Sign in Subscribe
Negotiations

Three Words That Ended a Ransom Demand: “We Are Restoring.”

Sean

5 min read
Three Words That Ended a Ransom Demand: “We Are Restoring.”

Ransomware attacks are more than technical problems — they’re emotional standoffs. Behind every encrypted file lies a tense back-and-forth where fear, patience, and control collide.

The transcript of a conversation with the ransomware group reveals how these negotiations really unfold: one side tries to intimidate, the other struggles to stay composed.

The Opening Pitch

The conversation starts with a short, formal message from the attacker:

“Hello and welcome to <Redacted>. How may I help you?”

The politeness is deceptive. Within seconds, the tone shifts.

“To decrypt your files you have to purchase the decryption software. It costs $15m for you.”

It’s a bold opening — part threat, part sales pitch. The attacker sets the price high to assert dominance. But the negotiator doesn’t flinch.

Standing Ground

The victim replies carefully, refusing to confirm details about the company or share identifying information. They explain that they’re only a representative and don’t want to discuss sensitive data in an unsecured chat.

The attacker becomes suspicious:

“We have doubts you are from company. We need the proofs that you are from there.”

The negotiator pushes back, trying to move the conversation forward:

“Yes, let’s talk about price and what you get for our data.”

This marks a key shift — from emotional reaction to practical negotiation.

Finding Leverage

The victim mentions they have backups and can recover systems, even if it takes time.

“We have a backup created by other software and transferred to a SAN to a backup data center. Restoration will take a long time, but it is possible.”

That single sentence changes the balance of power. The attacker realizes they’re not dealing with a helpless target.

Now the negotiator offers $1 million — a fraction of the original demand.

“The data you hold is worth no more than $1,000,000. A higher price is not acceptable.”

By naming their limit, they turn the ransom into a standard business negotiation, not a desperate plea.

The Pressure Game

When logic fails, attackers often turn to emotion. Here’s where the conversation takes a darker turn.

“One of your competitors was hit the same yesterday if it helps to your feelings.”

It’s a calculated attempt to raise concerns — to make the victim feel isolated or behind. The attacker even adds:

“By the way, they offer much more than you.”

But the response is calm, short, and confident:

“We are restoring.”

No panic. No fear. Just quiet defiance. Those three words end the psychological game.

Reading the Table

This transcript shows more than a price negotiation. It’s a high-stakes poker game. Each side is bluffing, watching for tells, and testing how far the other will go. The victim doesn’t win by showing all their cards — they win by staying calm, reading the room, and knowing when to call the bluff.

Backups play a huge role here. Without them, the victim would have no choice but to pay. With them, they can stall, push back, and ultimately reject the deal.

Equally important is tone. The negotiator never resorts to threats or pleading. They keep the conversation factual, short, and unemotional. Every response builds a wall against manipulation.

The Takeaway

At the end, the chat fades out not with agreement, but with quiet resolve.

“We are restoring.”

It’s not just a status update — it’s a statement of control. The company isn’t broken. It’s rebuilding.

That’s what resilience looks like in the face of extortion: calm, patience, and preparation.

Full Transcript

FULL TRANSCRIPT:

Attacker: Hello and welcome to <Redacted> How may I help you?

Attacker: To decrypt your files you have to purchase the decryption software. It costs $15m for you.

Victim: I am a spokesperson for the company and I will sell the information to my customer. Because this is not secure communication, I do not want to state the name of the company and I assume that we will delete this chat after the meeting.

Attacker: We have the doubts you are from company we need the proofs that you are from there.

Victim: If you want to pay, then this is the only way to come to an agreement. So that emotions are not used in the negotiations, I am here as an intermediary. My client doesn't want to negotiate, even though it seems to be the only option. Although they have backups, but the restoration will take some time, so I would like to negotiate an adequate price.

Victim: If you do not want to cooperate, then I will pass this information on to the customer and the media to make it obvious that <Redacted> are a group of crooks.

Attacker: To start a cooperation, we have to know with whom we a dealing and you failing it. So far you looks as some boring guy who got a sample from virus total and obtained the chat link.

Victim: Actually I don't have much time to deal with authorization. I want to help the customer and negotiate the terms of cooperation. Just because anyone can watch this chat, I don't want to share any information and prove that I am who I am. Do you want to negotiate the price?

Victim: I certainly don't feel like fucking with you. I want to talk and get this thing resolved as soon as possible.

Victim: Yes, let's talk about price and what you get for our data. Then we can discuss the price of the decryptor.

Victim: Oh, I see. So how do we do it?

Victim: 2) administrator

Attacker: Ok, John thank you. So you see the price, you need to pay it.

Victim: Are we really not? This account was sent by their owner. If we don't make a deal, I'm gonna look like an idiot.

Victim: The price is not adequate. Give me a price I can pass on to the owner of the company.

Attacker: Do you want me upload a sample with office documents? The emails and sqls are too big but we have them all.)

Victim: Do you also have the passwords of the domain users? Give me a screenshot.

Victim: We have a backup created by other software and transferred to a SAN to a backup data center. Restoration will take a long time, but it is possible. What databases do you have?

Victim: Data in databases should be encrypted. Just because you have database servers doesn't mean anything.

Attacker: To complicated, we said what will provide if we’ll agree on price. $700k is unacceptable.

Victim: The data you hold is worse for us than having to recover it. The data you hold is worth no more than $1,000,000, which is why we are offering this price. We can restore the data from offline backups (we have tested this). A higher price than $1,000,000 is not acceptable to us. If you don't accept this price, then I need to check with the owner of the company what we will do next and if we can offer more money.

Victim: We evaluate it subjectively. We have already written to people about PII, so the reputational impact has already occurred. We're gonna put new passwords in Active Directory. Office documents aren't that valuable to us. The only thing of value is the databases.

Victim: I understand, but for us only the know-how and customer information in the databases is worth anything.

Attacker: One of your competitors was hit the same yesterday if it helps to your feelings.

Attacker: By the way they offer much more then you.

Victim: We are restoring. I'm gonna go talk to the management.

Sign up for more like this.

Enter your email
Subscribe