Hello guys, I am the person in charge to negotiate with you on behalf of my client. The amount of XMR requested to my client to get the decryption tool, the files back available and not published in the dark web (I have seen some exfiltrated data are published on your blog) is huge and my client cannot afford to fully pay your claims. My client is trying to cope with this difficult situation, since it has been heavily struck by the current economic crisis due to the coronavirus pandemic, with a dramatic fall of sales in the last months. My client’s net revenues amount to EUR 500.000,00 in the last financial statement (2.5 billion as gross revenues, which is a not relevant data if you guys are acquainted with economics). The financial situation of my client has been catastrophic since 2010, with a substantial decrease y/y in net revenues and gross operating profits. The cyberattack you have carried out on my client’s systems has blocked the company operation and all its internal operations have been shut down including deliveries, and as a consequence my client is not able to fulfil the market with its copper products and get revenues. My client has already had to make budget cuts and fire many of its employees or put them on unemployed insurance, with devastating effects on families and children amid the economic crisis due to Covid19. Therefore, it is impossible for my client to pay you 7.5 million USD. According to my client’s financial condition, I think he might be considering paying a certain amount in order to protect his business and to obtain the decrypting tool for all the files very quickly. However, such amount would be lower than the one you have requested, due to the heavy financial situation. In my personal opinion, my client has the financial availability to pay you 500.000 USD very quickly. A greater amount would be very difficult (almost impossible in my very personal opinion) to be paid because of the current financial situation. Let me know on this point.

What kind of discount are you guys thinking about? My client is really in a dire economic situation as previously said and I will try my best to convince him to add few money on the negotiation table. However adding money to his last offer would entail more budget cuts and firing more employees, leaving families without livelihood in this dramatic financial crisis.

we are not bluffing and you do not know the financial situation of my client. However I will get back to you as soon as my client gives me a feedback on your so called "discount"

Oh well, so you guys are familiar with economics. Are you sure you are able to read the numbers? My Client has been losing money since 2010. In the consolidated financial report you exfiltrated you can see that in the first three months of 2020 only the financial loss amounts to EUR [redacted] M. And take a look at the net financial position as at 31 March 2020 which is negative by EUR [redacted] M. Moreover, look at bond trading level (30% yield) that my client needs to repay: [redacted]. The financial situation of my client is negative. I think you picked the wrong victim and the financial analysis you have performed prior to undertaking the hacking operations is absolutely wrong. Look at the chart herein attached and maybe you will be able to understand that economics is not hacking and my client is not Grubman nor Travelex nor [redacted] (the latter, just to remain in the [redacted] boundaries and a victim you may know). With regard to the insurance manual you guys have exfiltrated please note that the insurance company Chubb does not cover the expenses related to a ransom payment but only the expenses my client is is facing for business interruption and recovery. This being said, my client needs to resume normal operations as soon as possible minimising financial losses due to inactivity caused by your actions. So we need to find a trade-off between your requests and my client’s capability to pay. Too much money requested and really my client does not have that financial capability. My client understands your position and aspirations but can’t reach that amount. Overnight I convinced my client to add more money on the table. His offer now amounts to 750.000,00 but this will entail more sacrifices in terms of employment and debt repayment. People will be fired amid this financial crisis but I guess you guys don’t care about people left without livelihood. If you guys don’t accept it, my client will set up the new infrastructure without data. It won’t be easy but my client is pretty sure to go back on the business within a few weeks. I mean my client is making the argument that the cost to restart the new infrastructure without data will not be higher than 700-800 k USD. That amount represents the break-event point for my client. If my client pays a dollar more, it won’t be convenient for him. So accept these 750 k USD or set a new affordable price or get nothing. If you accept or if you set a price which my client is able to meet, he will start the payment process as soon as possible, after finding a trusted exchange. Please stop the countdown as usual during the negotiations with your hacking group.

Do you mean if we do not strike a deal in 1 day 8 hours and 41 minutes you will double the price requested?

Ok guys. What I am trying to let you understand is that my client is not in a good financial position and the financial statement you have had to chance to read clearly testifies what I am saying. The production plants are on hold and people are put on unemployed insurances and are being fired. I know that you guys don’t care because your goal is your personal profit. You carried out a perfect and clean job on my client’s network I have been told and you clearly deserve to be rewarded for your work. The issue is not if my client is willing to pay but how much money my client can afford to pay without worsening his financial condition and safeguarding jobs and families. This is the main issue. You guys are considering the data exfiltrated as valuable data that may cause a catastrophic reputational damage to my client if disclosed to the general public. Well, this is not the case. My client is not interested if you guys disclose [redacted] email dump or NDAs or whatever document you have in your hands. The value of the data you guys have stolen is irrelevant to my client. My client resells commodities ([redacted]) with a B2B model, there’s no industrial secret to be protected. And again, please believe me that I’m not bluffing on this point. You have read the documents you have stolen and you guys are experienced in the field: I bet you haven’t found any information worth USD 6.75 M. Any. So again, my client is interested in a quick restore of its network. Analysts have estimated that to restore the systems from scratch it will cost around EUR 800 k. Than there is the business interruption which is also covered by the insurance policy you have had the chance to read. If my client gets the decrypter, the network will be restored faster and the business will restart in a matter of days. Otherwise it will take longer but the costs incurred by my client will be integrally covered by the cybersecurity insurance policy. This being said, we are at a negotiation table. Your demands (USD 6.75 M) do not match our last offer (USD 750k ). We are way too far to reach an agreement. You guys say that our last offer do not you’re your expectations and to come back with a higher offer. But you guys have not lowered your request and showed any availability to reach an agreement and a win-win solution for both the parties involved. I mean, this is not a negotiation. Are you guys willing to get a reward for your team? What if I convince my client to put USD 1 M on the table? My client will never pay you the amount you have requested, but with some sacrifice he might be able to reach the USD 1 M threshold.

hey, guys, thank for lowering the price.

