Ransomware negotiation(s) with Avos



As you are an enterprise client of ours, we will provide you with customer support throughout the process. You may use this chat to get in contact with us.

hello! you encrypted our files. I do not have any image files that are encrypted; how can I upload a different file type? can you also tell me what files you take? can I see some samples and a list?

Fri, 03 Sep 2021 00:30:38 GMT

I'll ask all that to the affiliate in question.

Fri, 03 Sep 2021 00:31:11 GMT

Are we still connected?

Fri, 03 Sep 2021 00:32:38 GMT

can you increase our clock as long as we are discussing? The clock will run out on the weekend, and even if we agree, we cannot do anything on the weekend because all banks are closed. This is a long weekend (Labor Day) in both the USA and Canada, so no banks until Tuesday next week. appreciate you working with us to reach agreement.

Fri, 03 Sep 2021 00:33:06 GMT

the site seems to disconnect me

Fri, 03 Sep 2021 00:33:21 GMT

Disconnect you how? Yeah, I'll set your deadline on Friday next week.

Fri, 03 Sep 2021 00:34:25 GMT

I tried to enter another message and it did not work; I had to reload the whole page.

Fri, 03 Sep 2021 00:34:51 GMT

Just give it a couple of seconds, the website can be slow at times.

Fri, 03 Sep 2021 00:36:06 GMT

I can't reach the affiliate responsible for the attack at the moment. I did tell him to provide you with a sample or list of the files exfiltrated. They'll reply here when they're back.

Fri, 03 Sep 2021 00:37:02 GMT

ok friend, I will come back tomorrow, it's very late here too.

Fri, 03 Sep 2021 00:37:52 GMT

please update the time because there is no way we can hit the deadline, thank you.

Fri, 03 Sep 2021 00:38:15 GMT

Sure, good night.

Fri, 03 Sep 2021 00:38:15 GMT

Yeah, don't worry about that, your new deadline's set at Friday next week.

Fri, 03 Sep 2021 00:38:39 GMT

appreciated. I will remain connected but may not reply.

Fri, 03 Sep 2021 00:39:08 GMT

I can't contact the affiliate in question. They seem to be unavailable at the time. I won't be able to provide you with information on the data taken. I, however, can provide you with the decryption keys if you do pay for it.

Fri, 03 Sep 2021 12:45:37 GMT

Hi, I tried to upload an image and I am not seeing success in decryption.

Fri, 03 Sep 2021 15:16:40 GMT

I cannot find an image of less than 1 MB to test decrypt. What to do?

Fri, 03 Sep 2021 15:17:26 GMT

Are the extensions appended to the encrypted files ".avos2"?

Fri, 03 Sep 2021 15:17:40 GMT

yes

Fri, 03 Sep 2021 15:18:03 GMT

actually the file is only 111 KB

Fri, 03 Sep 2021 15:18:14 GMT

is there an email I can send it to?

Fri, 03 Sep 2021 15:18:39 GMT

Avos2 came out recently and we can't provide test decryptions on our website for it at the moment.

Fri, 03 Sep 2021 15:18:49 GMT

ok so what do we do here? You cannot contact the affiliate, you cannot decrypt the files. What are we doing?

Fri, 03 Sep 2021 15:19:32 GMT

You can create an archive with a couple of files and upload them to https://share.riseup.net.

Fri, 03 Sep 2021 15:19:37 GMT

ok please wait

Fri, 03 Sep 2021 15:20:47 GMT

Then I can manually decrypt the files for you. We can decrypt .avos2, however the website can't at the moment.

Fri, 03 Sep 2021 15:20:52 GMT

This is because both the encryption/decryption are first built and tested in Windows, THEN this encryption algorithm is ported to our web services.

Fri, 03 Sep 2021 15:21:57 GMT

https://share.riseup.net./[redacted]

Fri, 03 Sep 2021 15:23:20 GMT

can you confirm it works?

Fri, 03 Sep 2021 15:23:38 GMT

You are supposed to copy the URL in your browser instead of copying the link from the download button.

Fri, 03 Sep 2021 15:24:05 GMT

Hello? The link doesn't work

Fri, 03 Sep 2021 15:37:01 GMT

ok

Sat, 04 Sep 2021 00:36:24 GMT

did you find the affiliate?

Sat, 04 Sep 2021 00:36:39 GMT

https://share.riseup.net./#[redacted]

Sat, 04 Sep 2021 00:37:20 GMT

Your link doesn't work, again.

Sat, 04 Sep 2021 09:53:46 GMT

Please test and verify that it works BEFORE sending it to me.

Sat, 04 Sep 2021 09:54:08 GMT

https://anonfiles.com/

Sat, 04 Sep 2021 09:54:28 GMT

https://gofile.io/d/[redacted]

Sat, 04 Sep 2021 18:01:11 GMT

Please upload it to one of the websites I've told you to. We can't download from Gofile.

