Ransomware negotiation(s) with Akira



Hello

Hello. You've reached Akira support chat. Currently, we are preparing the list of data we took from your network. For now you have to know that dealing with us is the best possible way to settle this quick and cheap. Keep in touch and be patient with us. We will reach out to you soon. Do you have a permission to conduct a negotiation on behalf of your organization?

yes i do have permission

Ok, thank you. I will get back shortly with more information.

ok, We are here waiting.

We have to inform you that we are experiencing technical issues at the moment. All the details will be provided on Monday the latest. Our deepest apologies. Meanwhile, to prove that we can properly decrypt your data you can upload 2-3 encrypted files to our chat and we will upload decrypted copies back. We offer: 1) full decryption assistance; 2) evidence of data removal; 3) security report on vulnerabilities we found; 4) guarantees not to publish or sell your data; 5) guarantees not to attack you in the future. Let me know whether you're interested in a whole deal or in parts. This will affect the final price.

ok, will get those files for you. what is the amount you are asking?

List.txt // 9.56 MB

This is the list of files of [redacted] company. We are working on transporting files of the rest companies and will provide you with the lists for them soon. We're willing to set a $2,000,000 price for all the services we offer.

ok, thank you.

hi, when can we expect to receive the additional lists?

In a few hours.

[redacted]_full_listing.rar // 1.46 MB

This is everything we hold.

Given the fact that we hold data of two more companies, we've reconsidered the price for the full deal - $2,400,000. Let us know whether you are interested in a test decryption or files for proof. In case of quick payment we can make a discount.

pulling down the listings now. appreciate your patience.

Let us know if you are interested in a test decryption and proof files. Waiting for your answer tomorrow.

ok, we are working on your requests. Please allow us some time to review the file listing and send requested files.

Please keep in mind that tight cooperation with us often leads to a more positive end of a deal.

We are waiting for your decision today.

We are looking through all the file listings you gave us. We will get you some files soon. appreciate your patience.

Do not forget about files for the test decryption, if you need it.

Definitely appreciate your patience. My team is highly stressed due to the incident, and are working to get you the files as soon as possible.

Speed things up on your part and nothing bad will happen.

ok noted, will make sure to pass this information along to my boss.

If we don't get your decision within next 24 hours, we will be forced to announce your corporate data leak on our blog.

[redacted].edi.[redacted] // 793 Bytes

[redacted].edi.[redacted] // 1.42 KB

[redacted].edi.[redacted] // 23.4 KB

[redacted].csv.[redacted] // 74.8 KB

[redacted].csv.[redacted] // 1.1 KB

Definitely appreciate your patience and working with us. We have almost completed going through the file listing and will provide you files soon. While we finish that, can you please decrypt these files.

Yes, I've passed the files to my tech dept. Please wait.

files.zip // 14.8 KB

Here they are. Please check.

thanks, pulling these down for review. will provide an update when we can.

We have to close the deal this week. Are you in time?

We are working as fast as we can. we really appreciate your patience with us during all of this. After reviewing the file listings can you provide the following files please.

Backlog detail 2021.xlsx, [redacted] Rate 10.24-10.28.22.xlsx, Keywords.xlsx, [redacted] Inspection Log 2023.xlsx, img20230508_[redacted].pdf, [redacted] Tax Codes.pdf, Interest Payment [redacted].pdf, Sales Service Agreement.docx, Annual Refiling Survey [redacted].pdf, [redacted] - Aug Insurance Exp [redacted].xls, [redacted] - Accrue Deprec for [redacted].xls, [redacted] - Clear Obsolete Inventory [redacted].xls, [redacted] - Loss on Sale & Liquidation of Assets [redacted].xls, [redacted].xls, [redacted].PDF, [redacted] Tests.xlsx, [redacted].PDF, [redacted].PDF

Too many files but ok. We will provide shortly. Meanwhile, how's it going with fund gathering?

[redacted].rar // 3.12 MB

You can review the files.

When reviewing the decrypted files you sent back, we noticed that 2 of them are not what we expected to see as they came back with some empty fields. Can you please decrypt the attached files again and send it back to us so we are able to confirm the decryptability. Appreciate you working with us.

[redacted].csv.[redacted] // 74.8 KB

[redacted].csv.[redacted] // 1.1 KB

We will check but we actually have some doubts that they are corrupted. If it is an attempt to win more time, nothing good will happen. Please wait.

