Ransomware negotiation(s) with
akira
Hello. You've reached Akira support chat. Currently, we are preparing the list of data we took from your network. For now you have to know that dealing with us is the best possible way to settle this quick and cheap. Keep in touch and be patient with us. We will reach out to you soon. Do you have a permission to conduct a negotiation on behalf of your organization? Once we get a response you will be provided with all the details.
Yes, I am authorized to speak with you on behalf of our organization. Why would you do this to us? We are a non-profit organization who offers free services for poor and homeless women. This is a terrible thing that has happened to us and you are hurting these women the most by this action. We desperately ask you reconsider what you have done and let us get our operations back to normal as quickly as possible. These people need our help and we need yours to get back to normal. We beg of you to do the right thing here.
So, let's do the right thing here settle this quickly and the people you care of will continue getting help.
These files were taken from your network prior to encryption. You can pick 2-3 random files from the list and we will upload them to this chat as a proof of possession. To prove that we can properly decrypt your data you can upload 2-3 encrypted files to our chat and we will upload decrypted copies back.
So what is it you want from us if you don't care to help reverse what you have done?
We're looking through your files to calculate a fair demand to you. I will let you know the sum shortly. We offer:
1) full decryption assistance;
2) evidence of data removal;
3) security report on vulnerabilities we found;
4) guarantees not to publish or sell your data;
5) guarantees not to attack you in the future.
Let me know whether you're interested in a whole deal or in parts. This will affect the final price.
We need everything back to normal
We are a non-profit. We don't have much money.
We won't ask much money. We will ask what you can afford.
So, we've gone through your files to define your financial abilities. We've been looking through your bank statements, net income, cyber liability limits, financial audits - all the info that might help us calculate our demand to you. We're willing to set a $250,000 price for ALL the services we offer.
Don't let the financials confuse you. We are a non-profit, meaning all of our funds coming in is not income. It is spent on the free services we provide to more than [redacted],000 women every year. Food, housing, counseling, and many other services to help these women survive. We do all of this for free and all of the money we use for this is donated to us. If we give you that kind of money then it means there are many people that we can’t help. That means people that can’t eat or have a place to sleep. Please consider being more reasonable and think about if one of these women was someone you care about. Someone you love. You have to have some sense of humanity inside you to do the proper thing here.
We are not really confused by your financials. If you care of people and are responsible for them you should protect them. If you take a look at the list we gave you, you would see what kind of information we obtained about the people your are in charge of. How did it happen? They were not protected enough and their documents were stolen. Imagine that docs was someone's you really care about. But as you have a cyber insurance, you can prevent the leak. So do this. Let me know if you are interested in proofs or a test decryption so we can speed everything up. If you act quick, we can give you a 20% discount.
Please show these 3 files
Do you want to check our decryption tool?
yes we want to check, but need to access the files. We don't have them yet
When can we expect the files approximately?
[redacted].vbm.akira // 797 KB
[redacted].vbm.akira // 515 KB
[redacted].vbm.akira // 844 KB
Please show us you can unlock these
We will upload them decrypted soon.
You can review the files.
We are going to have to find where we can raise the funds to pay for this. As a homeless shelter all of our money is donations and we don't have this much money so we are going to see what we can come up with. We can get back to you on Monday so that we can hopefully make a deal.
We just checked these files and there are no changes. They are still encrypted.
We will review and get back to you.
We will wait until Monday for your offer. Have a good weekends.
As mentioned, it is very difficult for us to have much money. What we are able to offer you at this time is only $50,000. Please understand that as a homeless shelter this is 200 times more money than we started off with as an organization. We rely on this money to serve the homeless community and we still hope and pray you will take pity on us, and offer to get us back for free. If you can find the good will within yourselves that is.
We can't accept this modest amount for sure. You had to to start with 6 figure sums at least.
What are we supposed to do if we don't have that kind of money? We are a charity! Why can't you help us out? We're trying to give you something here. We're doing what we can.
Is there something you can do for us so we can pay you an amount that you can accept? This is our operational funds we have to use. That means degredation of our services to the people we are helping.
We're well aware of you're a charity. We also know that you have enough funds to cover our initial demand. Anyway, the leadership has approved $190,000 amount. The best option for you to get back on track and continue to help people.
