Ransomware negotiation(s) with  blackbasta



Avatar

Hello, As per the file tree structure you have provided us, we would like the 3-files listed below to be decrypted (in their original format) and provided back to us as confirmation. Below are the 3 files that we require in a decrypted format as confirmation. 1. Summons_Complaint_From_[redacted].pdf 2. 3450_Disbursement_Invoice_[redacted].csv.done 3. 15-01-12 MED MAL CASES FROM [redacted].docx

20:15

Download file: [redacted].zip

21:08
Avatar
Avatar

We are a small business, we have been hit hard due to the economic downturn, and the pandemic. We can only afford to pay you $77,500 USD; this is all we have at the moment. We just don’t have that kind of money you are asking from us. We would like to settle soon, let's come to an agreement.

01:14

This is too small and not at all interesting to me. If we move so slowly, we will come to the publication of your data and the destruction of your small business. Make me a worthy offer.

03:41
Avatar
Avatar

As mentioned, we only have $77,500 USD. We are actively working with our banker to secure a loan to pay you. After speaking to senior management and our banker, we can secure an additional $47,500 USD. We are able to offer you $125,000 USD. How can we make payment? Please provide us with instructions so we can move forward quickly.

17:55

This offer is better. We also can step towards you and lower the price by 100,000. Now your price is 500,000.

17:57
Avatar

We are always ready to give some discount to an adequate people.

18:06
Avatar
Avatar

We are moving as quickly as we can and you mentioned a 20% discount earlier which is $480,000 USD. After speaking with our banker and senior management, we can pay $125,000. We are moving as fast as possible but we cannot afford to pay you the $480,000 USD that you are asking for. We can offer you $125,000 in exchange for the decryption key, proof of deletion and a security report, and we can work on a payment if you provide us with instructions.

22:28

I will repeat once again that this amount does not suit us and 20% discount we give you if you pay ASAP. You took a step and we made the discount $100k, this is significant. Now we are waiting for the best offer from you to satisfy the both sides and close the deal.

05:55
Avatar
Avatar

We have spoken with senior management and our banker and can secure a total of $175,000 USD in exchange for the decryption key, proof of deletion and a security report. As I mentioned before, we are a small business and have been hit hard by the economic downturn and the pandemic, but were able to secure loans for this amount. Today is a holiday but we are able to pay these funds quickly. We can start working on payment if you provide us with instructions.

17:16

This offer is better. However, as I said before - this is a thoroughly calculated price that includes a full list of services we mentioned before, security audit and a decryptor. We have examined your data and documentation and have no reasons to set the price higher than you can pay. If you can pay 175,000 within the holidays, I think you'll easily find 450,000.

17:22
Avatar
Avatar

Yes, we are doing our best to ensure we can settle fast in exchange for our decryption keys, proof of deletion and security report. We were able to secure $175,000 USD to pay you. My boss has agreed to contribute the cash from his personal account $41,250 USD. This will total to $216,250 USD. Let’s make this work for all of us and we can start working on payment. Please send me payment details so we can make payment as this is all new to us.

21:42

Yes, we see your steps forward and go to meet you. But our services and your data are more expensive, like your reputation. Stories of diseases of your customers, mental state, etc. - their most deep secrets. Their disclosure will bring many problems of your company. But we understand your situation and therefore make you an additional discount. Our price is $400к.

22:15
Avatar
Avatar

We are working with our banker and arranging personal contributions from individuals within the business. My boss and his partners have all contributed additional funds from their personal accounts. You need to understand that we are a small business and we do not have that kind of money to pay you. Let’s move forward and settle for $239,125 USD. We will require more time to secure a payment. We will need an extension on the timer. I am waiting for payment instructions, let’s move quickly.

18:25

We give you a last discount. Now your price is 350,000

19:51
Avatar

We won't lower the price further. It is almost 50% discount.

19:51
Avatar

Hi, any news? Timer is going, so please don't lose the time!

17:34
Avatar
Avatar

A 50% discount, approximately $300,000 USD is very helpful. My boss and his partners are able to contribute funds to the above offer and settle for $285,125 USD. This is the maximum loan; we are able to secure the bank and funds from our personal account. Also note that we are entering into a weekend, banks are closed. We will require more time to secure this amount and transfer funds to you. We will need an extension on the timer. If you agree to settle for $285,125 USD, please also confirm that you will provide us with a decryptor to unlock all systems and you will delete all files of your servers and provide a receipt of deletion? I am waiting for payment instructions, let’s move quickly.

19:13

We agree on 300,000 USD. 50% discount. We know that banks are closed on the weekend, so prolong a timer till Tuesday. BTC Wallet: [redacted] Also we confirm that after the payment you will receive a decryptor to unlock all systems and we will delete all files from our servers and provide a receipt of deletion.

