Ransomware negotiation(s) with babuk
Hello! Technical support is ready to answer you
Hello, I'm writing on behalf of [redacted]. Is this the right place to ask for information?
Hello!
That's right. To start a dialogue, I ask you to answer 2 questions: 1) Are you a recovery company? 2) Do you have insurance against ransomware programs?
1) I'm not part of a recovery company. We are an IT company working with them in other fields. We just decided to give them a hand in handling contacts with you, since they do not have the required technical knowledge. 2) I have no information regarding that matter unfortunately, I do not know if they have insurance or not (though I'd bet they don't)
Before we move on to discussing the price, upload 4-5 encrypted files of no more than 10MB using any file exchanger, we will decrypt these files as a test
Ok, I'll come back as soon as I have them, just need a moment to collect them. Is something like a link shared via Google Drive OK for you?
Ok, write to me as you are ready to provide files
Also send us the ecdh_pub_k.bin file from those computers from which you will download files, this ecdh_pub_k.bin will be placed in %appdata%
Ok, I'll be back in some minutes to tell you how much time we'll have to wait (I can't recover the data myself unfortunately)
Independent attempts without our help to decrypt files may lead to their loss, I would not advise you to do this
Don't worry, we know how this type of issue works, we prevented them from attempting anything rash
Ok, I should be able to recover 4-5 files and the related public key in a couple of hours. I'll text you back then. For now, thanks for the information
You can find a simple archive with three files and your public key at the following link: https://file.io/[redacted]
The content is a password-protected 7z archive. The password is "[redacted]" (without quotes)
Be careful because I fear the link will expire after one download
I downloaded your files, please wait
link will be available for 1st download https://dropmefiles.com/[redacted]
Downloaded, received and correctly visualized the plaintext, thanks for the proof of work
Can I move on to ask you about your demands?
Ok, now we can continue the dialogue
We know that [redacted] is a large company with an annual turnover of $ [more than two dozens] million a year, a price of $ 400,000 for a complete expansion of all systems
I'll refrain from reacting to it: I'll just tell you that such an amount is simply impossible to move for an Italian company. There is no way a company would be able to purchase that amount of coins (bitcoins or whatever else) in a whole year. It *might* be doable if they were like 20, 30 thousands, but more than that seems totally impossible to me.
Anyway, I'll relay your demands to the company, I'll forward your feedback to you as soon as they answer me
Thanks for your cooperation, for now
"I'll forward THEIR feedback to you" (typo)
BTW, I'll probably be back in some hours, since it's late evening in Italy and I don't think they'll answer me now. I'll be back as soon as possible
We can make a discount, but it must be reasonable, we will wait for comments from the company and we are waiting for you in this chat
Ok, we are in touch and ready for a dialogue, and ask them about insurance
Hi, we talked with the company. For them the damage is 1 month of work of 4 people and is worth 40k because they have an offline backup. For you, can it be ok?
We understand perfectly well that if you had backups, you wouldn't have a dialogue with us. We can accept 100 000 usd from you, it will be a big discount. If you agree then we will move on to the deal, if you need time to think it over, this is your time. In any case you need the decryptor, not me
They have 55k usd ready to close the deal and by Wednesday you'll have the money in your wallet. Can you agree with it?
We understand that the company can afford to pay 100 000, we went to you for the purchase and made a big discount
Ok, also if they have insurance, this will not incur financial losses for them at all, the insurance will pay everything
They don't have an insurance
Well then, I advise you to buy it in the future.
In Italy with the Italian law it's hard to cash out this amount. With difficulties we can arrive to 65k.
We had clients from italy who could easily pay 350,000, let's stop at 85k, it will be optimal for you and us!
I'm talking with them. Please 5 minutes
BTW, just genuinely asking: how did they pay you such an amount? I can't imagine a way to move 350k from Italy in a few days, it's just really difficult unless it happens via bank wire
They worked with the bank, we cannot tell you the company, for the reason: they paid, we keep secret information about our clients who made the transaction
Sure, as I said I was just asking out of curiosity. Anyway, we convinced them to make an effort for 85k usd, since it's in the interest of their business.
Okay, do you need instructions on how to buy bitcoin? Or will you do everything yourself?
I'll speak with them to understand how they want to buy it
Can you give us your instructions to pay you?
There are bitcoin ATMs in Italy, you can use them or buy bitcoins on the exchange https://www.finder.com/it/how-to-buy-bitcoins, or find a private bitcoin broker in Italy (this is the safest option). As soon as you are ready to transfer I will give you a wallet
Ok, do you know if I can do it with an ATM, and where I can find one and use it to give the money?
https://coinatmradar.com/country/105/bitcoin-atm-italy/
1) Is it ok for you if they proceed via coin ATM? Do you know if they can directly transfer funds to your wallet via the ATM, or do they need to purchase coins and then separately transfer them?
2) Once the decryption process begins, they obviously need some form of warranty that everything is working. As for what we could see, your software encrypted files, destroyed filesystem shadow copies and compromised backups. What kind of technical warranty can you provide that everything will work smoothly even for big files (full VM disks) and LAN backup?
and 3) Given that we have an agreement, could you delete the post you published [redacted]? This would prevent the company from having to move on with legal procedures, which they are legally compelled to follow if they have notice of a data breach. If you delete that post, there will no longer be any evidence, and they will be able to avoid this.
1) For ATM, you'd better top up your wallet and then send to us 2) File size doesn't matter, we made all required tests before encrypting your network 3) Post will be removed today
The decryptor works the same as the encryptor only in the other direction
ok thanks, we'll start with the work
During the day, the moderator of [redacted] will delete the topic, I wrote him a private message and also wrote in the topic, you can check it
thank you, we will get back to you soon
Threads [redacted] deleted, please check
Checked, thanks! We are buying the btc. I'll ping you asap
Hello, when you have the required amount of bitcoins, write here
Okay, what date should I expect to be paid?
Any dialogues with us only in this chat, any other email and etc contacts are invalid
Hello, how is your progress?
We will have a call at 2 pm to understand the progress
Can we decrypt file by file too?
Unlocker decrypts the full network
FYI we did a Revolut account and tomorrow we will have the btc
so in the afternoon we can do it
Well, as soon as you are ready to transfer money, write to us, we will give you a new link to the chat, where we will conduct the transaction, it will be better for your safety and anonymity
Sorry, do you have a Revolut account? Because who bought the btc didn't know that you can not move it to an external wallet (out of the Revolut platform)
No, but I do not think that you will have any problems with the transfer, you should be able to transfer to any bitcoin wallet
I'm checking now, because maybe with Revolut you can send only to a Revolut account
You will need to somehow solve this problem, and be able to transfer to any bitcoin wallet
admin: https://www.reddit.com/r/BitcoinUK/comments/7gv9ia/revolut_will_not_allow_you_to_send_purchased/
yes we saw, we are finding a solution
please send us another link by mail
Please give your email address in the company's domain @[redacted].com, there we will send a new link to the chat, you will need to restart your browser and follow the link
so we can verify that you are indeed on behalf of [redacted] and the correspondence is confidential
This information is provided by Valéry Marchive & Julien Mousqueton