I thank you for working with us. This is greatly appreciated. However, I don't know how to make you understand WE DON'T actually have the funds to cover the initial amount, and to be frank even this amount. This would break us and we would have to shut down. We wouldn't be able to help anyone then. The homeless shelters we have operated for over 50 years would have to shut down. The cold weather is quickly approaching and that would mean thousands of women we wouldn’t be able to house who will face even more challenges than they already have. In that case it wouldn’t make sense to pay you if it means maintaining our survival. I will go back and see what we can do, but we ask you to please do the same. Please visit our website and see our mission and the people who are depending on us. [redacted]. Let’s work together on a solution where we all get what we want. I’ll get back to you after I see what we can do more.
Because of all the expenses from this incident and what we have to pay to recover we don't have the operational funds on our own to cover everything plus pay you. Luckily I have found someone gracious enough to donate some money to us. The additiional amount we can secure will bring us up to $75,000. Please tell us you will accept this because otherwise we won't have any options left.
Thank you for the update. We see that you want to resolve the incident with us, so we can come down with the price and accept $170,000. We can wait a bit for a better offer from you. May be there will be another donation that will allow you to finish our deal.
Can I speak with your boss or someone else higher? Because I don't think you understand. If we can't work out a deal then you are going to get nothing. I don't know how we can get more to give you.
I'm having a nervous breakdown here worried sick about our organization. Please answer me. We really need to figure out a solution to this problem. We don't have that kind of money.
My team is pretty aware of the situation. It was confirmed to me that we cannot accept any sum less that 6 numbers from you. We'd like to finish this quick but there are rules.
Well, we've discussed the case internally. Taking into account your financial situation my leadership decided to move towards you and receive $135,000 for closing the case.
I wish we had that much to give you so we can finish this process. Unfortunately we do not have that. After moving some things around on our side and making additional cuts, I can offer you $88,500 and then we can be done. That's the best I'm able to do during this difficult time for us.
I'm hoping this is close enough to 6 figures for you to consider.
We see that we are close to the resolving as never before. So we're ready to accept $100,000 within the next 24 hours. So there is an extra discount from us and you have time to gather the sum. I suppose that is the best finish for both sides at this moment. You can fund this BTC wallet when you are ready [redacted]
I will see what I can do to get there. I'll let you know. Thanks.
Just so I'm clear, all of these things you said you would give are still applicable? "1) full decryption assistance; 2) evidence of data removal; 3) security report on vulnerabilities we found; 4) guarantees not to publish or sell your data; 5) guarantees not to attack you in the future."
Okay thanks. I'll be in touch.
Okay, we have figured out the funding and can pay you $100,000. We will work on getting this to you today. I will let you know more on timing as it gets closer.
We are ready. The address [redacted] is correct?
Yes, the address [redacted]
Thanks. Stand by for payment
please confirm you received it
We confirm the receipt. Please wait.
How long do you think it will take?
decryptors.zip // 3.04 MB
unlocker.exe -p="path_to_unlock"
unlocker.exe -s="C:\paths.txt"
where "paths.txt" is a list of paths for the decryptor, each path on a new line
same arguments work with the esxi decryptor
Thank you. Please provide proof of data removal and the security report on vulnerabilities you found
Please wait for the rest items within 24 hours.
Deletion [redacted].txt // 2.05 MB
Initial access to your network was purchased on the dark web. Then kerberoasting was carried out and we got passwords hashes. Then we just bruted these and got domain admin password. Spending weeks inside of your network we've managed to detect some fails we highly recommend to eliminate: 1. None of your employees should open suspicious emails, suspicious links or download any files, much less run them on their computer.
2. Use strong passwords, change them as often as possible (1-2 times per month at least). Passwords should not match or be repeated on different resources.
3. Install 2FA wherever possible.
4. Use the latest versions of operating systems, as they are less vulnerable to attacks.
5. Update all software versions.
6. Use antivirus solutions and traffic monitoring tools.
7. Create a jump host for your VPN. Use unique credentials on it that differ from domain one.
8. Use backup software with cloud storage which supports a token key.
9. Instruct your employees as often as possible about online safety precautions. The most vulnerable point is the human factor and the irresponsibility of your employees, system administrators, etc. We wish you safety, calmness and lots of benefits in the future. Thank you for working with us and your careful attitude to your security.
This information is provided by Valéry Marchive & Julien Mousqueton