19:28
Avatar
Avatar

My boss and his partners have agreed to pay $300,000 USD. Monday morning, we will be reaching out to our bank to establish our loan and get the funds. Please note these things take time and we are moving as quickly as possible. You have provided us with what seems to be a Bitcoin Wallet Address, is this correct? We are not familiar with how Bitcoin works and how to acquire bitcoins for the amount you are asking. Are you able to provide any instruction on what is the best way for us to purchase bitcoins? We are doing some research on which exchanges to use, do you have any recommendations?

00:09

Yes, we have provided the wallet address above. You can buy bitcoin on any crypto exchange, binance (https://www.binance.com) or coinbase (https://www.coinbase.com), or contact a broker in your country.

03:37
Avatar
Avatar

Not sure if you got my last message.

04:41
Avatar

My boss and his partners have agreed to pay $300,000 USD. Monday morning, we will be reaching out to our bank to establish our loan and get the funds. Please note these things take time and we are moving as quickly as possible. You have provided us with what seems to be a Bitcoin Wallet Address, is this correct? We are not familiar with how Bitcoin works and how to acquire bitcoins for the amount you are asking. Are you able to provide any instruction on what is the best way for us to purchase bitcoins? We are doing some research on which exchanges to use, do you have any recommendations?

04:41
Avatar

We are looking into binance.com and coinbase.

04:42

You are right. Please use google to check exchanges available in your location. It is a bitcoin address. Inform us when the payment will be sent.

05:49
Avatar

Hi, any success?

12:29
Avatar

We confirm the test payment 0.00005000 BTC

17:15
Avatar

Test amount received

17:23
Avatar
Avatar

Hi, I wanted to confirm if you have received test payment. https://www.blockchain.com/btc/tx/[redacted]

23:14
Avatar

0.00005000 BTC (This seems correct) ?

23:14

Yes

03:13
Avatar

Sir, 1,5 hours left. What about the main part of the payment?

21:25
Avatar
Avatar

We are preparing to transfer the payment to your wallet. Please give us more time.

21:49
Avatar

We are new to this so please be patience with us.

21:49
Avatar

Also, after receiving payment how fast would you make the decryptors for download? Also we will need a receipt of complete data deletion.

21:51

You will receive the decryptor and manual within an hour after the payment. You will receive the log of removing your data later, as it will take some time. Also we will extend the timer for you for 24 hours.

21:58
Avatar
Avatar

Payment has been made in full. Please confirm receipt?

23:01
Avatar

https://www.blockchain.com/btc/tx/[redacted]

23:01
Avatar

https://www.blockchain.com/btc/tx/[redacted]

23:01

We confirm the payment!

03:14
Avatar

Your blog was deleted.

03:14
Avatar

Now your data is wiping. The decrypt tool you will get very soon.

03:15
Avatar

Download file: [redacted].linux

06:28
Avatar

Download file: [redacted].ex

06:28
Avatar

How to decrypt linux? 1. Drop executable via ftp/sftp/wget to any folder. 2. Add rights to the new file: chmod +x ./decrypt_executable 3. Just run it: nohup ./decrypt_executable log.txt & 4. Wait until you see smth like "Done" in file "log.txt". How to decrypt windows? 1. Drop executable to any folder. 2. Start new terminal session with administrator rights. (run cmd.exe or powershell.exe with admin rights) 3.1. In cmd.exe type full path to the executable file and press Enter. 3.2. In powershell.exe type: "& c:\full\path\to\executable.exe" without quotes and press Enter. OR 1. Drop file. 2. Click right mouse button on the file and press run as admin. (!) IMPORTANT!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 1. DO NOT CLOSE decryptor yourself, DO NOT INTERRUPT! 2. Yoy can decrypt only 1 folder (test decrypt for example) decrypt.exe -forcepath c:\users\1\Desktop\folder

06:29
Avatar

Download file: [redacted].zip

06:49
Avatar

This is log of deletion all your taken data. Now we have nothing.

06:50
Avatar

Security report and recommendation: Your network has been compromised by mailing of messages to the emails with malicious attachments. One of the users launched malware. To avoid this in the future, give you recommendations of network protection: 1. Use sandbox to analyze the contents of letters and their attachments. 2. Use the password security policies 3. Make protection from attack like a Pass-the-Hash and Pass-the-ticket attack 4. Update all OS and software to the latest versions, especially Microsoft Defender Antivirus. 5. Implement the hardware firewalls with filtering policies, modern DLP and IDS, SIEM systems. 6. Block kerberoasting attacks 7. Conduct full penetrations tests and audit 8. Use and update Anti-virus/anti-malware and malicious traffic detection software 9. Configure group policies, disable the default administrators accounts, create new accounts. 10. Backups. You must have offline backups, does not have access to the network.

06:50
Avatar
Avatar

Thank you. I will follow the instructions and get back to you if we have any questions.

15:55

Sure, we are in touch!

15:55
Avatar

This information is provided by Valéry Marchive & Julien Mousqueton