Who Said That? The Confusion of a Ransomware Attack

Ransomware attacks are happening more often, and they’re hitting all kinds of organizations — hospitals, schools, local governments, and businesses of every size. When these attacks happen, systems go offline, files get encrypted, and panic sets in. But what’s often not visible to the public is what happens behind the scenes — the negotiation between the victim and the attacker. These conversations can be cold, scripted, and full of pressure. They show how attackers try to control not just your data, but your decisions.
One transcript from a real ransomware attack by the Akira group gives us a rare look inside one of these negotiations. It wasn’t long, but it revealed how attackers try to control the conversation from the start — and how things can go sideways fast.
The victim seemed unsure what was happening and questioned who they were talking to. At one point, they realized messages were appearing in the chat that they hadn’t written. This raised a serious concern: was someone else in the chat pretending to be them? Was their system still under attack, or had the attackers shared access with others? That confusion made the situation worse, and it gave the attackers an opportunity to push the negotiation in their favor.
Here’s a breakdown of what happened.
The First Message: Pressure and Control
The attackers started with a message designed to take control of the situation. They opened with:
Attacker: "Hello. You've reached Akira support chat. Currently, we are preparing the list of data we took from your network."
Then they made their pitch:
Attacker: "For now you have to know that dealing with us is the best possible way to settle this quick and cheap."
Right away, they pushed for authority:
Attacker: "Do you have a permission to conduct a negotiation on behalf of your organization?"
They also shared a threat, linking to a page that listed the victim’s company name:
Attacker: "If you want this post deleted, we must come to an agreement."
This approach is typical. Attackers want to force urgency and lock the victim into a specific communication flow — one that the attackers fully control.
Confusion on the Victim's Side
The victim was caught off guard and responded with confusion:
Victim: "Hello. What exactly is this? What is going on?"
And:
Victim: "And who are you?"
The attackers repeated their opening message. But things got stranger when the victim noticed something wrong:
Victim: "I never wrote you these things above. Did I log in to the right place???"
It seemed like someone else was in the same chat. The victim asked:
Victim: "Are other people have access to this platform under our password??"
This moment shows just how chaotic these situations can be. The victim started questioning their own systems and whether the attackers had broader access than they realized.
Trying to gain control, the victim made it clear:
Victim: "Of course I am authorized to talk to you on behalf of my organization. The problem is that it seems that someone who is NOT authorized to talk to you has access to this chatroom."
The conversation was already breaking down. The attacker’s strategy of forcing a tight script was being disrupted, and the victim’s fear of internal compromise only made it worse.
The Exit: Moving to a New Chat
The attackers responded by trying to reset the situation:
Attacker: "We have just sent a code for a new chat to your leadership by email. Please check and contact us asap in the new chat. We are waiting."
This is important. The attackers didn’t want to deal with confusion or risk someone leaking parts of the chat. They likely wanted to ensure they were speaking to someone with real authority — and without the back-and-forth mess.
Takeaways
- Attackers set the tone quickly. They push for control early. They direct the flow and repeat key lines to keep pressure on the victim.
- Victims are often unprepared. Confusion over who is speaking, what’s been said, and who has access can make everything worse. This can also delay response time and decision-making.
- Attackers only want real decision-makers. If someone can’t pay or approve a deal, they won’t waste time. That’s why they often ask upfront about negotiation authority.
- Controlling communication is part of the attack. Moving to a new chatroom gave the attackers a chance to regain control and possibly prevent further confusion.
Final Thoughts
This negotiation transcript shows how a ransomware event can quickly shift from a technical problem to a human one. The attackers know how to apply pressure, create urgency, and control the flow of information. They count on confusion, fear, and a lack of preparation.
For the victim, things unravel fast. It’s not just about encrypted files anymore. Now it's about trust — who has access to what, who’s authorized to talk, and whether their own tools and systems can be trusted at all. Missteps in communication can make a bad situation worse.
In short, ransomware isn't just about technology. It's about people, decisions, and clear thinking under pressure. Being ready means fewer surprises and a better chance to contain the damage.
Full Transcript
Attacker: Hello. You've reached Akira support chat. Currently, we are preparing the list of data we took from your network. For now you have to know that dealing with us is the best possible way to settle this quick and cheap. Keep in touch and be patient with us. Do you have a permission to conduct a negotiation on behalf of your organization? Once we get your reply you will be provided with all the details.
Attacker: Are you going to work with us.
Attacker: You can find your company name in our news column: https://akiral2iz6a7qgd3ayp3l6[REDACTED]36bad.onion If you want this post deleted, we must come to an agreement.
Victim: Hello. What exactly is this? What is going on?
Victim: And who are you?
Attacker: Hello. You've reached an Akira support chat. Currently, we are preparing the list of data we took from your network. For now you have to know that dealing with us is the best possible way to settle this quick and cheap. Keep in touch and be patient with us. We will reach out to you soon. Do you have a permission to conduct a negotiation on behalf of your organization? Once we get a response you will be provided with all the details.
Victim: I need my files and pictures back
Victim: Hello?
Victim: What is going on. I never wrote you these things above. Did I log in to the right place???
Attacker: Do you have a permission to conduct a negotiation on behalf of your organization? Once we get a response you will be provided with all the details.
Victim: How do I get my files back?
Victim: Of course I am authorized to talk to you on behalf of my organization. The problem is that it seems that someone who is NOT authorized to talk to you has access to this chatroom, because I did not write "How do I get my files back" above.
Victim: Are other people have access to this platform under our password??
Attacker: We have just sent a code for a new chat to your leadership by email. Please check and contact us asap in the new chat. We are waiting.