Ransomware negotiation(s) with
hive
Hello and welcome to Hive.
How may I help you?
13 November 2021 13:53
Hi, decryption key price?
13 November 2021 13:54
how many files are stolen? and can you share some file names?
13 November 2021 13:58
maybe no ones here
13 November 2021 13:59
Hello
13 November 2021 13:59
To decrypt your files you have to pay $20,000,000 in Bitcoin.
13 November 2021 14:00
thats way too much, can you please discount
And please share the hash of the ransomware file so we can at least black list it. You have already stolen everything anyway
13 November 2021 14:01
We don't provide any hashes. Every time the software is unique. There is no need of hashes here. It will not help anyway.
13 November 2021 14:03
If you want a discount I would like to see for how much
13 November 2021 14:04
let me talk to the management
13 November 2021 14:04
share some file names?
13 November 2021 14:05
I'll share with you later when my teammate will be online.
13 November 2021 14:05
ok
when should I log back in?
13 November 2021 14:05
I don't know. Maybe today
13 November 2021 14:06
ok
13 November 2021 14:06
please ask him/her to share the file names so I can have them when I login, its not easy to use TOR here
13 November 2021 14:07
Okay, I'll do my best
13 November 2021 14:07
thanks
13 November 2021 14:08
I have uploaded the list of exfiltrated files.
13 November 2021 16:16
where?
I cant see them
13 November 2021 18:10
is it like 100G?
13 November 2021 18:14
It's at the left panel titled Uploaded files
13 November 2021 19:07
I uploaded a list of files not the files themselves
13 November 2021 19:27
yes got it, thanks
14 November 2021 04:38
you can delete it now
14 November 2021 04:38
Can you please share the hash of the ransomware. SO we can just add it to black list and ask the management for money. They are scared that the payload will come back. If you can't I understand but this will make th eprocess easy
14 November 2021 04:41
We are well-known organization. We honor our agreements. There is no point in the blacklist right now. You need to concentrate on how to collect money.
14 November 2021 04:56
I have another option for you. You will give me your email address (protonmail is preferred) and I'll send you new credentials to login. Then I'll upload the encryptor to VirusTotal and provide you a link to it. All necessary hashes will be available there.
But to prevent others to login to your customer website you have to get new credentials first.
14 November 2021 07:19
Here
[redacted]@protonmail.com
14 November 2021 08:58
just like you wanted ... protonmail
14 November 2021 08:58
please keep your word, I will login again in a bit or check my email
14 November 2021 08:59
BTW, the site you guys made is beautiful. Better support than normal companies :)
14 November 2021 09:38
Thank you
14 November 2021 09:38
did you upload the file?
14 November 2021 09:40
and why did you change my creds ... are you planing to hack me too ? :(((((
14 November 2021 09:40
The encryptor didn't uploaded yet, looking for it rn.
14 November 2021 09:41
What do you mean about creds? From what?
14 November 2021 09:42
you change the credential to login to this site
14 November 2021 09:43
It was necessary because whether I upload the encryptor other researchers will be able to login and read your conversation.
14 November 2021 09:45
It's a potential data leakage so I have prevented it
14 November 2021 09:45
Thanks
14 November 2021 09:46
would you share the link here or email?
14 November 2021 09:50
Here is safe now
14 November 2021 09:50
ok
14 November 2021 09:51
why do you prefer protonmail?
14 November 2021 09:56
is it on tor?
14 November 2021 09:56
https://www.virustotal.com/gui/file/12baa6c83e6f8b059e7f14cb67bdad4e917b90bc8a139b5379a4b42a0c92a6be?nocache=1
14 November 2021 09:57
Thanks. I dont have virus total account but at least I got the hash. Really appreciat eit
14 November 2021 09:58
we have mcafee and symantec and nothing prevented this :(
14 November 2021 10:01
Actually I didn't spend too much time to hide it but I will
14 November 2021 10:02
What a recovery company are you from?
14 November 2021 10:02
not from company, directly the SOC team
14 November 2021 10:03
I got it
14 November 2021 10:04
working with the management to do something
14 November 2021 10:04
they may hire someone in hope of recovery.
14 November 2021 10:05
Unfortunately for them there are only two options:
1) start from a scratch
2) purchase the decryption software from us
14 November 2021 10:06
yes I have provided all the data
14 November 2021 10:07
Recovery companies no matter what they say can't decrypt.
14 November 2021 10:08
I understand but in the demo they show us how they can do the magic and impress the management
14 November 2021 10:08
THey told us that they will recover the keys from the memory and then decrypt files? is that possible?
14 November 2021 10:09
For ESXi servers it's not possible
14 November 2021 10:09
why not? please educate me to I can understand and tell the management not to waste time. We have way too many vendors here
14 November 2021 10:11
The encryptor software rewrites the key from memory.
14 November 2021 10:12
what? :( ... liek in simple words please?
14 November 2021 10:13
Array of bytes in memory where the key resides in rewrites to prevent such operation
14 November 2021 10:13
Thats awesome. Is this for all servers or only esxi?
14 November 2021 17:39
For all of course
14 November 2021 17:50
so if we end-up hiring a company that charges us $400 an hour, its pretty much useless?
14 November 2021 17:53
BTW, the array of memory that you mentioned, these are the public keys or the private keys?
14 November 2021 17:54
Encryptor even don't know anything about private keys. It only has public keys. Public keys need to encrypt random field which uses in encryption process.
14 November 2021 17:57
In my opinion spending money to external IT companies will only waste your valuable time.
14 November 2021 17:59
Thanks, appreciate it. Its clear to me now
14 November 2021 18:00
Hey, how much data have you stolen 100Gig?
