forked from Casualtek/Ransomchats
20210820.json
{
"chat_id": "20210820",
"messages": [
{
"party": "Victim",
"content": "Please help us in decrypting the files",
"timestamp": "20/08/2021, 23:27:05"
},
{
"party": "Conti",
"content": "We will provide details on how to proceed shorty. 10-15 minutes.",
"timestamp": "20/08/2021, 23:32:29"
},
{
"party": "Conti",
"content": "As you already know - your network and all of your data were encrypted by CONTI team. Besides the encryption process we've downloaded a large pack of your internal documents and files that will be published in case our negotiations fail. How it happens can be seen on our website\nThe recovery price is $980000 (20.02 btc). If you want to make sure we can recover all of your data - you can send us the two files of your choice and we will decrypt them free of charge.\nIf we reach mutual agreement your will be provided with decryption tool, none of your internal data will be published and you will be provided with security tips on how to avoid further breaches.\nWe strongly recommend to review our offer in a timely manner.",
"timestamp": "20/08/2021, 23:48:25"
},
{
"party": "Victim",
"content": "Are we able to see what is in that larger pack of documents that you took from us? This is a lot of money for us to pay without knowing what we are paying to protect.",
"timestamp": "22/08/2021, 02:15:37"
},
{
"party": "Conti",
"content": "Yes, sure. Will upload asap.",
"timestamp": "22/08/2021, 02:18:32"
},
{
"party": "Conti",
"content": "listing_[redacted].rar [ 1.8MB ]",
"timestamp": "23/08/2021, 00:12:44"
},
{
"party": "Conti",
"content": "[redacted]DATA.zip [ 74.2MB ]",
"timestamp": "23/08/2021, 00:18:31"
},
{
"party": "Conti",
"content": "Upon conclusion of the agreement, our price includes\n1) Universal decryptor for your network\n2) Permanently delete all stolen information + logs of removing\n3) Security advisories and report how we infiltrated your system\n---\nYou can choose any 2 files from the listing, we will discard them as proof that the files were really stolen\nYou can also send 2 files for a free decrypt\nHIDE",
"timestamp": "23/08/2021, 00:34:34"
},
{
"party": "Conti",
"content": "How quickly do you want to conclude an agreement?",
"timestamp": "23/08/2021, 00:35:09"
},
{
"party": "Victim",
"content": "Quickly, but we need some time tomorrow to review what you sent. It's late on a Sunday and no one is here. We'll get you an update tomorrow.",
"timestamp": "23/08/2021, 00:35:48"
},
{
"party": "Victim",
"content": "Hello. We have spent the day reviewing and wanted to see if you would be able to accept $228,000 in return for a quick payment tomorrow. We can start looking for bitcoin brokers in the morning if this is acceptable.",
"timestamp": "24/08/2021, 02:03:09"
},
{
"party": "Conti",
"content": "No. We can give a small discount for speed\nDo you need a decryptor and data deletion?",
"timestamp": "24/08/2021, 02:12:53"
},
{
"party": "Victim",
"content": "Yes we need both. We will work to pay quickly. What can you do to help us?",
"timestamp": "24/08/2021, 05:55:35"
},
{
"party": "Conti",
"content": "Good\nIf you pay until the end of the week - Discount% 30\n$ 680.000",
"timestamp": "24/08/2021, 06:01:15"
},
{
"party": "Victim",
"content": "Ok, it's late here so I will bring this to the team first thing in the morning. Thank you.",
"timestamp": "24/08/2021, 06:02:48"
},
{
"party": "Victim",
"content": "Thanks for being patient with us. I had a chance to talk with our finance team after they spoke with our primary bank today. We have the ability to take out a $60,000 loan which we can offer you. This would set us up to be able to pay you $288,000. We would really appreciate it if we can come to some sort of agreement as we have exhausted our options to come up with cash for you. I'm doing all I can here to get approvals and such, but it's just posing to be challenging.",
"timestamp": "24/08/2021, 18:59:30"
},
{
"party": "Conti",
"content": "We see what you want to conclude an agreement and can make a small step\n$ 630.000",
"timestamp": "24/08/2021, 21:53:09"
},
{
"party": "Conti",
"content": "[redacted] - until the end of the week",
"timestamp": "24/08/2021, 21:53:31"
},
{
"party": "Victim",
"content": "Thanks. I will get in touch with our finance team and CEO in the morning to see what they are able to find. I know that they had not had positive news with our secondary bank given that someone told them it was for a ransom and they declined our application. Is there any BEST price that we could pay if we agreed on something tomorrow? Right now you are asking for more than double what we can possibly offer you, so maybe there is some benefit if we can pay you fast?",
"timestamp": "24/08/2021, 23:18:45"
},
{
"party": "Conti",
"content": "We can make it $500k if we close the deal tomorrow.",
"timestamp": "25/08/2021, 03:54:43"
},
{
"party": "Victim",
"content": "Ok let me get the team together in the morning and I will get back to you. Thank you.",
