Ransomware negotiation(s) with
akira
Hello, our servers have been locked down and we would kindly ask that you unlock us. We're a small family business and rely on our computers. Thank you.
Hello. You've reached an Akira support chat. Currently, we are preparing the list of data we took from your network. For now you have to know that dealing with us is the best possible way to settle this quick and cheap. Keep in touch and be patient with us. We will reach out to you soon.
Do you have a permission to conduct a negotiation on behalf of your organization? Once we get a response you will be provided with all the details.
Can you tell us what do you expect for unlocking us? We need our servers back. Thank you.
[redacted]_lisling.txt // 2.22 MB
These files were taken from your network prior to encryption. You can pick 2-3 random files from the list and we will upload them to this chat as a proof of possession. To prove that we can properly decrypt your data you can upload 2-3 encrypted files to our chat and we will upload decrypted copies back.
We're looking through your financial papers to come up with a reasonable demand to you. We offer: 1) full decryption assistance;
2) evidence of data removal;
3) security report on vulnerabilities we found;
4) guarantees not to publish or sell your data;
5) guarantees not to attack you in the future.
Let me know whether you're interested in a whole deal or in parts. This will affect the final price.
We're interested to see the pricing 1,2,3,4,5 to understand.
The full package will cost you $180,000 where the full decryption assistance is $100,000, the evidence of data removal is $70,000 and the report is $10,000. All the guarantees are coming as a default.
We beg for lower price. This is huge amount for our company. Can we please get price of several 10k? This is really huge. I beg you on behalf of myself, my family and our employees.
Are you interested in the full package, right? If you're able to arrange payment within next 2-3 days, we will consider a discount but it won't be more than 20%.
We could pay in 2-3 days 40.000 USD for decryption and I would ask that you do not attack us again and remove data.
$140,000 and you will receive all of our services.
I ask you to support us. We are people as you are.
This is how much we can give now for decryption, that we can recover data and then we negotiate further.
I understand the situation you're in. I don't make decisions here, I'm just a mediator. So, please manage to gather more funds and my bosses will be able to help. We have our internal policy and we can't accept such small amounts. Thank you for understanding.
Raise your amount up to 6 figures and we will shake hands.
I would kindly ask for your answer on our last request.
$120,000 and we will shake hands.
We can pay 70k maximum. Please, we are a small business, which has to fight everyday for every penny. For us this is shock. Please spare us. Let's find agreement in this reasonable amount.
We highly appreciate your willingness to work with us and see how you value your business but we cannot accept this amount. We've had a meeting as result of which the upper management has decided to take another step towards you and come down to $105,000. Let's just split that difference between you and us and get this over. Once you confirm the sum I will drop off our wallet and we will start preparing all the deliverables.
Hello, we accept 105.000 USD. How do we know we will recieve full package and trust thigs will be settled and we will not be attacked again? Will we recieve full package? How do we pay?
That's good. After we receive the transfer we will provide you with the decryption tool and the rest including our guarantees not to attack you again. You will be provided with our BTC wallet id soon.
Here is the BTC wallet [redacted] Let me know when can we expect the transfer.
I assume this is Bitcoin payment. We don't have Bitcoint account in our company and I am also not using it personally. I have started the procedure of opening account personnally becuase it is much faster than opening for company. I still need to transfer the money from company to my personal account, then to Bitstamp, then to yoiur wallet. I am now waiting from the bank if they can send me money on my personal account as our payment system is encrypted. Then I hope that Bitstamp will proceed fast and that we settle all this today. How long it will last that we get all above after you recieve payment? Thank you.
We would like to be sure that decryption is working. Please can you send us files /home/[redacted].pdf /home/[redacted].pdf /home/[redacted].pdf
Also we would like to be sure that decryption key is working. You encrypted our virtual environment so we dont have access to files only vmdk files. Can we upload vmdk file?
You will receive all the decryptors immediately after payment. Please upload vmdk file. We will provide you with requested files soon as well.
Hello, I am waiting for the money to land on Bitstamp, then I will first transfer 0.01 BTC for you to confirm me that you have recieved. Then the rest (and after test on above files)..