16 November 2021 06:24
And the price you provided $20,000,000 is way too much
16 November 2021 06:25
This is 20 million $?????
16 November 2021 06:25
Yes, your company has $2B revenue. We usually rate 1% of revenue
16 November 2021 06:29
:(
And the total you have stolen in GB?
16 November 2021 06:34
I am guessing you used the VPN to get on the network. Did you steal the credentials after that? SYmantec and McAfee didn't prevent stealing credentials?
16 November 2021 06:36
We have 32 Gb total.
Almost all AntiViruses are useless against real hackers.
16 November 2021 07:40
unfortunate but true
17 November 2021 05:16
For some reason the IT guy told us that they can see certain portion of files and they could be decrypted.
17 November 2021 05:17
I think you are only encrypting certain portion of files right? they can see the file content in bigger files
17 November 2021 05:17
There is a spotted encryption mechanism. If you are talking about ESXi files then I don't think they can. Some text files - yes
17 November 2021 05:31
I mean the big files are not fully encrypted. They are encypted at the header and then footer I think ... but in the middle one can see the text.
17 November 2021 05:35
It's true. First 4Kb, the last, and a few blocks in the middle
17 November 2021 07:33
But this is nto true for ESXi files? everything for them is encrypted?
17 November 2021 08:34
also how efficient is your encryption process? are you faster than lockbit2.0?
17 November 2021 08:36
we also got one file for lockbit but was protected that was few weeks ago
17 November 2021 08:37
I didn't compare it with lockbit but my software is quite fast, especially ESXi
17 November 2021 09:36
How is it going with decision making?
17 November 2021 09:38
its slow, we provided all the data and making sure they understand the complexity
17 November 2021 09:43
But for the esxi part, you don't use partial encryption? and everything is encrypted?
17 November 2021 09:44
not just 4kb header etc
17 November 2021 09:44
can you please explain 2 things to understand . Explain a bit more on how you re-write the keys in the memory and the efficiency of esxi encryption. That way I can explain to everyone as well, that no hope for recovery
17 November 2021 10:04
most probly I will ask for discount shirtly
17 November 2021 10:05
It's very simple. ESXi files especially virtual drives are very fragile. Even few changes make them unreadable because it has a binary structure.
ESXi was encrypted using spot method. 4 Kb of beginning of the files, 4 Kb of ending of the file and along file. Totally 100 Kb over the each file is encrypted. It's a quite enough.
17 November 2021 10:52
cool and the memory re-writing? as I understand you are not creating a new key for each file
17 November 2021 10:53
The memory overwrite is my last question. So I can make sure the SOC team understands
17 November 2021 11:02
When encryptor starts it creates a random field which will be used in encryption process. It is static. After encryption process finishes it rewrites to prevent restoration process. RSA keys private and public only use to encrypt/decrypt the random field. Only knowing the field it's possible to decrypt files. Encryptor has only public RSA keys, decryptor - private RSA keys.
17 November 2021 11:11
by random fields u mean aes?
17 November 2021 11:13
No, a truly cryptographic random field.
17 November 2021 11:13
like PRNG or truly random numbers?
17 November 2021 11:15
Of course not PRNG:)
17 November 2021 11:15
:(
17 November 2021 11:15
can you give me an example
17 November 2021 11:15
so you have the origanal private key. The ransomware generates fields that will encrypt files? are these fields used as keys? for aes?
17 November 2021 11:16
You are one smart guy
17 November 2021 11:17
Actually I already disclose you a lot of details which was never disclosed to anyone. I think it's enough to make a decision.
17 November 2021 11:17
Thanks
17 November 2021 11:18
AES is a chiper, I use a different one - some kind of Vernam's chiper. It's impossible to decrypt without knowing the keys.
17 November 2021 11:18
that means only one key will be used for all files and then re-written
17 November 2021 11:27
so no way to get back
17 November 2021 11:27
In simplified version the key used to encrypt all files. It exports to the disk using a few RSA public keys applied. Then encryption process follows. After that the key rewrites to prevent recovery from memory.
Decryption software has RSA private keys to initially decrypt the exported key.
17 November 2021 11:31
Whats the BTC address or wallet?
17 November 2021 11:40
I made an offer at the right panel
17 November 2021 11:51
you came into the network via global protect. Are you still on the network?
17 November 2021 11:54
No
17 November 2021 11:55
you are very honest for a hacker
17 November 2021 11:55
We are all honest who works at Hive
17 November 2021 11:56
but they say you hacked hospitals like [redacted] etc
17 November 2021 11:57
Yes, we attack every targets, we have no limits here. It's not related with honesty
17 November 2021 11:58
Got it
17 November 2021 11:59
I think the time is up :(
20 November 2021 18:07
Don't worry you have time. Tell me how is it going with upper management please
20 November 2021 19:58
working on it, tough situation
24 November 2021 04:57
Hi, how is it going?
29 November 2021 07:02
good thanks
3 December 2021 15:53
how r u
3 December 2021 15:56
I'm good too. I just wanted to know to what direction your company inclined right now.
By the way, what about a recovery process from memory from recovery company you told earlier?
3 December 2021 16:17
They think the recovery is possible
5 December 2021 05:26
also backup etc
5 December 2021 05:26
Let's play with the price. I think both your management and our side want to resolve this as quick as possible
5 December 2021 06:06
Whats the best price?
6 December 2021 08:57
I am not sure if 333 is even remotely possible
6 December 2021 08:58
They won't even consider 80 a possibility
6 December 2021 08:58 Read
I can offer you $3,000,000 in Bitcoin.
6 December 2021 11:01
This information is provided by Valéry Marchive
