Ransomware negotiation(s) with
conti
I need to recover my files
5/12/2021, 10:13:16 PM
hello?
5/13/2021, 12:03:30 AM
hello
5/13/2021, 4:01:33 AM
Hello, please identify your company
5/13/2021, 10:43:08 AM
Well? Are you ready to negotiate or we should start notifying your staff and partners?
5/17/2021, 10:25:21 AM
What do you guys want?
5/17/2021, 10:22:55 PM
As you already know - your network and all of your data were encrypted by CONTI team. Besides the encryption process we've downloaded a large pack of your internal documents and files (more than 500gb) that will be published in case our negotiations fail. How it happens can be seen on our website https://continews.icu
The recovery price is $950000 (21 BTC). If you want to make sure we can recover all of your data - you can send us the two files of your choice and we will decrypt them free of charge.
If we reach mutual agreement your will be provided with decryption tool, none of your internal data will be published and you will be provided with security tips on how to avoid further breaches.
We strongly recommend to review our offer in a timely manner.
5/18/2021, 6:11:12 AM
[redacted]_30_percent_listing.rar [ 1MB ]
5/18/2021, 3:04:16 PM
What is this file? WHy is this costing 21 coins? We don't have this!!
5/20/2021, 12:23:08 AM
This file contains the 30% list of all the data we took from your network. It totally costs what we ask.
5/20/2021, 8:48:46 AM
You said earlier that you are ready to negotiate. What range will you actually negotiate to?
5/20/2021, 2:32:57 PM
We are ready to provide a 25% discount if the payment will be made by Monday.
5/20/2021, 3:47:16 PM
We don't have that type of money. Do you know what we do? Do you know how small our margins are?
5/20/2021, 6:35:14 PM
What is your offer?
5/20/2021, 10:29:18 PM
We really need to think this through. We can't sustain such a large payment. Can we let you know early next week?
5/21/2021, 3:21:03 PM
Yes, we will be waiting for your offer by Monday evening.
5/21/2021, 5:27:22 PM
Okay
5/21/2021, 10:07:57 PM
Well?
5/24/2021, 10:04:55 PM
Soon. Still ironing out a few things.
5/24/2021, 10:30:19 PM
Thanks for waiting. Given our margins and our type of business, it was difficult to come up with a large amount, but we're ready to offer you $125,000
5/25/2021, 12:20:14 AM
That is surely way lower our usual demands, but taking in consideration your type of business we are ready to go down to $580k
5/25/2021, 9:06:39 AM
We're not viewing this as a negotiation. The decrease helps but all we have is $125,000. We collect debt on behalf of other companies and this is a low margin industry. This seems like a dead end at this rate.
5/25/2021, 3:51:30 PM
Well, we are going to ruin your business if you are not ready to meet about $500k. That's the lowest our group gets. We will be waiting a reply within 24 hours. If we will not receive it - we will show you what we can do.
5/25/2021, 10:24:24 PM
We've spoken to several brokers who work with you and know you have gone below $500k before, so please reconsider my proposal. I've offered you a substantial amount of money for my industry and want to reach a compromise with you. Please let me know if you have a better rate for me
5/26/2021, 1:56:09 AM
Yes, we had such cases in a private manner, we've discussed internally and the last offer we can make is to meet inbetween at the point of 352.5k let me know if you accept. Otherwise we shall start actions.
5/26/2021, 6:59:00 AM
This is still way off our mark. What could you possibly have that is worth so much?
5/26/2021, 12:43:22 PM
Can we see some more files?
5/26/2021, 12:43:26 PM
We see you're trying to work with us which we appreciate. It just feels a little hopeless right now.
5/26/2021, 12:43:54 PM
That's as low as we can get. And it's not only about the files that we've shown. I will upload the full listing soon, but if we won't be able to reach the agreement by tomorrow - we shall start notifying your employees and partners about the breach and on how you value their data.
5/26/2021, 2:47:28 PM
Getting the full listing will help us. Can we atleast get until the end of the week to review the listing?