The files are ok. In 24 hours we will announce your corporate data leak on your blog. Early next week your data will be published. Thank you.

We are not stalling for time, we are wanting to make sure that the decryption process brings back the data in its entirety. The 2 files we are asking about it appears that it dropped fields off at the end of the files.

I'll ask to double check but bear in mind that we are posting you in our blog tomorrow if there is no payment decision from you.

We had very good backups and only about 1/4 of our data is encrypted now. We have approval to pay you $800k tomorrow for decryptors, proof of data deletion, and security audit report. Leaking our name will make our ability to pay much harder. Please accept so we can put this behind us.

We appreciate this offer but all we can do is to give you 20% discount in such circumstances.

I have very good news. I was talking to the upper management and they are willing to accept $1,4M today for all the outlined options. On Monday we will have to return to our previous demand. Do we have a deal now?

So, I passed your request regarding those files to the tech department. After decryption these same files were increased in size and then re-encrypted. After decryption, the files remained the same size, which means that our decryptor absolutely works correctly. It also means that you tried to play unfairly and gain more time. We also doubt your stories about "good backups". Based on all of the above, our offer of $1.4 million when paid today still stands, but we will not accept anything below $2 million on Monday. If you refuse and break the deal, we will simply publish your stuff and forget about you.

Thank you so much for working with us. In good faith we are going to reveal to you that we only have $1,000,000 to work with. We can pay you all of that today. To get any more will be very hard and take many more days. Please accept $1 million and we will get that to you today

Please wait.

Ok, the leadership has approved that number. Here is a BTC wallet ID for payment: [redacted]

How soon are you able to make a transfer?

We are wiring the money to a broker now. They say a couple hours

Ok, standing by.

To confirm we pay you $1,000,000, and you will deliver whole network decryptors for linux, and windows, promise to not publish or sell our data, provide proof of deletion, and a security audit report?

We do confirm the terms.

and guarantees not to attack us in the future

Sure.

thank you. sending bitcoin shortly

Standing by.

We just sent a test transaction. Please verify and we will send the rest

Test transaction confirmed on blockchain. Please verify

Hello?

We will be back in east coast usa morning to send you the rest

Hello. We have received 0.0001 BTC.

Thank you. Are you ready to receive the rest?

sending the rest

Coin sent. Txid: [redacted]

We have received, thank you. Please wait for the decryptor first.

We will provide everything within 24 hours. Thank you for your patience.

Thank you for update. We will continue to nervously wait

Just checking. Please provide what you promised soon

decrypt.zip // 479 KB

decrypt.exe
Name: decrypt
Usage: cli args
Flags:
--path : Start path
--secret : Private key
--logs : Print logs. Valid values for: trace, debug, error, info, warn. Default: off
-h, --help : Show help
-----------------------------------------------------------
Build information:
Version: 2023.9.5
SECRET KEY: "[redacted]"
-----------------------------------------------------------
decrypt.exe --path --secret : Private key --logs
----
decrypt.exe --path C:\ --secret [redacted] --logs trace
decrypt.exe --secret [redacted] --logs trace

thank you we are working on this now. can you provide a security report or how you got in and what we need to do better?

Initial access to your network was purchased on the dark web. Then kerberoasting was carried out and we got passwords hashes. Then we just bruted these and got domain admin password. Spending weeks inside of your network we've managed to detect some fails we highly recommend to eliminate:
1. None of your employees should open suspicious emails, suspicious links or download any files, much less run them on their computer.
2. Use strong passwords, change them as often as possible (1-2 times per month at least). Passwords should not match or be repeated on different resources.
3. Install 2FA wherever possible.
4. Use the latest versions of operating systems, as they are less vulnerable to attacks.
5. Update all software versions.
6. Use antivirus solutions and traffic monitoring tools.
7. Create a jump host for your VPN. Use unique credentials on it that differ from domain one.
8. Use backup software with cloud storage which supports a token key.
9. Instruct your employees as often as possible about online safety precautions.
The most vulnerable point is the human factor and the irresponsibility of your employees, system administrators, etc. We wish you safety, calmness and lots of benefits in the future. Thank you for working with us and your careful attitude to your security. The evidence of data removal will be provided soon.

Thank you. We wait for proof of deletion.

[redacted] dellogs.rar // 524 KB

There are three files in the archive.

This information is provided by Valéry Marchive