us at all. Before we set you a price of $150,000, we analyzed your profitability and your capabilities in general, this price was taken not from the sky, but according to specific criteria, and by analysis.
Victim: what can I say, your analysis is wrong...
Victim: last time a year ago I paid 1700$ for your decrypting key
Attacker: And we will tell you that $ 15,000 is still not enough, and we do not agree to such a small amount. Suggest more or we will use other methods. We can share your financial statements, your employee and customer data, and more in the public domain. Use DDOS. We can completely ruin the reputation of your business. Then you will have a lot of problems and you will suffer a lot of damage. You choose ...
Victim: I don't even suggest 15.000$, because I haven't
Attacker: We want to talk to your boss.
Victim: I called him, will be here in 15 minutes
Victim: Hi, I'm CEO
Victim: my name is [redacted]
Victim: ready to cooperate with you ...
Attacker: Hello, [redacted]!
Attacker: Are you already aware of the situation?
Victim: yes, of course
Victim: but unfortunately your requirements are in not compatible with the budget of our company ...
Attacker: How much can you offer? As we already wrote, the amount of $15,000 or $20,000 does not interest us.
Victim: :)
Victim: and how much you want if you don't agree with 15.000 or 20.000?
Attacker: You're not serious! You do not understand the magnitude of the problems for your company. Are you ready to incur losses and ruin your reputation or will you cooperate and offer a higher amount?
Attacker: We have already offered you a very large discount, which we do not do for other clients. We have made a 50% discount for you.
Victim: I asked how much you want?
Victim: I perfectly understand all the risks
Attacker: The price for you is $ 150,000.
Attacker: After the expiration of the time, the price will double and then it will be $ 300,000.
Victim: it's not serious my company is not able to pay you that kind of money let my IT specialists stay awake for several days and restore archives or pay you this money as they want
Victim: by
Attacker: You cannot recover files without our unique key.
Attacker: You have 66 hours to start working with us or you will have a lot of problems.
Attacker: After 7 o'clock your amount to double. This is the last chance to pay at such a low price.
Attacker: Hi guys are you there ?
Attacker: Contact us if you see this, it looks like we have a misunderstanding.
Victim: hi
Victim: what you mean?
Attacker: Sir, we found out that one of the branches of your network is located in Armenia, our policy of work does not allow working in the CIS countries, so we will give you a decryptor general with which you can decrypt your entire network. We strongly apologize for this unpleasant incident and would like to say that we will help you restore your systems even if you have any problems.
Victim: really? this is a great news
Victim: despite the fact that we already recover most of our information, we will be thankful if you give us the key
Attacker: You can download the decryptor.
Victim: from where? give link please
Victim: is it free software?
Attacker: http://redacted.onion/[redacted]/buy
Victim: look like it's work...
Victim: can you also help us to understand how you did that?
Victim: we want to found out loophole in our network
Attacker: Weak passwords.
Victim: but how you could come in to our network?
Attacker: I will clarify this point.
Victim: we will wait for your clarifying and will be very thankful for your support
Attacker: Ok
Attacker: You guys should do penetration tests more often. Hire a professional company and they will find all loopholes in your network. It will cost you few ten thousands but you will be safe.
Attacker: Update all services with outside internet, especially Ms Exchange server.
Victim: you used zerologon exploit ?
Attacker: We cannot say anything more for security reasons for personal purposes.
Victim: ok , we understood , thanks for information , we will upgrade our exchange server and do several things for security
Attacker: Ok guys, excuse us again, I hope you didn't report this to the police? :)
Victim: ))
Attacker: What does it mean ?:)
Victim: don't worry about that
Attacker: Ok sir , good luck