The REvil Negotiation: When Ransom Meets Reality

Ransomware talks are usually full of pressure and fear. Hackers make demands. Victims panic. Someone pays.
But a recent negotiation with REvil shows something different. The victim’s negotiator didn’t just plead. He pushed back. He argued. And in the end, he cut the ransom down from $7.5 million to about $1.27 million.
Setting the Stage: A Company in Crisis
The negotiator started with honesty. He told REvil the company was already in trouble.
“The amount of XMR requested to my client to get the decryption tool ... is huge and my client cannot afford to fully pay your claims. My client is trying to cope with this difficult situation, since it has been heavily struck by the current economic crisis ... with a dramatic fall of sales in the last months.”
He explained that sales had collapsed during COVID. Workers had been laid off. The business had been losing money for years.
Then he made the first offer: $500,000.
REvil Pushes Back
REvil called the offer a joke. They said it wasn’t serious. They gave a “discount,” but only if payment was fast. Then they warned:
“If no, we start publication data part by part to speed up you.”
This is the usual ransomware script. Deadlines. Leaks. Fear.
But the negotiator didn’t change his story. He kept repeating: the company just couldn’t pay that much.
Turning the Tables
REvil tried to use the company’s stolen financials against them. They uploaded reports and insurance documents, pointing to money they thought was available.
The negotiator flipped it back on them:
“Are you sure you are able to read the numbers? My Client has been losing money since 2010… I think you picked the wrong victim and the financial analysis you have performed prior to undertaking the hacking operations is absolutely wrong.”
Instead of looking weak, he made the hackers look foolish.
A Negotiator’s Boldness
Most victims try to sound scared enough to win mercy. Not here. This negotiator went on the attack.
“Maybe you will be able to understand that economics is not hacking and my client is not [redacted] nor [redacted] nor [redacted]...”
At another point, he told them flat out the stolen data wasn’t worth much:
“My client resells commodities ... with a B2B model, there’s no industrial secret to be protected. And again, please believe me that I’m not bluffing on this point.”
He wasn’t begging. He was lecturing.
The Break-Even Point
Then he introduced something new: a break-even number.
He explained that the company could rebuild its systems from scratch for about $800,000. Anything more than that made no sense.
“If my client pays a dollar more, it won’t be convenient for him.”
This gave REvil a clear choice: take less, or get nothing.
Shifting Ground
The hackers kept pushing. They dropped their demand to $5 million. Then $2.5 million.
The negotiator held firm. He even cited other REvil cases he’d worked on:
“This is the sixth time I bumped into REvil and my client has never paid more than 1 M USD.”
That was a bold thing to admit, but it made his offer look realistic.
The Final Stretch
The victim eventually pulled together $1.27 million. That was all they had.
REvil tried one last move. They asked for $1.5 million. But in the end, they accepted the $1.27 million.
They gave the decryptor, with simple instructions:
“To use a decryptor run it as administrator and turn off antivirus before.”
And in a strange twist, they even explained how they broke in:
“We find a login to https://remote.[redacted].com. After that we made a kerberoasting attack and decrypt admin hash ‘12qwer34’. That’s all. You need to use any 2fa solution for your citrix server.”
Hackers giving security advice—almost surreal.
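The entry path the attackers describe above (a purchased Citrix login, then Kerberoasting to recover the weak admin password they quote) leaves a recognisable trace on domain controllers, and watching for it is the complement to the 2FA advice. The following is an added example, not code from the original post or from any tool it mentions: a detection heuristic over constructed Windows Security Event ID 4769 records that flags one user account obtaining RC4-encrypted service tickets for many distinct SPNs in a short burst. All event records, account names and SPNs are constructed samples.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Security Event ID 4769 ("A Kerberos service ticket was
# requested") records; not taken from the page.  The keys mirror the event's
# TargetUserName, ServiceName, TicketEncryptionType and Status fields.
SAMPLE_EVENTS = [
    # Ordinary user: AES (0x12) tickets for the two services it really uses.
    {"time": "2020-07-06T08:00:01", "account": "j.doe", "service": "MSSQLSvc/db01.corp.local", "etype": "0x12", "status": "0x0"},
    {"time": "2020-07-06T08:02:10", "account": "j.doe", "service": "HTTP/intranet.corp.local", "etype": "0x12", "status": "0x0"},
    # Machine account renewing its own tickets: expected noise.
    {"time": "2020-07-06T08:03:00", "account": "WS01$", "service": "cifs/fs01.corp.local", "etype": "0x12", "status": "0x0"},
    # Compromised remote-access user requesting RC4 (0x17) tickets for every SPN it can enumerate.
    {"time": "2020-07-06T08:05:00", "account": "ctx.user", "service": "MSSQLSvc/db01.corp.local", "etype": "0x17", "status": "0x0"},
    {"time": "2020-07-06T08:05:01", "account": "ctx.user", "service": "MSSQLSvc/db02.corp.local", "etype": "0x17", "status": "0x0"},
    {"time": "2020-07-06T08:05:01", "account": "ctx.user", "service": "HTTP/intranet.corp.local", "etype": "0x17", "status": "0x0"},
    {"time": "2020-07-06T08:05:02", "account": "ctx.user", "service": "svc_backup", "etype": "0x17", "status": "0x0"},
    # Failed request (Status != 0x0): no ticket was issued, so there is nothing to crack.
    {"time": "2020-07-06T08:05:03", "account": "ctx.user", "service": "svc_nope", "etype": "0x17", "status": "0x1b"},
    # One RC4 ticket an hour later: on its own this stays below the threshold.
    {"time": "2020-07-06T09:30:00", "account": "ctx.user", "service": "MSSQLSvc/db01.corp.local", "etype": "0x17", "status": "0x0"},
]

# RC4-HMAC ticket encryption types.  Tickets issued with these can be cracked
# offline against a wordlist, which is how a password like the one quoted above falls.
RC4_ETYPES = {"0x17", "0x18"}


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")


def detect_kerberoasting(events, window=timedelta(minutes=5), min_services=3):
    """Return {account: sorted SPNs} for every user account that obtained RC4
    service tickets for at least `min_services` distinct SPNs inside `window`.

    Machine accounts (name ends in '$'), krbtgt requests and failed requests
    are skipped: they are not the signal this heuristic looks for.
    """
    per_account = defaultdict(list)
    for ev in events:
        if ev["status"] != "0x0" or ev["etype"] not in RC4_ETYPES:
            continue
        if ev["account"].endswith("$") or ev["service"].lower().startswith("krbtgt"):
            continue
        per_account[ev["account"]].append((parse_time(ev["time"]), ev["service"]))

    findings = {}
    for account, requests in per_account.items():
        requests.sort()
        flagged = set()
        start = 0
        for end in range(len(requests)):
            # Slide the window so that it spans at most `window` of time.
            while requests[end][0] - requests[start][0] > window:
                start += 1
            in_window = {spn for _, spn in requests[start:end + 1]}
            if len(in_window) >= min_services:
                flagged |= in_window
        if flagged:
            findings[account] = sorted(flagged)
    return findings


if __name__ == "__main__":
    for account, spns in detect_kerberoasting(SAMPLE_EVENTS).items():
        print(f"possible Kerberoasting by {account}: RC4 tickets for {len(spns)} SPNs -> {spns}")
```

Tune `window` and `min_services` to the environment; service accounts that legitimately still use RC4 are the usual source of false positives and belong on an allowlist or, better, migrated to AES.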
Why This Case Stands Out
This wasn’t a normal negotiation. A few things made it unique:
- The negotiator argued hard and kept the story consistent.
- He used the hackers’ stolen data against them.
- He set a hard ceiling with the break-even point.
- He openly challenged their logic and even mocked their assumptions.
- He relied on history, showing that past REvil victims often paid much less.
REvil still got over a million dollars. But that was far less than what they first demanded.
Conclusion
Ransomware talks aren’t just about numbers. They’re about stories. Hackers assume you can pay. If you change that story—and make it stick—you can shift the outcome.
Here, weakness became a weapon. The negotiator used layoffs, losses, and even COVID as leverage. He made the hackers face reality.
And that’s the lesson: in ransomware, words can be worth millions.
Full Transcript
Victim: Hello guys,
I am the person in charge to negotiate with you on behalf of my client. The amount of XMR requested to my client to get the decryption tool, the files back available and not published in the dark web (I have seen some exfiltrated data are published on your blog) is huge and my client cannot afford to fully pay your claims. My client is trying to cope with this difficult situation, since it has been heavily struck by the current economic crisis due to the coronavirus pandemic, with a dramatic fall of sales in the last months. My client’s net revenues amount to EUR 500.000,00 in the last financial statement (2.5 billion as gross revenues, which is a not relevant data if you guys are acquainted with economics). The financial situation of my client has been catastrophic since 2010, with a substantial decrease y/y in net revenues and gross operating profits. The cyberattack you have carried out on my client’s systems has blocked the company operation and all its internal operations have been shut down including deliveries, and as a consequence my client is not able to fulfil the market with its copper products and get revenues. My client has already had to make budget cuts and fire many of its employees or put them on unemployed insurance, with devastating effects on families and children amid the economic crisis due to Covid19. Therefore, it is impossible for my client to pay you 7.5 million USD. According to my client’s financial condition, I think he might be considering paying a certain amount in order to protect his business and to obtain the decrypting tool for all the files very quickly. However, such amount would be lower than the one you have requested, due to the heavy financial situation. In my personal opinion, my client has the financial availability to pay you 500.000 USD very quickly. A greater amount would be very difficult (almost impossible in my very personal opinion) to be paid because of the current financial situation. Let me know on this point.
Attacker: Hello. We have deals with many companies every day, our pricing policy takes into account the Covid19 crisis. Do not take cover by this, the price is affordable for the company. 500k from a company like yours is not seriously, of course we can give you a discount that will depend on the quickness of your payment, but price can't be too low as you ask for. We hid the post from our blog for the talks. If we will have a deal this information will not be ever published.
Victim: What kind of discount are you guys thinking about? My client is really in a dire economic situation as previously said and I will try my best to convince him to add few money on the negotiation table. However adding money to his last offer would entail more budget cuts and firing more employees, leaving families without livelihood in this dramatic financial crisis.
Attacker: You have no chances with $500,000 or this level of amounts of money, even don't try bluff by this. If you pay shortly, we accept $6,75M. If no, we start publication data part by part to speed up you.
Victim: We are not bluffing and you do not know the financial situation of my client. However I will get back to you as soon as my client gives me a feedback on your so called "discount".
Attacker: https://www.sendspace.com/file/[redacted]
Attacker: [redacted]_Consolidated Financial Report 310320.pdf
Attacker: If you can't find your insurance manual, here it is.
Victim: Oh well, so you guys are familiar with economics. Are you sure you are able to read the numbers? My Client has been losing money since 2010. In the consolidated financial report you exfiltrated you can see that in the first three months of 2020 only the financial loss amounts to EUR [redacted] M. And take a look at the net financial position as at 31 March 2020 which is negative by EUR [redacted] M. Moreover, look at bond trading level (30% yield) that my client needs to repay: [redacted]. The financial situation of my client is negative. I think you picked the wrong victim and the financial analysis you have performed prior to undertaking the hacking operations is absolutely wrong. Look at the chart herein attached and maybe you will be able to understand that economics is not hacking and my client is not [redacted] nor [redacted] nor [redacted] (the latter, just to remain in the [redacted] boundaries and a victim you may know).
With regard to the insurance manual you guys have exfiltrated please note that the insurance company Chubb does not cover the expenses related to a ransom payment but only the expenses my client is facing for business interruption and recovery.
This being said, my client needs to resume normal operations as soon as possible minimising financial losses due to inactivity caused by your actions. So we need to find a trade-off between your requests and my client’s capability to pay. Too much money requested and really my client does not have that financial capability. My client understands your position and aspirations but can’t reach that amount. Overnight I convinced my client to add more money on the table. His offer now amounts to 750.000,00 but this will entail more sacrifices in terms of employment and debt repayment. People will be fired amid this financial crisis but I guess you guys don’t care about people left without livelihood.
If you guys don’t accept it, my client will set up the new infrastructure without data. It won’t be easy but my client is pretty sure to go back on the business within a few weeks. I mean my client is making the argument that the cost to restart the new infrastructure without data will not be higher than 700-800 k USD. That amount represents the break-even point for my client. If my client pays a dollar more, it won’t be convenient for him. So accept these 750 k USD or set a new affordable price or get nothing. If you accept or if you set a price which my client is able to meet, he will start the payment process as soon as possible, after finding a trusted exchange.
Please stop the countdown as usual during the negotiations with your hacking group.
Attacker: Good morning. Sorry, but your offer still isn't interesting for us. Companies with revenue like 10kk usually pays us this value. Come back later when you will be able to pay more. We can wait but your client doesn't have enough time.
Attacker: If you think it's easy to restore for 800k - go and do it. We don't care. First dump will be full of your client net passwords, [redacted] email dump, phone and password (that he use in many other services than your network). Next will be with clients info, NDAs, payment information and technical specification of your production.
Victim: Do you mean if we do not strike a deal in 1 day 8 hours and 41 minutes you will double the price requested?
Attacker: sure not
Attacker: I added you 7 days.
Victim: Ok guys. What I am trying to let you understand is that my client is not in a good financial position and the financial statement you have had the chance to read clearly testifies what I am saying. The production plants are on hold and people are put on unemployed insurances and are being fired. I know that you guys don’t care because your goal is your personal profit. You carried out a perfect and clean job on my client’s network I have been told and you clearly deserve to be rewarded for your work. The issue is not if my client is willing to pay but how much money my client can afford to pay without worsening his financial condition and safeguarding jobs and families. This is the main issue. You guys are considering the data exfiltrated as valuable data that may cause a catastrophic reputational damage to my client if disclosed to the general public. Well, this is not the case. My client is not interested if you guys disclose [redacted] email dump or NDAs or whatever document you have in your hands. The value of the data you guys have stolen is irrelevant to my client. My client resells commodities ([redacted]) with a B2B model, there’s no industrial secret to be protected. And again, please believe me that I’m not bluffing on this point. You have read the documents you have stolen and you guys are experienced in the field: I bet you haven’t found any information worth USD 6.75 M. Any. So again, my client is interested in a quick restore of its network. Analysts have estimated that to restore the systems from scratch it will cost around EUR 800 k. Then there is the business interruption which is also covered by the insurance policy you have had the chance to read. If my client gets the decrypter, the network will be restored faster and the business will restart in a matter of days. Otherwise it will take longer but the costs incurred by my client will be integrally covered by the cybersecurity insurance policy.
This being said, we are at a negotiation table. Your demands (USD 6.75 M) do not match our last offer (USD 750k). We are way too far to reach an agreement. You guys say that our last offer do not meet your expectations and to come back with a higher offer. But you guys have not lowered your request and showed any availability to reach an agreement and a win-win solution for both the parties involved. I mean, this is not a negotiation. Are you guys willing to get a reward for your team? What if I convince my client to put USD 1 M on the table? My client will never pay you the amount you have requested, but with some sacrifice he might be able to reach the USD 1 M threshold.
Attacker: You write a lot of text but all of this doesn't matter. Why? [redacted] is ONE of the WORLD's LARGEST manufacturers of [redacted]. Your client spent some millions on recovery software and hardware for it, but admins using passwords like "[weak password redacted]". But sure we can't take your 1M offer because this is ridiculous. We are thinking that you are bluffing and trying to make price so lower, but I understand it is just your job. You working fine, price updated to $5M.
Victim: Hey guys, thanks for lowering the price.
Victim: I mean that being one of the largest corporations does not imply to be the richest. This is the point
Victim: If my client had the financial resources you think the IT department would be stronger and [redacted] systems would be more secure
Victim: [redacted] IT department has proved to be very very little in terms of capacity and you guys have been good to leverage the vulnerabilities in [redacted] network. But this is not the point.
Victim: You are sure that [redacted] has the financial capability to meet your demands. If you look at the reports as well as at the newspaper news you can easily see that [redacted] is in deep trouble.
Victim: So I am not bluffing because I have been asked to keep the price as lower as possible. I am an experienced negotiator, I undertook many negotiations with REvil and I know how to talk with you guys. I know the threshold I can or I cannot exceed. This is not the case. My client has a very limited financial ability and I am not fooling you around.
Victim: So please do reconsider your demands and go for a win-win solution as REvil usually pursue.
Attacker: If you have undertook many negotiations with REvil you have to know that much smaller companies pay more than your offer.
Victim: Well, it hasn't been my case fortunately! Yes, I confirm I have undertaken many negotiations with REvil affiliates and I have not bumped into a negotiation with a payment of more than 1 M. Two months ago a REvil affiliate attacked a very famous Italian company. The initial request was 7.5 M USD, with revenues like [redacted]. The deal was closed at USD 750 K. You can ask REvil affiliates if I am not speaking the truth.
Victim: Moreover [redacted] does not give a shit about the data you have stolen, so I have been told. So please reconsider your request and maybe we can find an agreement.
Attacker: I think there were reasons for that, it is not for nothing that they reduce the price to 750k from 7.5m, you are too mistaken in thinking that the situation is the same here. I could cite cases when companies with ten times less revenue paid 3M, or paid 100k only for one personal computer, but it is not create rule, it is just an exception, exceptions only confirm the rule.
Victim: I can see your point and I get it. I think I am not mistaken and the situation is similar to the one I mentioned. I mean, the price paid depends on many factors: 1) financial availability 2) ability to restore the network without the decrypter 3) time necessary 4) consistency of backups 5) profit loss for business interruption and so on. What I am saying is that this is the sixth time I bumped into REvil and my client has never paid more than 1 M USD. But maybe they are exceptions that confirm the rule.
Attacker: Other Data Recovery Companies has never clients with paid more $5,000, but it is not means we will agree for $5,000 in case like this.
Victim: The situation is the following: 1) [redacted] has a very limited financial availability. 2) [redacted] is already working on network restoring (costs will be covered by the insurance policy) 3) the time necessary to restore the network from scratch will be almost 12 days 4) there are backups available on LTO tapes 5) the profit loss for business interruption will be limited and covered by the insurance policy.
Victim: I get your point but [redacted] offered USD 1 M clean, not 5 k$.
Attacker: In view of this situation, $ 5M is reasonable.
Victim: [redacted] does not have $ 5 M. I can try to convince the client to add more money, but there is no cash flow to pay the amount you have requested.
Attacker: Of course. Because $1M too low.
Victim: I know that the amount offered does not meet your expectations. What's a reasonable amount for you? Take into consideration what I have just told you in this talk.
Attacker: Our offer $5M
Attacker: Waiting for your...
Victim: Talk to the client and get back to you in a while
Attacker: ok
Attacker: Good morning. Do you have new information for us?
Victim: Yes. Talked to the client and they shared that profit margins on revenue that is generated is tiny, and due to the lack of business having actual cash to turn into monero is hard to come by. They understand you ask more money, but they wanted me to let you know that they are having a hard time coming across more money. Now they have access to USD 1.27 M in cash, but it won't be available until Monday since they can't send money with the banks closed.
Attacker: We have good news to you, price $2.5M for this deal. We prefer Monero, but provide you bitcoin payment method to make it easier for you. But there is a nuance, if you pay in bitcoins, the additional commission is 10%.
After payment we will fulfill all agreements with decryption, will provide any supports, delete the data from our servers and will provide you short report on how you were hacked, keep in mind we still have access to the network and watching for any movements.
Attacker: Refresh the page to see changes
Attacker: Hello. Are we waiting for your payment today?
Victim: Hi guys. Sorry for being late but my client took his time over the weekend to have internal meetings in order to respond to your last request. Notwithstanding my client has strived to find more budget to pay your claims, there is no more money available to be put on the table. The financial condition of my client is terrible and you know it and the economic situation of Italy has been catastrophic since a decade with impacts on [redacted]. My client can't afford to take away anymore money from the budget needed to run the company operations and to pay employees salaries. It has been a difficult decision and my client is fully aware that this decision could stop the negotiation with you guys and that consequently he won't get the decrypter. However my client has reached the maximum cap and the costs he might face without the decrypter are, according to cybersecurity analysts and loss adjusters, close to $ 1 M. So this is it. Let me know.
Attacker: If I understand correctly, your last offer is $1.27M, if we will agree, how many time do you need to make the payment?
Victim: Yes, correct. We will need about a day since buying Monero takes time, especially when we use a broker in the USA
Attacker: Okay guys so medium price between your offer and our waiting is 1.5kk. Price updated for 48h and it is final call. Write a message when you will start exchange for lock xmr rate.
Victim: Client again took some time to think about to your last offer. Due to the fact that Monero has high transaction rates (around +10%), my client is willing to pay you 1.27 M within the next 48 hours. Client is not able to fully meet your demands as you know and understand. Let me know if this is ok for you and client starts the payment process.
Attacker: ok. price updated.
Victim: Please do confirm that the decrypter is general and works for each and every system you guys have encrypted.
Attacker: Yes. general decryptor works for all system that was affected
Attacker: how much time do you need to make this payment?
Attacker: hello?
Victim: Be patient, we are working on it. Expect the payment very soon, a matter of hours.
Victim: Can you lock the Monero price for us? We are placing our order now.
Attacker: Ok. Freezed
Victim: Payment sent.
Attacker: Waiting for 10 confirmations by Monero network
Attacker: To use a decryptor run it as administrator and turn off antivirus before. You can use a decryptor as gui application or through cmd.
CMD commands:
dec.exe -full
dec.exe -path "C:\folder"
dec.exe -file "C:\folder\file.txt.random_ext"
* decryptor with -full option will decrypt all with default params.
If you use it as gui application, I recommend you choose "create backups" option. If you use decryptor without this option, you should not interrupt decryption process, otherwise some files will be irreversibly damaged.
How it works with "create backups" option:
1. Decryptor looking for encrypted file
2. creating backup of file
3. decrypting file
4. removing the backup
5. looking for a next file and loop repeating.
You can collect list of extensions, input to the textarea above the chat and click "Download" to generate General decryptor to decrypt files with these extensions.
But this way is not necessary, because we provide you the universal decryptor. It just works little slowest but you don't need collect anything, just download it and use on any system with admin rights.
DOWNLOAD:
Victim: Hi guys, thanks for reciprocating with decryptor. During our talks, you told me that in case of ransom payment you would have given my client a short report on how my client was hacked. Can you please provide such short report? My client is very interested about it and I think that after the successful transaction he deserves to know the entry point and how you gained privileged access to the network. Thanks for cooperation!
Victim: hello?
Attacker: Hi. We find a login to https://remote.[redacted].com
Attacker: After that we made a kerberoasting attack and decrypt admin hash "12qwer34". That's all.
Attacker: you need to use any 2fa solution for your citrix server.
Victim: Thank you guys. One last question, did you guys buy the citrix server credentials on the dark web? Or did you obtain the credentials in another way? You know, it is important for my client to understand in order to prevent future attacks from other ransomware gangs.
Attacker: yes. we buy it. somebody of your clients employee was infected but not by us.
Attacker: that's why i said to you that your client need to use 2fa on citrix server.
Victim: Thanks. Since you guys have been so available to answer my question, can you please tell me which is the account whose credentials you have purchased? It is very important for my client to ascertain responsibilities of the security incident.
Attacker: sorry. i cant give you that information.
Victim: Hello guys, sorry to bother you. But since the chat is still open I need one more info from you. It's very important for my client to get the full file tree and the list of the files you have exfiltrated, as well as the logs of the delete operations of such files. Can you help me?
Attacker: Hello. We don't store even list of files of companies which paid, and as log file too