[redacted].vmx.akira // 4.6 KB
[redacted].log.akira // 1.86 MB
vmdk is not possible to upload it's 16 GB
We will decrypt the uploaded file. Please wait.
Hello, when can we expect decrypted files?
We have now transferred our funds to Bitstamp, however they have blocked us due to new account and unusualy high amount and the case is opened there, that we will be able to make payment.
[redacted] - Bitstamp.pdf // 44.3 KB
Hello, we would really ask for soonest resolvment. Please.
Hello. Please be patient with us. We will provide everything shortly.
[redacted].log // 1.86 MB
[redacted].vmx // 4.09 KB
I have opened personal account on Bitstamp and put on the account 105.000 USD. I am now in compliance procedure on Bitstamp due to high transaction amount and we are pushing on them to release the security limits, that we can transfer funds. We will inform you immediatelly.
How's your progress with payment?
I have opened personal account on Bitstamp and put on the account 105.000 USD. I am now in compliance procedure on Bitstamp due to high transaction amount and we are pushing on them to release the compliance limits, that we can transfer funds. We will inform you immediatelly.
[redacted] - Bitstamp.pdf // 44.3 KB
in pdf printscreen from Bitstamp. I hope they solve this asap, that we send payment.
Thank you. Keep us updated please.
I have just got information from some people in slovenian Bitstamp that we can expect answer from compliance department tomorrow.
Good morning. I still wait for Bitstamp to open my account for buy BTC and transfer it ...
Hello, I am unfortunatelly still waiting for Bitstamp to release my trading despite many urgencies. Printscreen in attachement.
Status at Bitstamp.jpg // 85.6 KB
You need to assure them that you use your funds in investment purposes.
Hello, we didn't recieve any response from Bitstamp yet and as I understand my Bitstamp account is under red flag as I put in so big amount of money. We are desparate and our business has started to seriously suffer and orders are being canceled as we can't operate :(. Can you please decrypt us? We will pay anyhow. Can you help us how to pay?
We can't provide anything before payment. I will learn how we can help.
What has Bitstamp support responded?
Could you please give us more details?
They have responded only that they are processing and phone support is saying that it is in compliance department and has been escalated to higher level. We have contacted some people from Bitstamp here in Slovenia to help us accelerate the process there. Hope to get answer asap. I have today opened account also on other exchange and I will try to proceed also there (Swissborg) if Bitstamp doesn't work. Can you help me what are other options?
Status Bitstamp [redacted].jpg // 101 KB
To gain bitcoins you need to go to any exchange platform as binance or coinbase. Here are the guides: https://www.coinbase.com/how-to-buy/bitcoin
https://www.binance.com/en/how-to-buy/bitcoin You also can buy bitcoin from any local brokers. If you withdraw funds from your bank account, then you have to inform the bank that you need this money for investment purposes only. Additionally, maybe this title will help: https://www.csoonline.com/article/570047/how-to-buy-bitcoin-for-ransomware-payment-if-you-must.html
Thanks for that info. We have done exactly that with second account on [redacted]. For investment purposes only. I will read your link and I sincerely hope that tomorrow this will be settled.
Good morning. Just update. Payment went this morning from my bank to Swissborg. I will keep you informed during day on progress.
Hello. I am providing latest update. Today at 8:45 AM I have paid money to [redacted] bank account in Malta and now I am still waiting that their system processes the payment and that this payment will be shown in my [redacted] app on the phone. They say that it takes 1 to 3 days. Since I have paid by SEPA payment I assume that the money should be visible in the app if not today, latest on Monday. I have checked in advance compliance procedure on [redacted] and I have all documents for compliance ready, so I don't expect any problems with compliance and I will then buy Bitcoins and transfer them to your wallet. Thank you for patience.
If you need some information for proof of above happening let me know. Bitstamp has stolen us two days.
Thank you for update. We're standing by.
Good morning. I am waiting that money comes on crypto account...
Morning. We're waiting too.