"timestamp": "25/08/2021, 04:26:28"
},
{
"party": "Victim",
"content": "Ok, I was able to have a meeting with the finance team and CEO to discuss your proposal. We really appreciate your willingness to come down for us in return for a quick payment. The team had been able to confirm that if paid today, we can offer $330,000. But we would need to know soon because there are some hurdles on our end to try to get a payment out today.",
"timestamp": "25/08/2021, 16:06:51"
},
{
"party": "Conti",
"content": "$500.000\ntoday.",
"timestamp": "25/08/2021, 16:09:49"
},
{
"party": "Victim",
"content": "We don't have access to $500,000 today, tomorrow, next week, or any time. We are trying to giving you our best offer that we can here, because anything higher is impossible for us to pay you.",
"timestamp": "25/08/2021, 16:13:12"
},
{
"party": "Conti",
"content": "Do you remember that we've had access to your network and went through your financial data? We wouldn't ask for anything you are unable to afford.",
"timestamp": "25/08/2021, 17:18:14"
},
{
"party": "Victim",
"content": "Yes, but if you saw our expenses you would see that our margins are extremely slim. Our industry relies on being the most affordable option, which means accepting slim margins to get work. Revenue may look good, but when we realize only 2% to 4%, you start to see that we are not extremely profitable",
"timestamp": "25/08/2021, 17:22:29"
},
{
"party": "Conti",
"content": "I'll talk to the team anyways, will try to get smth better but not sure if my boss agrees.",
"timestamp": "25/08/2021, 17:26:01"
},
{
"party": "Victim",
"content": "Thank you. I know you guys are looking to make money off of us, but we just want to be realistic with you here regarding what we can actually pay.",
"timestamp": "25/08/2021, 17:30:23"
},
{
"party": "Conti",
"content": "350k$ today",
"timestamp": "25/08/2021, 17:59:48"
},
{
"party": "Victim",
"content": "Okay, we are working on this",
"timestamp": "25/08/2021, 21:08:15"
},
{
"party": "Victim",
"content": "Will you be around in about 1-2 hours? We should have the funds sent to you by then",
"timestamp": "25/08/2021, 22:50:42"
},
{
"party": "Conti",
"content": "ok",
"timestamp": "25/08/2021, 22:52:14"
},
{
"party": "Victim",
"content": "Payment has been sent",
"timestamp": "25/08/2021, 23:28:50"
},
{
"party": "Victim",
"content": "Are you there?",
"timestamp": "25/08/2021, 23:50:40"
},
{
"party": "Conti",
"content": "yes",
"timestamp": "25/08/2021, 23:52:22"
},
{
"party": "Conti",
"content": "We expect confirmations",
"timestamp": "25/08/2021, 23:52:49"
},
{
"party": "Conti",
"content": "[redacted]_decryptor.exe [ 103kB ]",
"timestamp": "26/08/2021, 00:37:18"
},
{
"party": "Conti",
"content": "Decryptor: \n1) Launch the decryptor under Administrative rights \n2) Wait till the decryptor window is closed \n3) if any of the files haven't changed the extension back to the original - repeat 1 and 2",
"timestamp": "26/08/2021, 00:37:46"
},
{
"party": "Victim",
"content": "Thank you, what about the log for removing the stolen information and the security advisories and report? When will we receive those?",
"timestamp": "26/08/2021, 02:30:51"
},
{
"party": "Victim",
"content": "Hello?",
"timestamp": "26/08/2021, 20:31:17"
},
{
"party": "Conti",
"content": "wait please",
"timestamp": "26/08/2021, 20:36:46"
},
{
"party": "Conti",
"content": "- We recommend that you configure restrictions on system actions for ordinary users on all workstations.\n- Change passwords every 2 weeks and create more complex\n- Install an antivirus on every computer \n- Disable lsas dump on all computers\n- Monitoring of users on the network 2 times a week\n- Restrict access to servers for regular users\n- Reduce the number of domain admins\n- Set up a more complex data backup system",
"timestamp": "26/08/2021, 20:37:31"
},
{
"party": "Conti",
"content": "[redacted].log [ 16.2MB ]",
"timestamp": "27/08/2021, 03:02:06"
},
{
"party": "Victim",
"content": "Thank you. Are you able to share the exact computer and method used to access our network?",
"timestamp": "27/08/2021, 15:09:23"
},
{
"party": "Victim",
"content": "Why does the deletion log have fewer files than the file tree that you sent earlier? 166,429 files in the listing.txt vs the 149,914 files in [redacted].log",
"timestamp": "27/08/2021, 18:23:16"
},
{
"party": "Victim",
"content": "Hello?",
"timestamp": "27/08/2021, 23:47:16"
},
{
"party": "Conti",
"content": "These are directory. Your files are removed. We work honestly.",
"timestamp": "29/08/2021, 13:56:53"
},
{
"party": "Victim",
"content": "What does that mean \"these are directory?\"",
"timestamp": "29/08/2021, 14:53:19"
},
{
"party": "Victim",
"content": "Also, are you able to share the exact computer and method used to access our network?",
"timestamp": "30/08/2021, 15:23:35"
},
{
"party": "Conti",
"content": "mail",
"timestamp": "30/08/2021, 22:22:47"
}
]
}