Sat, 04 Sep 2021 18:09:27 GMT

https://anonfiles.com/[redacted]/AVOSLOCKER_-_Sep2021_7z

Sun, 05 Sep 2021 16:58:31 GMT

We've downloaded the data. Please allow us some time to process it.

Mon, 06 Sep 2021 14:15:08 GMT

I decrypted the PNG files. https://share.riseup.net/#[redacted]

Mon, 06 Sep 2021 14:30:44 GMT

Hello. We think it's time to finalize your negotiations. Please let us know how you wish to proceed with payment.

Tue, 07 Sep 2021 08:44:55 GMT

I would like to see what files you took

Tue, 07 Sep 2021 13:02:11 GMT

You can see the files in a few days if we have to publish samples on the blog. We will not provide anything else at this stage.

Tue, 07 Sep 2021 13:25:04 GMT

well, if you prefer to simply be aggressive, we would never be able to reach a level of trust. You are asking for a lot of money; we need to assess what data you took. Show me some list or indication that I can take to management. Goodwill will go a long way.

Tue, 07 Sep 2021 13:30:37 GMT

if you publish, we will disconnect and put the money towards protecting any individuals with credit monitoring. I think working together is preferred.

Tue, 07 Sep 2021 13:31:16 GMT

As staff, we can guarantee that whatever data the affiliate has taken will be erased, and the decryption keys will be delivered.

Tue, 07 Sep 2021 13:32:08 GMT

Your new deadline, that we both agreed on, was set on the 10th, Friday. I'll leave the rest to the affiliate.

Tue, 07 Sep 2021 13:33:19 GMT

thank you Staff. But I am just the messenger. My management and board require to understand the extent of the data that was taken, as this may have value that we would want to pay you for if you promise it will be erased. But we would like to get a sense of what data that is; a list would be great.

Tue, 07 Sep 2021 13:35:06 GMT

Those are our terms and we never go against them. You know better than us what data we took. We took it from the servers we encrypted. Anyways, we are away with no access to data storage, so another scenario is not possible. Staff can help to decrypt if you reach an agreement. Data will be erased when we come back.

Tue, 07 Sep 2021 13:36:12 GMT

I can confirm the data in question wasn't downloaded to our storage units but the affiliate's.

Tue, 07 Sep 2021 13:38:10 GMT

It does not give me a good sense of comfort, and I need to convey the status to my management. I cannot understand what data was taken nor where it is located. If the affiliate is the only one with the data and he does not want to prove he has data, how can we possibly establish trust when you attacked us and you refuse to work with me to demonstrate your word is trustworthy? Instead, not only do you attack, but you also just threaten. It is not a good way to establish our relationship.

Tue, 07 Sep 2021 13:42:12 GMT

For now I'd suggest that perhaps your management should appraise the value of the decryption itself.

Tue, 07 Sep 2021 13:44:54 GMT

I understand. I have met with management and we are in a position to offer 50k for the decryption of the files left to decrypt. We also have an issue paying in XMR, as no broker I spoke to is willing to pay XMR; the best we can do is bitcoin and we would need a wallet.

Wed, 08 Sep 2021 02:19:31 GMT

Considering the affiliate wasn't able to provide a sample/list, I think we can settle at 150K in Bitcoin.

Wed, 08 Sep 2021 10:48:51 GMT

Hello Staff, you seem like a reasonable team. We would like to come to terms, but we are a small paint distributor; 150k is more than our available cash. We can increase to 75K in BTC by using some credit cards.

Wed, 08 Sep 2021 12:27:44 GMT

What about 100K?

Wed, 08 Sep 2021 12:28:42 GMT

one sec, let me check something with accounting

Wed, 08 Sep 2021 12:39:33 GMT

I have a credit line I can increase to 85k. Unfortunately I cannot go any higher; I am tapped out on credit card and credit line at 85k.

Wed, 08 Sep 2021 12:52:30 GMT

Alright, that's fair I suppose. Let us know when you have the money in BTC.

Wed, 08 Sep 2021 12:53:21 GMT

I am working through a broker. He said as soon as I transfer the money he can buy and send, but he needs to know the address or wallet to send to.

Wed, 08 Sep 2021 12:55:40 GMT

I'll send that to you in a bit.

Wed, 08 Sep 2021 13:00:37 GMT

[redacted]

Wed, 08 Sep 2021 13:01:40 GMT

Do tell your guy to make a test transfer of $10 and get a confirmation from me before he sends the full 85K.

Wed, 08 Sep 2021 13:02:19 GMT

OK, I will tell the broker that. Good idea.