Hello. I am desparate to write, I still haven't succedeed to transfer money from my bank account to my [redacted] account. I have sent money on Friday at 8:45 trough [redacted] bank in Slovenia and they sent me confirmation on Friday. Today they have called me that their [redacted] mother bank couldn't send the money to [redacted] account on Malta. I went today at 15:30 in person to [redacted] bank here in Slovenia and they told have made SEPA payment, so I expect that I will have money on [redacted] account tomorrow. I am totally frustrated, because of this, but I can't help. I believ e that money will arrive to this [redacted] account and that I will buy and forward BTC's tomorrow. We really need unlocking here. People inthe company have become totally depressed and me too. We will solve this payment and then really ask for decryting to be made available urgently that we can start decripting immediatelly. Thank you very much in advance.
You will get the decryptors immediately after payment.
Morning. I see money went from my [redacted] bank this morning. Now I wait for it to pop up in my [redacted] app... Keep you informed.
Hello, I have just tested BTC withdrawal for 0,008 BTC from my [redacted] account how it works. Could you please check if you've recieved. On [redacted] I have otherwise only 11.000 EUR monthly limit, so I will still have to wait for [redacted].
Haven't received anything yet.
It took some time. Now I see on blockchain.com that there is 0.008 BTC in above specified wallet [redacted]. Can you recheck?
Can you please check and confirm that you have recieved 0.008 BTC ?
Thank you. I am doing everything that you will recieve difference to 105.000 USD within next two hours and will keep you updated. I would really kindly ask that we get this decryptors then as soon as possible that we can start decrypting today. Thank you.
Hello, my contact is in GMT+9hrs time, so I wait that he wakes up and transfers. I will be online again around midnight CET time.
Banks are taking too much time.
Hello, just to inform that payment of [redacted] btc has been initiated.
Enclosed you find transaction link
https://blockstream.info/tx/[redacted]
I would now kindly ask that you provide us as discussed full package: 1) full decryption assistance; 2) evidence of data removal; 3) security report on vulnerabilities we found; 4) guarantees not to publish or sell your data; 5) guarantees not to attack you in the future.
We will learn from this...
unlocker.exe -p="path_to_unlock"
unlocker.exe -s="C:\paths.txt"
where "paths.txt" is a list of paths for the decryptor, each path on a new line
same arguments works with esxi decryptor
Hello, thank you for unlocker. Can we please get instructions how to unlock Vmware platform?
There is a different unlocker for each system.
If it's ESXi - you should use the decryptor for linux.
If we're talking about Windows, you should use the .exe unlocker.
unlocker.exe -p="path_to_unlock"
unlocker.exe -s="C:\paths.txt"
where "paths.txt" is a list of paths for the decryptor, each path on a new line
same arguments works with esxi decryptor
Hello, when can we expected of delivary 2) evidence of data removal; 3) security report on vulnerabilities we found;
I will provide in an hour.
[redacted]_dellog.txt // 2.54 MB
Initial access to your network was purchased on the dark web. Then kerberoasting was carried out and we got passwords hashes. Then we just bruted these and got domain admin password. Spending weeks inside of your network we've managed to detect some fails we highly recommend to eliminate:
1. None of your employees should open suspicious emails, suspicious links or download any files, much less run them on their computer.
2. Use strong passwords, change them as often as possible (1-2 times per month at least). Passwords should not match or be repeated on different resources.
3. Install 2FA wherever possible.
4. Use the latest versions of operating systems, as they are less vulnerable to attacks.
5. Update all software versions.
6. Use antivirus solutions and traffic monitoring tools.
7. Create a jump host for your VPN. Use unique credentials on it that differ from domain one.
8. Use backup software with cloud storage which supports a token key.
9. Instruct your employees as often as possible about online safety precautions. The most vulnerable point is the human factor and the irresponsibility of your employees, system administrators, etc.
We guarantee that we will not sell or publish your data, keep this conversation private, and delete this chat later. We won't come back for more money after payment and we won't attack you again.
We wish you safety, calmness and lots of benefits in the future. Thank you for working with us and your careful attitude to your security.
Is it possible to share what means initial access? Which username (I assume also password) was available on dark web?
At least info on username and if password was also available? Thank you.
It was VPN credentials. We get access from different people on the darknet, this information is not in public domain. We recommend that you change your VPN credentials and reconsider your password policy - there is nothing to worry about anymore.
This information is provided by Valéry Marchive