5/26/2021, 4:05:17 PM
[redacted]-full-listing.rar [ 3MB ]
5/26/2021, 4:38:39 PM
This contains everything that you extracted from us?
5/26/2021, 9:40:31 PM
Yes, correct.
5/27/2021, 9:14:21 AM
We should have our review done by tomorrow. Thank you.
5/27/2021, 9:40:23 PM
We are waiting for details from your side today.
5/28/2021, 4:04:29 PM
We've spoken about this. The file listing hasn't changed much because we had an idea of what was taken anyway. Money is still the biggest issue as we don't have the resources for excess payments. You're bringing us to the edge but we've gathered some more cash. $170,000 is our max.
5/28/2021, 4:54:36 PM
We are ready to accept. The wallet for the payment is : [redacted]
5/28/2021, 5:03:32 PM
We need time to move money and Monday is a bank holiday. Can we pay next week?
5/28/2021, 8:23:38 PM
And what will you provide to us after we pay $170,000?
5/28/2021, 8:23:57 PM
You will be provided with the decryption tool, data removal logs and security recommendations.
5/28/2021, 8:26:01 PM
This is a long weekend. Can we pay by the end of next week?
5/28/2021, 9:31:20 PM
Let's make it Wednesday? That's more than enough time I suppose.
5/28/2021, 10:18:25 PM
Okay, we just won't be able to move money until Tuesday, so it may be Wednesday or Thursday. I will keep you updated. I appreciate it!
5/29/2021, 2:53:23 AM
Ok, we will be waiting.
5/29/2021, 2:54:07 AM
Thank you
5/29/2021, 3:00:16 AM
We should be able to pay by tomorrow or Thursday. Thanks.
6/1/2021, 9:23:34 PM
Ok, let me know as soon as the transfer is made.
6/1/2021, 10:01:44 PM
We have the $170,000. Please confirm the address again.
6/2/2021, 8:47:04 PM
The btc wallet remains the same : [redacted]
6/2/2021, 9:56:17 PM
You should have it. Please confirm.
6/2/2021, 10:10:35 PM
Received. Will provide all the deliverables the soonest possible.
6/2/2021, 10:11:28 PM
[redacted]_decryptor.exe [ 103kB ]
6/2/2021, 11:05:25 PM
Decryptor:
1) Launch the decryptor under Administrative rights
2) Wait till the decryptor window is closed
3) if any of the files haven't changed the extension back to the original - repeat 1 and 2
6/2/2021, 11:07:27 PM
Okay thank you, please send the other deliverables when you have them
6/3/2021, 3:03:34 AM
Is it ready?
6/3/2021, 10:16:01 PM
You have been breached through the email phishing campaign. The overall security score is 2 out of 5.
Our recommendations will be :
1. Implement better email filtering policies
2. Implement tape-based backup hardware
3. Audit account access policies network wide
4. Rebuild the network using segmentation procedures
5. Implement better password policies
6. Block pass-the-hash and kerberoast attacks
7. Notify all your employees and security policies inside the company (opening email attachments, changing passwords, etc)
8. Buying better AV/EDR software
6/4/2021, 2:03:06 PM
Can you give us specific details on which account was breached? Also, how will you prove that the data has been deleted?
6/4/2021, 8:23:17 PM
Did you see the previous message?
6/8/2021, 12:36:46 PM
We will provide the data deletion log soon. Unfortunately we have no records on what account was the initially infected. Sorry.
6/8/2021, 12:40:02 PM
Please let us know when it is ready
6/9/2021, 3:19:26 PM
Can you give us an update?
6/11/2021, 12:48:36 PM
https://www.sendspace.com/file/[redacted]
https://www.sendspace.com/delete/[redacted]/[redacted]
Archive password: [redacted]
6/17/2021, 6:49:44 PM
Here's the deletion log.
6/17/2021, 6:49:52 PM
This information is provided by Valéry Marchive