Wed, 08 Sep 2021 19:53:25 GMT

Hello Staff, we are working with the broker to do the bitcoin payment by end of day today, UK time.

Thu, 09 Sep 2021 03:19:13 GMT

The broker also advised us to confirm all deal terms with you. After we pay, please confirm you will:
(1.) immediately provide working decryptor software for all our systems,
(2.) provide detailed decryption process instructions and tech support if we have problems,
(3.) provide detailed proof of our downloaded data - detailed file tree(s) of all data,
(4.) provide confirmation of deletion of all our data - non-recoverable secure deletion with proof / shred log,
(5.) confirm you will never publish any of our data, or our company name,
(6.) agree to never attack us again,
(7.) explain how you got into our network, and
(8.) provide a security report so we can prevent future problems.
Please confirm everything, all 8 items, thank you.

Thu, 09 Sep 2021 03:23:27 GMT

I can confirm all but the 3rd, as we don't have access to your data. However, I can guarantee an erasure of your data.

Thu, 09 Sep 2021 09:28:55 GMT

Hello Staff, OK, thank you

Thu, 09 Sep 2021 13:22:07 GMT

our broker just sent the test $10, please confirm you received it.

Thu, 09 Sep 2021 13:22:25 GMT

Confirmed. You may continue with the transfer.

Thu, 09 Sep 2021 13:23:41 GMT

The broker said they sent the rest. Can you please confirm and provide the decryptor as soon as possible, thank you.

Thu, 09 Sep 2021 13:36:42 GMT

As soon as it confirms.

Thu, 09 Sep 2021 13:41:32 GMT

what does that mean?

Thu, 09 Sep 2021 13:43:29 GMT

Bitcoin takes some time to receive, basically.

Thu, 09 Sep 2021 13:44:04 GMT

ah, ok, it's a bitcoin thing. Let me know when it's confirmed, thanks.

Thu, 09 Sep 2021 13:45:07 GMT

The payment is confirmed. Thank you for your business. The affiliate should provide the security report.

Thu, 09 Sep 2021 14:54:53 GMT

Defend your credentials from Mimikatz. Limit administrator privileges to the smallest group possible. Even if you have thousands of user accounts, you should probably only have 2-5 administrator accounts. Start with two accounts and force users to justify any additional accounts added to the administrator group. The next thing that you should do is upgrade the schema and functional level of your forest and domain to at least 2012 R2. This domain functional level adds a fairly new group called "Protected Users". Along with other protections, the members of the Protected Users group cannot authenticate by using NTLM, Digest Authentication, or CredSSP. These changes provide powerful protections that make Mimikatz almost worthless. Verify KB2871997 has been installed to apply additional required security. After you install this security update, the default setting for non-protected users on Windows 7 and Windows 8 is to not force clear leaked logon session credentials.

Thu, 09 Sep 2021 15:04:38 GMT

To override this default you can add the following registry dword, TokenLeakDetectDelaySecs, and set it to a recommended value of 30 seconds: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ Stop storing passwords in memory by changing the "UseLogonCredential" registry setting to '0' instead of the default value of "1", and passwords are no longer available to Mimikatz: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest Start monitoring your systems for unauthorized software and malware, which should help identify Mimikatz installation and activity. You'll have to test these changes to see what breaks, but the idea is to implement some fairly basic changes to protect your network. In your specific case the critical vulnerability was contained in Forti VPN; please update FortiVpn and monitor for updates and Windows updates. Inform your IT staff to remove the possibility of storing user passwords within the network.

Thu, 09 Sep 2021 15:05:24 GMT

Also we recommend you to use SentinelAV and the Datto backup system. Also Veeam Tapes is good, but the PC with Veeam should be in a WORKGROUP and the user should be different from the main domain. Every PC should have AV. Don't leave any PC without AV. Also try to configure 2FA (on all network PCs) when you connect to remote desktop. Use a password on AV. Also a tip for you: if you want to change Fortigate VPN to another, we don't recommend you to use Sonic VPN, Pulse Secure, because it's under massive hack.

Thu, 09 Sep 2021 15:05:52 GMT

And finally, update your Exchange Server, since it was the main entry point.

Thu, 09 Sep 2021 15:06:17 GMT

As for data, we instructed an erasure and it was confirmed all your data is erased. So you are safe. Thank you for your business.

Thu, 09 Sep 2021 15:06:45 GMT

OK, thank you for all of these items and confirming deletion. I gave the decryptor package to our IT and I will reach out if we have any technical issues. Thank you.

Thu, 09 Sep 2021 15:54:18 GMT

It'd be better for your IT to reach out directly, if possible, if anything's to occur.

Thu, 09 Sep 2021 17:56:32 GMT

This information is provided by Valéry Marchive