I mean that being one of the largest corporations does not imply to be the richest. This is the point

If my client had the financial resources you think the IT department would be stronger and [redacted] systems would be more secure

[redacted] IT department has proved to be very very little in terms of capacity and you guys have been good to leverage the vulnerabilities in [redacted] network. But this is not the point

You are sure that [redacted] has the financial capability to meet your demands. If you look at the reports as well as at the newspaper news you can easily see that [redacted] is in deep trouble.

So I am not bluffing because I have been asked to keep the price as lower as possible. I am an experienced negotiator, I undertook many negotiations with REvil and I know how to talk with you guys. I know the threshold I can or I cannot exceed. This is not the case. My client has a very limited financial ability and I am not fooling you around

So please do reconsider your demands and go for a win-win solution as REvil usually pursue.

Well, it hasn't been my case fortunately! Yes, I confirm I have undertaken many negotiations with REvil affiliates and I have not bumped into a negotiation with a payment of more than 1 M. Two months ago a REvil affilate attacked a very famous italian company. The intial request was 7.5 M USD, with revenues like [redacted]. The deal was closed at USD 750 K. You can ask REvil affiliates if I am not speaking the truth.

Moreover [redacted] does not give a shit about the data you have stolen, so I have been told. So please reconsider you request and maybe we can find an agreement.

I can see your point and I get it. I think I am not mistaken and the situation is similar to the one I mentioned. I mean, the price paid depends on many factors: 1) financial availability 2) ability to restore the network without the decrypter 3) time necessary 4) consistency of backups 5) profit loss for buisness interruption and so on. What I am saying that this is the sixth time I bumped into REvil and my client has never paid more than 1 M USD. But maybe they are exceptions that confirm the rule.

The situation is the following: 1) [redacted] has a very limited financial availability. 2) [redacted] is already working on network restoring (costs will be covered by the insurance policy) 3)the time necessary to restore the network from scratch will be almost 12 days 4) there are backups available on LTO tapes 5) the profit loss for business interruption will be limited and covered by the insurance policy

I get your point but [redacted] offered USD 1 M clean, not 5 k$.

[redacted] does not have $ 5 M. I can try to convince the client to add more money, but there no cash flow to pay the amount you have requested.

I know that the amount offered does not meet your expectations. What's a reasonable amount for you?Take into consideration what I have just told you in this talk

Talk to the client and get back to you in a while

Yes. Talked to the client and they shared that profit margins on revenue that is generated is tiny, and due to the lack of business having actual cash to turn into monero is hard to come by. They understand you ask more money, but they wanted me to let you know that they are having a hard time coming across more money. Now they have access to USD 1.27 M in cash, but it won't be available until Monday since they can't send money with the banks closed.

Hi guys. Sorry for being late but my client took his time over the weekend to have internal meetings in order to respond to your last request. Notwithstanding my client has strived to find more budget to pay your claims, there is no more money available to be put on the table. The financial condition of my client is terribile and you know it and the economic situation of Italy has been catastrophic since a decade with impactson [redacted]. My client can't afford to take away anymore money from the budget needed to run the company operations and to pay employees salaries. It has been a difficult decision and my client is fully aware that this decision could stop the negotiation with you guys and that consequently he won't get the decrypter. However my client has reached the maximum cap and the costs he might face without the decrypter are, according to cybersecurity analysts and loss adjusters, close to $ 1 M. So this is it. Let me know.

Yes, correct. We will need about a day since buying Monero takes time, especially when we use a broker in the USA

Client again took some time to think about to your last offer. Due to the fact that Monero has high transaction rates (around +10%), my client is willing to pay you 1.27 M within the next 48 hours. Client is not able to fully meet your demands as you know and understand. Let me know if this is ok for you and client starts the payment process.

Please do confirm that the decrypter is general and works for each and every system you guys have encyrpted

Be patient, we are working on it. Expect the payment very soon, a matter of hours.

Can you lock the Monero price for us? We are placing our order now.

Payment sent.

Hi guys, thanks for reciprocating with decryptor. During our talks, you told me that in case of ransom payment you would have given my client a sort report on how my client was hacked. Can you please provide such short report? My client is very interested about it and I think that after the successful transaction he deserves to know the entry point and how you gained privileged access to the network. Thanks for cooperation!

hello?

Thank you guys. One last question, did you guys buy the citrix server credentials on the dark web? Or did you obtain the credentials in another way? You know, it is important for my client to understand in order to prevent future attacks from other ransomware gangs.

Thanks. Since you guys have been so available to answer my question, can you please tell me which is the account whose credentials you have purchased? It is very important for my client to ascertain responsibilities of the security incident

Hello guys, sorry to bother you. But since the chat is still open I need one more info from you. It's very important for my client to get the full file tree and the list of the files you have exfiltrated, as well as the logs of the delete operations of such files. Can you help me?