Should you pay the ransomware demand now or face a class-action lawsuit later? The decision is not as simple as you may think.

AT&T pays $177 million settlement to more than 67 million customers

AT&T has agreed to a $177 million settlement to resolve class action lawsuits stemming from two major data breaches: one that originated in 2019 (or earlier), and another disclosed in 2024. The settlement received preliminary approval from a federal judge in Texas last week.

The 2019 breach involved the leak of sensitive data—including Social Security numbers, names, email and mailing addresses, phone numbers, dates of birth, and account passcodes—for over 7 million current and more than 60 million former AT&T customers, with this data appearing on the dark web. The 2024 breach impacted “nearly all” AT&T cellular customers, with hackers stealing about six months’ worth of call and text records from a third-party cloud platform, though this data did not include the content of calls or texts or highly sensitive personal identifiers.

The settlement allocates $149 million for the first class (related to the 2024 breach) and $28 million for the second class (related to the 2019 breach). Customers who suffered damages “fairly traceable” to the breaches may be eligible for larger payments, while others whose personal information was exposed may receive a smaller share after legal fees and administrative costs are deducted. Notices to potential claimants will begin in August, with a final approval hearing scheduled for December 3, 2025, and payments expected to start in early 2026.

Notable Examples of Data Breach Class Action Settlements

The AT&T case is not unusual. Numerous class action lawsuits have resulted in settlements or verdicts for data breaches across various industries. These cases typically involve companies paying significant sums to affected individuals or, at the very least, providing them with compensation, credit monitoring, or other benefits.

T-Mobile (2022): Settled for $350 million after a 2021 data breach impacting about 77 million U.S. subscribers. The settlement included direct payments to claimants and a commitment to invest $150 million in data security.

Equifax (2017): Agreed to a settlement of around $380 million for a breach affecting nearly 150 million Americans, with an additional $125 million for out-of-pocket costs. The company also committed to improving its cybersecurity practices.

Capital One (2021): Settled for $190 million after a breach exposed the personal information of 100 million people.

Home Depot (2014): Paid $134.5 million to credit card companies and banks, $19.5 million to consumers, and an additional $25 million to financial institutions after a breach affecting over 50 million credit card numbers.

Uber (2022): Settled for $148 million after a data hack exposed the information of 57 million drivers and riders.

Netgain Technology (2025): Agreed to pay $1.9 million to settle claims from a data breach between September and November 2020, with affected individuals eligible for up to $5,000 in documented losses.

NCB Management Services (2025): Settled for $2.63 million after a breach exposed the personal information of over 1.6 million individuals, with payouts up to $2,500.

To pay the ransomware demand or not?

AT&T agreed to a $177 million settlement to resolve class action lawsuits stemming from two major data breaches, far greater than the estimated $800 thousand ransomware demand. So why did AT&T choose to refuse the cybercriminals’ demands?

Paying a ransomware demand does not eliminate the risk of future class action lawsuits, and evidence shows it often compounds legal and financial risks. Breach notification laws require companies to disclose data breaches regardless of ransom payments, which often triggers class actions. Paying a ransom doesn’t erase the fact that data was compromised. Lawsuits focus on negligence in security practices, not payment decisions. Plus, entities like the FTC or state attorneys general can still impose fines for inadequate data protection, irrespective of ransom payments.

There are other risks involved with paying a ransomware demand. Paying threat actors sanctioned by OFAC (e.g., Russian groups) risks federal prosecution, and third-party facilitators (insurers, incident responders) may also face penalties.

Let’s face it: Research shows that 30–40% of victims never receive functional decryption keys after payment—a massive mistake by the ransomware community that severely lowered their leverage with victims. To add insult to injury, attackers may still leak/sell data or demand additional payments.

Paying ransomware demands also acts as a marketing tool for ransomware gangs. The payment funds criminal enterprises, incentivizes future attacks, and signals vulnerability, increasing the likelihood of repeat targeting.

Recommended approach to a ransomware demand

For these reasons, experts recommend that victims do not pay ransoms. The FBI and cybersecurity experts uniformly advise against payment due to legal risks and low success rates. Instead, they suggest victims prepare for litigation by notifying affected parties within 30–60 days of breach discovery to reduce regulatory penalties, followed by third-party security audits to demonstrate due diligence.

How to negotiate a ransomware demand

Not all companies refuse to pay. For example:

| Company | Year | Ransomware Group | Amount Paid (USD) | Details/Notes |
| --- | --- | --- | --- | --- |
| CNA Financial | 2021 | EvilCorp | $40 million | Initial demand was $60 million; paid after systems were locked down and data stolen. |
| JBS Foods | 2021 | REvil/Sodinokibi | $11 million | Paid to restore operations after global ransomware attack; FBI confirmed payment. |
| Caesars Entertainment | 2023 | ALPHV/BlackCat (Scattered Spider) | $15 million | Paid via SEC disclosure; initial demand was $30 million. |
| Change Healthcare | 2024 | ALPHV/BlackCat | $22 million | Paid to recover systems and data; initial demand was $22 million. |
| CDK Global | 2024 | BlackSuit | $25 million | Paid after two attacks; initial demand escalated from $10 million to over $50 million. |

The decision to pay is not made quickly; it comes only after several steps in the ransomware negotiation have been taken.

Engage Experts and Incident Response Teams

Most companies lack the expertise and do not negotiate directly with attackers. Instead, they engage specialized ransomware negotiators—either from incident response firms or through their cyber insurance providers. These professionals have experience in cybercrime negotiations and understand the technical, legal, and financial risks involved.

Assemble a Crisis Management Team

Organizations form a crisis management team that includes IT, legal, and executive leadership. This team works with negotiators and cybersecurity advisors to assess the situation, verify the extent of the attack, and determine the best course of action.

Secure Systems and Assess Backups

Before any negotiation begins, companies work to secure their systems and determine whether recovery from backups is possible. This helps inform whether negotiation or payment is even necessary.

Initiate Communication

Negotiations typically start with establishing a secure communication channel, often using encrypted chat platforms or dark web services provided by the attackers. Negotiators, of course, will try to stall for time to allow their teams to assess damage and prepare for recovery.

Gather Intelligence

During negotiations, companies seek to learn as much as possible about the attackers—such as their identity, tactics, and what data was stolen or encrypted. Negotiators may also request proof that the attackers actually have the data and can decrypt it.

Negotiate the Ransom Amount

Professional negotiators attempt to lower the ransom demand. This can involve multiple rounds of back-and-forth, with negotiators making counteroffers and testing the attackers’ willingness to compromise. Reductions of 50% or more are not uncommon, with some negotiators reporting reductions exceeding 85% (see the table above).

Request Proof of Decryption

Before making a payment, companies often ask the attackers to demonstrate that their decryption key works by decrypting a sample of encrypted files.

Coordinate Payment

If payment is agreed upon, companies arrange for the transfer of cryptocurrency. This process is usually managed by financial and legal teams to ensure compliance with regulations and to avoid violating sanctions.

Monitor for Further Threats

After payment, companies monitor for any further attacks or data leaks and take steps to close security gaps identified during the incident.
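
A defender-side check for the "Request Proof of Decryption" step above, as an added example that is not part of the original article: it compares each file the attackers return against SHA-256 hashes taken from pre-incident copies and, where no baseline exists, falls back to file-signature and entropy checks to spot files that still look encrypted. The file names, sample bytes, hash manifest and the 7.5 bits/byte entropy cut-off are constructed assumptions.

```python
"""Triage files an attacker returns as 'proof of decryption'."""
import hashlib
import math
import os
from collections import Counter

# Well-known file signatures; OOXML documents (.xlsx, .docx) are ZIP containers.
MAGIC = {
    ".pdf": b"%PDF-",
    ".zip": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",
    ".png": b"\x89PNG\r\n\x1a\n",
}

# Assumed cut-off: ciphertext sits close to 8 bits/byte, while text and other
# uncompressed data sit well below it.
ENTROPY_LIMIT = 7.5


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def verify_sample(name: str, data: bytes, manifest: dict) -> tuple:
    """Classify one returned file as verified, mismatch, plausible or suspect."""
    expected = manifest.get(name)
    if expected is not None:
        # Strongest evidence: byte-for-byte identity with the pre-incident copy.
        if sha256_hex(data) == expected:
            return "verified", "matches pre-incident SHA-256"
        return "mismatch", "differs from pre-incident SHA-256"
    ext = os.path.splitext(name)[1].lower()
    magic = MAGIC.get(ext)
    if magic is not None:
        # Compressed formats are high-entropy even when intact, so check the
        # file signature instead of entropy.
        if data.startswith(magic):
            return "plausible", f"correct file signature for {ext}"
        return "suspect", f"missing file signature for {ext}"
    entropy = shannon_entropy(data)
    if entropy > ENTROPY_LIMIT:
        return "suspect", f"entropy {entropy:.2f} bits/byte resembles ciphertext"
    return "plausible", f"entropy {entropy:.2f} bits/byte"


def assess(samples: dict, manifest: dict) -> tuple:
    """Return per-file results and whether the proof as a whole holds up."""
    results = {n: verify_sample(n, d, manifest) for n, d in samples.items()}
    verdicts = [verdict for verdict, _ in results.values()]
    # Require at least one hash-verified file and no failed file.
    accepted = "verified" in verdicts and not {"mismatch", "suspect"} & set(verdicts)
    return results, accepted


def pseudo_ciphertext(blocks: int = 256) -> bytes:
    """Deterministic high-entropy bytes standing in for still-encrypted data."""
    return b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(blocks))


# Constructed sample data: ORIGINALS stands in for copies held in offline backups.
ORIGINALS = {
    "report.pdf": b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n",
    "ledger.csv": b"invoice,amount\n" + b"1001,250.00\n" * 40,
}
MANIFEST = {name: sha256_hex(data) for name, data in ORIGINALS.items()}

# Constructed "returned" files, as if received during the negotiation.
RETURNED = {
    "report.pdf": ORIGINALS["report.pdf"],         # intact
    "ledger.csv": ORIGINALS["ledger.csv"][:100],   # truncated by a faulty decryptor
    "notes.txt": b"meeting notes: rotate all domain admin passwords\n" * 20,
    "cards.xlsx": pseudo_ciphertext(),             # no ZIP signature
    "export.dat": pseudo_ciphertext(),             # unknown type, high entropy
}

if __name__ == "__main__":
    results, accepted = assess(RETURNED, MANIFEST)
    for name, (verdict, reason) in results.items():
        print(f"{name:12} {verdict:10} {reason}")
    print("proof of decryption accepted:", accepted)
```

A "plausible" verdict only means the file is not obviously ciphertext; files that matter for recovery should be chosen from those with a pre-incident hash so they can reach "verified".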

But if you pay, remember this…

Negotiations must consider the risk of violating sanctions or other laws, especially if the attackers are based in sanctioned countries. Many come from “enemy” countries, making such payments illegal. And there is no guarantee that attackers will honor their promises, even after payment.

Transcripts of real-life ransomware negotiations

Ransomchats maintains a GitHub repository of real-life ransomware demand negotiations that have been used for research, training, and public awareness. Here are some of the ransomware demand transcripts they have collected.

BlackMatter example 1

| party | content | timestamp |
| --- | --- | --- |
| Victim | hi | 29 Aug, 22:22 PM [NY time] |
| BlackMatter | Hello | 30 Aug, 02:49 AM [NY time] |
| Victim | Looks like our files encrypted by you, can you please assist? | 30 Aug, 10:37 AM [NY time] |
| BlackMatter | Oh sure | 30 Aug, 10:49 AM [NY time] |
| BlackMatter | What can I help you with? | 30 Aug, 10:50 AM [NY time] |
| Victim | we’re here to negotiate, our management wants to make sure that you have our data if we are to pay, can you provide some proof of the data, sample data etc.? | 30 Aug, 11:31 AM [NY time] |
| Victim | Please let us know if we can obtain some proof data. Thanks. | 30 Aug, 20:25 PM [NY time] |
| BlackMatter | Have you received files? Do you need more ? | 31 Aug, 11:33 AM [NY time] |
| BlackMatter | If so let us know, we wil prepare more data for download | 31 Aug, 11:33 AM [NY time] |
| Victim | No we have not received the files, please send or let us know where to download the proof data. Also, we would like to see files in our buffalo backups since those systems were formatted we would like to make sure those files are available too. Thanks for working with us! | 31 Aug, 12:01 PM [NY time] |
| BlackMatter | All backups was securely deleted to prevent you from recovery process. Everything else was encrypted, we will prepare archive with stolen data in 30 mins, stay in touch. | 31 Aug, 12:08 PM [NY time] |
| BlackMatter | https://privatlab.org/s/v/[redacted] | 31 Aug, 14:10 PM [NY time] |
| BlackMatter | There is little sample with clients info autocad drawings and so on, check it out | 31 Aug, 14:10 PM [NY time] |
| BlackMatter | https://privatlab.org/s/v/[redacted] | 31 Aug, 17:48 PM [NY time] |
| BlackMatter | Its filee tree | 31 Aug, 17:48 PM [NY time] |
| Victim | Thank you! I will send these to our management for review. | 01 Sep, 00:44 AM [NY time] |
| Victim | They asked if you could provide proof of some of the files below: | 01 Sep, 00:45 AM [NY time] |
| Victim | \\vhost2\data\v[redacted]\v[redacted]\virtual machines\   A few files from this folder.<br>192.168.0.31\data\sqldata\db[redacted]_eng.mdf<br>192.168.0.31\data\sqldata\[redacted].mdf | 01 Sep, 00:45 AM [NY time] |
| Victim | Also, while we’re reviewing the files, is it possible that the timer can be stopped as we’re working on the funds? Thank you so much! | 01 Sep, 00:48 AM [NY time] |
| BlackMatter | We cannot share files like you asking for because it is database files, and one of them is database of backup software. Timer updated. | 01 Sep, 03:31 AM [NY time] |
| Victim | Thank you. Does that mean you don’t obtain those .mdt requested above, and cannot provide them after payment, we would need to use the decryptor to decrypt them, correct? | 01 Sep, 23:26 PM [NY time] |
| BlackMatter | You’re right. Usually we directly download files instead of download whole VM. | 02 Sep, 03:13 AM [NY time] |
| BlackMatter | Hello, any news? | 05 Sep, 12:38 PM [NY time] |
| Victim | Hi. We checked the portal a couple of days ago and this chat portal was down, I couldn’t get in to chat with you. I made a request via “Contact Us” button, (Request ID: [redacted] for your reference.) And we had a long holiday weekend. Can you extend the timer again due to the portal being down? | 06 Sep, 02:30 AM [NY time] |
| Victim | Also, our management wants to make sure, once the payment is make: 1) you will provide us the data back through download, 2) you will delete our data from your side and provide proof, 3) you will provide us the decryptor, with support if there is any question or issue with the decryptor), 4) you will tell us how you hacked our network, 5) you will not publish the data or the blog post / any media that you hacked our network and data. We were just able to test the decryption too now that the portal is back up. Please confirm and I will let my management know. Thank you! | 06 Sep, 02:47 AM [NY time] |
| BlackMatter | First of all we add 3more days in timer. 1. We will setup temporary onion website where you can download your files to understand which ones was downloaded. 2. We will provide shreder log-files with reports of deleted files so you will compare it with files ha you download. 3. Support for decryption available 24/7/365, but don’t have any cases where it was needed. 4. Short penetration-test report with main killchain and recommendations how to prevent this in future. 5. Data in blog published only when we lost contact, so dont worry about it. | 06 Sep, 03:13 AM [NY time] |
| Victim | Perfect. Thank you for the confirmation! | 06 Sep, 10:22 AM [NY time] |
| Victim | Our management had a meeting today and they would like to ask if you will take $150,000. We know this amount is small compared to your initial demand, but please understand that we sell [redacted] to school and government, and as you know, since covid started, all school has closed or gone online so no one has been buying our [redacted], therefore we have been suffering as many other business. Also, looking at your main page, where you mention that you do not attack government sector, if we work with school and government like that, do we qualify for the free decryptor? Just thought we’d check. Again, thank you for working with this. Please let us know if any of these works for you. | 06 Sep, 10:28 AM [NY time] |
| BlackMatter | Hello. You do not fall under our rules, it will not work for free. Maybe you mean 150k discount? We know your cash flow and amount what we’re asking for is not overpriced. | 06 Sep, 10:49 AM [NY time] |
| Victim | Thanks for verifying that we do not fall under your rules. Please understand that we are a small company and do not have significant capital, and we are here to negotiate in good faith. Our management would like to know the amount that you can come down off the initial demand. Thank you. | 07 Sep, 14:00 PM [NY time] |
| BlackMatter | We can provide 20% discount and reduce 20% boost if you want to pay in bitcoin. So our best offer ~4-4.5M | 07 Sep, 14:10 PM [NY time] |
| BlackMatter | You’re not so small how you want | 07 Sep, 14:29 PM [NY time] |
| BlackMatter | [picture] | 07 Sep, 14:29 PM [NY time] |
| Victim | Hi. the bank statement isn’t actually telling much, we have expenses that the bank statement doesn’t show, and a lot of those money in the statement are not ours, they’re on-hold funds from other entities. If we were to pay 4M based on that bank statement, we would be out of business. Our management came back with $250,000, which is the most that they can get at this point. Please understand and help us out. | 07 Sep, 18:50 PM [NY time] |
| BlackMatter | Its too low, take a loan or smth because your offers is awful. We better lost amount that you offers than take this. We dont care. | 07 Sep, 18:55 PM [NY time] |
| Victim | Can you please give us more discount? Really covid and everything have been hitting us hard. We really appreciate your help, anything we can get. | 07 Sep, 18:57 PM [NY time] |
| BlackMatter | Sure we can but its about 250k in total. | 07 Sep, 18:58 PM [NY time] |
| Victim | Sorry I didn’t get that … | 07 Sep, 19:00 PM [NY time] |
| BlackMatter | Lets try to safe your and our time. We setting price for 2.5M$ for 72h. There is enough time to take decision. If you will stuck in exchange or something we will add more time. | 07 Sep, 19:03 PM [NY time] |
| BlackMatter | Price and timer updated. Tell to you manager that he must think twice, lost encrypted data and publish whole company secrets versus 2.5M$. | 07 Sep, 19:10 PM [NY time] |
| Victim | Hi. Our management has gone to the board and this is a huge number for them, they can try to squeeze out $350K now, please help work with us here and see if this is acceptable. Thanks for your help! | 08 Sep, 14:37 PM [NY time] |
| BlackMatter | its too low. we will not accept this amount, dont try this, safe your time | 08 Sep, 14:47 PM [NY time] |
| Victim | We’ve been going out to get loans from the banks and able to get $500K total. We can pay within the next 24 hours if you accept this amount. Please let us know. Thank you! | 09 Sep, 13:33 PM [NY time] |
| BlackMatter | Its still too low. Get 1M more and we will make a deal with highest discount in history. | 09 Sep, 15:04 PM [NY time] |

BlackMatter example 2

| party | content | timestamp |
| --- | --- | --- |
| BlackMatter | Hello and welcome to BlackMatter. How may I help you? | 07 Sep, 00:44 AM [NY time] |
| Victim | Hello | 10 Sep, 04:46 AM [NY time] |
| Victim | I need help with decrypt my data | 10 Sep, 04:46 AM [NY time] |
| BlackMatter | To decrypt your files you have to purchase the decryption software. It costs $15m for you. | 10 Sep, 04:57 AM [NY time] |
| Victim | This is too hiigh a price. Give me proof that the price is adequate for the data you have. | 10 Sep, 05:20 AM [NY time] |
| BlackMatter | First of all, can you introduce yourself, state the company name and your position in it. | 10 Sep, 07:13 AM [NY time] |
| Victim | I am a spokesperson for the company and I will sell the information to my customer. Because this is not secure communication, I do not want to state the name of the company and I assume that we will delete this chat after the meeting. | 10 Sep, 07:25 AM [NY time] |
| Victim | I am authorized to communicate with you on behalf of the company and to establish conditions that will be acceptable to both parties. | 10 Sep, 07:26 AM [NY time] |
| Victim | First of all, I would be happy if we set a price that is negotiable. Next, it would be good to submit information about the data you have in your possession so that we can consider paying the ransom and start negotiating the price. | 10 Sep, 07:29 AM [NY time] |
| BlackMatter | We have the doubts you are from company we need the proofs that you are from there. | 10 Sep, 07:29 AM [NY time] |
| BlackMatter | So how can you prove it? | 10 Sep, 07:30 AM [NY time] |
| Victim | I can’t prove it. We’re gonna have to trust each other. | 10 Sep, 07:33 AM [NY time] |
| Victim | If you want to pay, then this is the only way to come to an agreement. So that emotions are not used in the negotiations, I am here as an intermediary. My client doesn’t want to negotiate, even though it seems to be the only option. Although they have backups, but the restoration will take some time, so I would like to negotiate an adequate price. | 10 Sep, 07:36 AM [NY time] |
| BlackMatter | You cant prove it because you don’t know it. This is just confirmed our doubts have a nice day. | 10 Sep, 07:35 AM [NY time] |
| Victim | We are a protected society and I cannot afford to openly write who it is. I only know the owner of the company who owns several companies. | 10 Sep, 07:37 AM [NY time] |
| Victim | If you do not want to cooperate, then I will pass this information on to the customer and the media to make it obvious that BlackMatter are a group of crooks. | 10 Sep, 07:43 AM [NY time] |
| BlackMatter | This is ridiculous, you can prove it in hundreds different ways, without compromising so called “privacy”. | 10 Sep, 07:43 AM [NY time] |
| Victim | Give an example.I only know the owners of the companies. | 10 Sep, 07:46 AM [NY time] |
| BlackMatter | To start a cooperation, we have to know with whom we a dealing and you failing it. So far you looks as some boring guy who got a sample from virus total and obtained the chat link. | 10 Sep, 07:46 AM [NY time] |
| Victim | They found this file in their system and that’s why I came to your page C:\[redacted].README.txt | 10 Sep, 07:48 AM [NY time] |
| BlackMatter | You can upload the company’s letterhead, you can tell to us domain controllers name, name of backing up software it is just a few) | 10 Sep, 07:49 AM [NY time] |
| Victim | Actually I don’t have much time to deal with authorization. I want to help the customer and negotiate the terms of cooperation. Just because anyone can watch this chat, I don’t want to share any information and prove that I am who I am. Do you want to negotiate the price? | 10 Sep, 07:50 AM [NY time] |
| BlackMatter | So far it looks as your main objective is to f*ck with us) | 10 Sep, 07:52 AM [NY time] |
| Victim | The environment is isolated and analyzed by the forensics team and the police. I can’t interfere with the investigation, and all the documentation has been encrypted, as the customer told me. | 10 Sep, 07:52 AM [NY time] |
| Victim | I certainly don’t feel like fucking with you. I want to talk and get this thing resolved as soon as possible. | 10 Sep, 07:53 AM [NY time] |
| BlackMatter | Here we go again, to negotiate with whom with some random Joe? | 10 Sep, 07:53 AM [NY time] |
| BlackMatter | Ok, this is simple prove you are from company or just go grab another sample from VT. | 10 Sep, 07:54 AM [NY time] |
| Victim | Yes, let’s talk about price and what you get for our data. Then we can discuss the price of the decryptor. | 10 Sep, 07:55 AM [NY time] |
| Victim | What is VT? | 10 Sep, 07:56 AM [NY time] |
| BlackMatter | Oh [redacted] you so clever) virustotal.com | 10 Sep, 07:56 AM [NY time] |
| Victim | Oh, I see. So how do we do it? | 10 Sep, 07:59 AM [NY time] |
| BlackMatter | You have the options<br>1. Internal windows domain name.<br>2. Domain administrators name.<br>3. Backup software name.<br>This information aren’t locked by encrypting software or police) | 10 Sep, 07:59 AM [NY time] |
| Victim | 1) [redacted] | 10 Sep, 08:04 AM [NY time] |
| Victim | 2) administrator | 10 Sep, 08:04 AM [NY time] |
| BlackMatter | 2) administrator<br>this is too generic give us another one | 10 Sep, 08:06 AM [NY time] |
| Victim | [redacted] | 10 Sep, 08:08 AM [NY time] |
| BlackMatter | Ok, John thank you. So you see the price, you need to pay it. | 10 Sep, 08:12 AM [NY time] |
| Victim | Are we really not? This bill was sent to me by their owner. I’m gonna look like a fool if we don’t agree on a price. | 10 Sep, 08:16 AM [NY time] |
| BlackMatter | Your English is too sophisticated for me, can you try again) | 10 Sep, 08:19 AM [NY time] |
| Victim | Are we really not? This account was sent by their owner. If we don’t make a deal, I’m gonna look like an idiot. | 10 Sep, 08:22 AM [NY time] |
| Victim | I don’t speak English, so I translate automatically. | 10 Sep, 08:23 AM [NY time] |
| BlackMatter | You see the demanded price. If you’ll pay it you will get.<br>1. The decrypting tools.<br>2. Your data back (we took 1.5TB, PII, NDA, emails, MSSQL databases)<br>3. A file tree.<br>4. Explanation how the company was breached. | 10 Sep, 08:31 AM [NY time] |
| Victim | The price is not adequate. Give me a price I can pass on to the owner of the company. | 10 Sep, 08:40 AM [NY time] |
| BlackMatter | We have no idea what a price is adequate for you. We can make 10% discount for fast payment and remove 25% BTC transaction fee. Make the offer. But to make it simple we will not consider the offer less than 7-figure number. | 10 Sep, 08:46 AM [NY time] |
| Victim | Our idea was $500,000, but we can negotiate a price of $1,000,000. Give us proof that there is information sensitive enough to be of such value. | 10 Sep, 08:50 AM [NY time] |
| BlackMatter | Do you want me upload a sample with office documents? The emails and sqls are too big but we have them all.) | 10 Sep, 08:53 AM [NY time] |
| BlackMatter | One more detail we know the company doesn’t have the backups. Rubrik is gone) | 10 Sep, 08:55 AM [NY time] |
| Victim | We have offline backups. Ok show me the office document and a screenshot of the database. | 10 Sep, 09:03 AM [NY time] |
| Victim | Do you also have the passwords of the domain users? Give me a screenshot. | 10 Sep, 09:04 AM [NY time] |
| BlackMatter | You have tapes for [redacted] but they are useless without software. | 10 Sep, 09:05 AM [NY time] |
| BlackMatter | This is the screenshot for DA hashes and passwords.<br>https://ibb.co/[redacted] | 10 Sep, 09:09 AM [NY time] |
| Victim | We have a backup created by other software and transferred to a SAN to a backup data center. Restoration will take a long time, but it is possible. What databases do you have? | 10 Sep, 09:13 AM [NY time] |
| BlackMatter | Yo can get the sample by following link.<br>https://privatlab.com/m/v/[redacted]<br>We will not make DB screenshots too much work. | 10 Sep, 09:14 AM [NY time] |
| BlackMatter | We have dbs from<br>[redacted]SQL<br>SQL2014Test<br>[redacted]SQL1<br>[redacted]-SQL<br>[redacted]-SQL | 10 Sep, 09:17 AM [NY time] |
| Victim | Data in databases should be encrypted. Just because you have database servers doesn’t mean anything. | 10 Sep, 09:22 AM [NY time] |
| BlackMatter | Should or is? ) | 10 Sep, 09:25 AM [NY time] |
| Victim | According to IT, it should be. Let’s make a deal like this. If the data in the database is encrypted, we’ll pay you $100,000 to decrypt it for us. If the data in the databases is not encrypted, then we’ll pay you $700,000. $700,000 is the price we have to invest in recovery, and if the recovery with the decryptor is faster, then we’ll save money on service outages. | 10 Sep, 09:29 AM [NY time] |
| BlackMatter | To complicated, we said what will provide if we’ll agree on price. $700k is unacceptable. | 10 Sep, 09:42 AM [NY time] |
| Victim | Okay, then the price is $1,000,000 if the data is readable. | 10 Sep, 09:47 AM [NY time] |
| BlackMatter | Without any conditions, you are paying for decrypting tools and fast recovery, the data is collateral. You will not recover so easily without decryptor. We can do negotiations pretty long; time is on our side. If you are want to finish this fast make the acceptable offer. | 10 Sep, 09:54 AM [NY time] |
| Victim | The data you hold is worse for us than having to recover it. The data you hold is worth no more than $1,000,000, which is why we are offering this price. We can restore the data from offline backups (we have tested this). A higher price than $1,000,000 is not acceptable to us. If you don’t accept this price, then I need to check with the owner of the company what we will do next and if we can offer more money. | 10 Sep, 09:59 AM [NY time] |
| BlackMatter | How you evaluate data’s price can I see a formula? | 10 Sep, 10:04 AM [NY time] |
| BlackMatter | You can do incremental and we can do decremental steps, make the offer that we can turn down. 1 is to far away from 15. | 10 Sep, 10:12 AM [NY time] |
| Victim | We evaluate it subjectively. We have already written to people about PII, so the reputational impact has already occurred. We’re gonna put new passwords in Active Directory. Office documents aren’t that valuable to us. The only thing of value is the databases. | 10 Sep, 10:16 AM [NY time] |
| Victim | 15 is meaningless. I thought 15 was just a number, but not the actual ransom. | 10 Sep, 10:18 AM [NY time] |
| BlackMatter | We just checked the random db, data is fine and not encrypted. Have a look.<br>https://ibb.co/[redacted] | 10 Sep, 10:18 AM [NY time] |
| Victim | I understand, but for us only the know-how and customer information in the databases is worth anything. | 10 Sep, 10:20 AM [NY time] |
| Victim | I can see it now. Then name a price that makes sense for both sides. | 10 Sep, 10:21 AM [NY time] |
| BlackMatter | Nothing sn meaningless, we did a good pentest for your company it has to be rewarded. $1kk is not enough. Do some consultations and come with a better offer. | 10 Sep, 10:22 AM [NY time] |
| BlackMatter | One of your competitors was hit the same yesterday if it helps to your feelings. | 10 Sep, 10:24 AM [NY time] |
| BlackMatter | If you will offer the good price today we can make a decent discount for you. | 10 Sep, 10:25 AM [NY time] |
| Victim | I need to check with the management and the owners. What competitor do you think? | 10 Sep, 10:57 AM [NY time] |
| BlackMatter | By the way they offer much more then you. | 10 Sep, 11:01 AM [NY time] |
| Victim | I guess they don’t have backup. | 10 Sep, 11:17 AM [NY time] |
| BlackMatter | You either, you tried to do it on Sunday but you know what has happened. | 10 Sep, 11:19 AM [NY time] |
| Victim | We are restoring. I’m gonna go talk to the management. | 10 Sep, 11:23 AM [NY time] |
| BlackMatter | https://ibb.co/[redacted] | 10 Sep, 11:24 AM [NY time] |

REvil

| party | content | timestamp |
| --- | --- | --- |
| Victim | Hi. So how can you help? | 25 days ago |
| REvil | The system works as follows: you transfer the amount in crypt currency Monero (XMR) to the wallet specified on your page.<br>After payment you receive:<br>– Universal decryptor for your all network<br>– The complete deletion of all your files with our warranty not to use the data for any purpose.<br>– Deleting blog<br>– 100% confidentiality of this incident and all terms of the transaction on our part. | 25 days ago |
| Victim | How do we know that what you have is worth the money? | 24 days ago |
| REvil | Wait for answer. | 23 days ago |
| Victim | Waiting | 23 days ago |
| REvil | I provide you additional proofs below and recommend you hurry up with decision, because payment procedure can takes time.<br>If you don’t pay, your files will be published to the blog and shared to media, other data will be sold. Anyway it will influence to your reputation, think about your customers and fines and other troubles waiting for you. We offer you solution to avoid everything of this. | 22 days ago |
| Victim | Password? | 22 days ago |
| REvil | Password: 123123 | 21 days ago |
| Victim | Thanks | 21 days ago |
| REvil | How much time will it take you to make the payment? | 21 days ago |
| REvil | Hello, we are tired of waiting for you, if there is no response from you in a day, we will publish screenshots of some of your files for the media – this will be the first warning for you.<br>But even if it does not affect you, we will publish all your data. We recommend that you make a decision. | 18 days ago |
| Victim | can we get more time ? | 15 days ago |
| REvil | Hello<br>We see no attempts on your part to engage in a serious conversation.<br>If you do not pay, your files will be published on the blog and transferred to the media, the rest of the data will be sold. In any case, it will affect your reputation, think about your clients, fines and other troubles awaiting you. You will not have more time if we do not see the prepayment. | 15 days ago |

Lockbit3.0

| party | content | timestamp |
| --- | --- | --- |
| Victim | [Chat started] | 29.03.2023 15:52:26 UTC |
| Victim | Hello, can someone please help us? We’ve received some calls telling us that our company is posted on some website. We need to talk this through with you but that posting has to be removed before we do. | 29.03.2023 15:52:51 UTC |
| LockBit 3.0 | Hi, yes, we can help. We’ll delete the post now. | 29.03.2023 15:53:37 UTC |
| LockBit 3.0 | Post deleted. To decrypt the data and avoid publication you need to pay us. | 29.03.2023 16:23:44 UTC |
| Victim | How much? | 29.03.2023 16:50:09 UTC |
| LockBit 3.0 | $2,000,000 | 29.03.2023 17:00:24 UTC |
| LockBit 3.0 | We will send you a tree of some of your data that we have downloaded. Select a few files from the list and we will send them to you as proof. | 29.03.2023 17:00:41 UTC |
| Victim | We need to see everything that you took, before we even consider that amount. | 29.03.2023 17:07:34 UTC |
| LockBit 3.0 | Download link: http://lockbitfile2tcudkcqqt2ve6btssyvqwlizbpv5vz337lslmhff2uad.onion/r/VmT_e83d36#JUJA8/mBkFFM00AbKH3NQ05wHAQIVn3XEbo/L6++qg8= | 29.03.2023 17:12:01 UTC |
| LockBit 3.0 | Password: dmCjKu!4oTDl5X@7#OZWI9ESh | 29.03.2023 17:12:26 UTC |
| LockBit 3.0 | The entire list of downloaded data is kept confidential so as not to violate the privacy of the company and the data we downloaded. We do not know exactly who we are negotiating with and will not disclose such information. | 29.03.2023 17:12:42 UTC |
| LockBit 3.0 | time to pay | 04.04.2023 11:21:25 UTC |
| Victim | can you provide these files? | 04.04.2023 15:36:15 UTC |
| Victim | PSE DIRECT DEPOSIT FOR CLIENTS.pdf, Card List 062818.xlsx, AR Aged Trial Balance Xcel Voyager through 08.26.2021.pdf, ReportsDownloaded181219125827.zip | 04.04.2023 15:36:58 UTC |
| LockBit 3.0 | yes | 04.04.2023 15:48:56 UTC |
| LockBit 3.0 | http://lockbitfile2tcudkcqqt2ve6btssyvqwlizbpv5vz337lslmhff2uad.onion/r/josE4h6zkh#BlrARE0XcSZtfAbgoxSLIffrw0yJ+KthTZOKMN8buAk= | 04.04.2023 16:05:36 UTC |
| LockBit 3.0 | time to pay | 10.04.2023 12:38:36 UTC |
| Victim | We’d like to pay but you have to understand that the number you’re asking is totally out of reach for us. We dont have that kind of money, we’re just a small privately owned business. We can’t afford anything near that number. | 10.04.2023 14:30:58 UTC |
| LockBit 3.0 | We know exactly what kind of company you are, we have studied you. In addition, we have a lot of your data. You are a multimillion-dollar company that can afford that amount. The only question is whether you are willing to pay damages and losses after your data is published. If you continue to negotiate like this, we will go nowhere and we will be forced to go public. | 10.04.2023 14:40:59 UTC |
| Victim | We’re not sure what you’re looking at, but we have not been doing as well as we were in the past. $2 million isn’t something we can afford to lose, nor something we have on hand. We want to make a deal and still need your help with our files, but if we could work towards a more affordable price that would really help things move faster for both of us. | 10.04.2023 16:59:27 UTC |
| LockBit 3.0 | And we are not sure of your interest in making a deal.Therefore, we will not give you a discount at this stage. | 10.04.2023 17:48:28 UTC |
| Victim | We also are not sure of your interest in making a deal, we’ve stated several times that we can’t afford $2 million yet you haven’t been willing to provide us with a lower number. | 11.04.2023 14:16:50 UTC |
| LockBit 3.0 | Then change the negotiator or invite a more interested person in resolving the issue.Who will not waste time.It is extremely stupid to ask for a discount on nothing, not offering anything in return.Right? | 11.04.2023 14:23:34 UTC |
| LockBit 3.0 | You want a discount, we can give you a discount of 1%. It’s a good discount. And the amount will be less than $ 2000000, pay. You have achieved what you wanted. The next step is up to you. Waiting for payment \ | 11.04.2023 14:25:14 UTC |
| LockBit 3.0 | when will you pay? | 14.04.2023 16:13:20 UTC |

Qilin

| party | content | timestamp |
| --- | --- | --- |
| Qilin | Hello. I’m here. How can I assist you? | |
| Victim | Hello? | 3.02.2025 22:39:55 |
| Qilin | Your company’s network is attacked and the entire system is encrypted. We have downloaded all the company’s confidential data. After payment you will receive.<br>1. Decryption tool for all devices<br>2. Complete list of files taken from the network.<br>3. Proof that all your data has been deleted.<br>4. Information about how we got into the network.<br>5. Security recommendations to stop future attacks.<br>6. Promise that we will not attack you again in the future.<br>7. Guarantee that we will forget about this incident. | 3.02.2025 22:56:43 |
| Victim | ok, what do we need to do? | 4.02.2025 14:38:51 |
| Qilin | We will provide the list of files what we took from you as soon as possible and you can offer 3 names of files from it and we will provide them as a proof of availability. Also you can send 3 encrypted files and we will decrypt them as a proof that our decryption tool really works. But these files must not contain a valuable information. | 4.02.2025 15:22:44 |
| Qilin | file tree.txt (0.232 MB) | 4.02.2025 21:1:24 |
| Victim | Thank you, I’ll review and pick out some files | 5.02.2025 13:33:45 |
| Victim | Please provide us with copies of the following files:<br>– [redacted].xls<br>– [redacted].pdf<br>– [redacted].docx | 6.02.2025 21:47:33 |
| Qilin | We will do it as soon as possible. | 6.02.2025 21:56:52 |
| Qilin | [redacted].docx (0.032 MB) | 6.02.2025 23:16:34 |
| Qilin | [redacted].xls (0.039 MB) | 6.02.2025 23:17:11 |
| Qilin | [redacted].pdf (0.484 MB) | 6.02.2025 23:17:24 |
| Victim | ok, so next I’m supposed to send you encrypted files? How am I supposed to get to those when you’ve encrypted the server? | 7.02.2025 22:41:36 |
| Qilin | In order for you to make sure that we can really help you decrypt all your files and prevent all your information from going online – you can offer us some test files … and we will decrypt them. After full payment you will get a full activation key to your computers and forget about us forever. | 7.02.2025 22:46:12 |
| Victim | ok, I need to get with our team when they’re back on Monday to see what we’re able to get and send to you | 8.02.2025 21:18:21 |
| Qilin | On Monday we are waiting. | 8.02.2025 21:34:31 |
| Victim | What kind of files are we allowed to upload? All we’ve been able to get are some encrypted log files, will that work? | 10.02.2025 22:33:30 |
| Qilin | You can select 2-3 random files from the list, and we will upload them to this chat as proof of availability. To prove that we can decrypt your data correctly, you can upload 2-3 encrypted files to our chat, and we will upload the decrypted copies back | 10.02.2025 23:55:52 |
| Victim | Please decrypt the following files: | 11.02.2025 3:7:3 |
| Victim | [redacted] (0.555 MB) | 11.02.2025 3:7:18 |
| Victim | [redacted] (0.238 MB) | 11.02.2025 3:7:32 |
| Victim | [redacted] (0.239 MB) | 11.02.2025 3:7:43 |
| Qilin | [redacted].log (0.551 MB) | 11.02.2025 10:47:46 |
| Qilin | [redacted].log (0.234 MB) | 11.02.2025 10:47:53 |
| Qilin | [redacted].log (0.234 MB) | 11.02.2025 10:47:57 |
| Victim | Thank you. We are considering your demands, is there any way you could provide a discount to your price? | 12.02.2025 14:7:45 |
| Qilin | As a sign of goodwill and quick closing of the deal, we are ready to give a 10% discount and stop at the price of 63,000 dollars. You can pay this amount as we have reviewed your financials. Talk to the management and pay, after payment you will get everything you agreed on. | 12.02.2025 14:10:48 |
| Victim | Understood. If we only require either the decryptor or confidentiality, would the cost be adjusted accordingly? | 13.02.2025 13:48:56 |
| Qilin | Understand that we don’t have something that requires you to pay separately for something. Any payment includes all our terms and conditions. It depends whether you need decryption or not. Should your data be deleted or not, etc. Everything is included in the complex. Hurry up, there is very little time left. | 13.02.2025 13:51:54 |
| Victim | That makes sense. We have some key decision makers that are flying in to discuss your deal. We expect to have an update for you early next week. | 14.02.2025 15:16:43 |
| Qilin | As we see that you are interested in making a deal as soon as possible, we do for you an exception and extend the timer till the 19th of February for you to make a decision with your management and inform us about the payment. Please, don’t delay with it, otherwise we will return with the tools which are stronger. You must understand that as the timer will expire we will post your files on our blog. | 14.02.2025 16:16:45 |
| Victim | Our apologies, we are awaiting a decision from leadership. Can we have one more day to consider your offer? | 19.02.2025 17:4:56 |
| Qilin | we extended the timer for 24 hours. | 19.02.2025 17:8:38 |
| Qilin | So you just had a meeting about finances. What do you have to offer? We are willing to make an additional discount and accept payment from you today. The price will be 60,000 dollars. That’s a very good discount. We’re ready to make the deal today and start rebuilding you. It’s up to you. Time is running out today. | 20.02.2025 18:27:40 |
| Qilin | We see that you are not interested in the security of your patients and choose to play the silent way. Tomorrow we will publish a press release about you on our blog, and in a couple more days all of your data will become public. You still have time to start collaborating and do it without any attention from the press and the public. | 26.02.2025 12:58:15 |
| Qilin | http://ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd.onion/site/view?uuid=[redacted] | 26.02.2025 12:59:41 |

Conti

| party | content | timestamp |
| --- | --- | --- |
| Victim | Hi<br>Are you there? I need your help urgently kindly reply me. My system is behaving abnormally after infected by your ransomware. | 2/9/2021, 9:38:39 AM |
| Conti | Yes, we are here. Will provide further details within next few minutes. | 2/9/2021, 9:48:37 AM |
| Conti | As you already know – your network and all of your data were encrypted by CONTI team. Besides the encryption process we’ve downloaded a large pack of your internal documents and files that will be published in case our negotiations fail. How it happens can be seen on our website https://continews.best/ (TOR mirror: http://fylszpcqfel7joif.onion). The recovery price is $850000 in bitcoin. If you want to make sure we can recover all of your data – you can send us the two files of your choice and we will decrypt them free of charge. If we reach mutual agreement you will be provided with decryption tool, none of your internal data will be published and you will be provided with security tips on how to avoid further breaches. We strongly recommend to review our offer in a timely manner, you’ve waited too long to contact us and the press-release is already ready for publication. | 2/9/2021, 9:52:32 AM |
| Victim | Please don’t publish our data anywhere | 2/9/2021, 10:01:20 AM |
| Victim | Tell me your demand how we can fix this thing? | 2/9/2021, 10:01:58 AM |
| Conti | Please read the previous message once again. The recovery price is $850000 in bitcoin. | 2/9/2021, 10:13:15 AM |
| Victim | It’s so much? No Discount? | 2/9/2021, 10:19:00 AM |
| Conti | You have been waiting to contact us for about three weeks while ignoring our emails and still ask for a discount? It’s a luck that your data isn’t published yet. It’s way past the deadline. | 2/9/2021, 10:21:54 AM |
| Victim | I know that I wasted so much time in thinking whether to pay or not but now I am ready to do payment at least provide some discount please | 2/9/2021, 10:27:03 AM |
| Conti | We can provide a 25% discount by going down to $635k if the payment will be made by the end of this week. | 2/9/2021, 10:29:57 AM |
| Victim | Ok I am ready with this price tell me where I have to pay? | 2/9/2021, 10:37:06 AM |
| Conti | The btc wallet for the payment is : [redacted]<br>Let me know as soon as the payment is made. | 2/9/2021, 10:40:54 AM |
| Victim | Thanks for the discount. Just want to ask one thing. Is your bitcoin address correct? I am getting issue while doing payment on your given address | 2/9/2021, 10:58:53 AM |
| Conti | Yes, it is correct, but it’s a segwit address. I will provide a new one within few minutes. | 2/9/2021, 11:00:23 AM |
| Conti | You can use this one : [redacted] | 2/9/2021, 11:01:23 AM |
| Victim | Thanks but it’s not working is it segwit address or what? both the address are throwing same error. Might be because your address is new or created on blockchain and due to that I am getting the error. | 2/9/2021, 11:07:11 AM |
| Conti | It is a new address, but that should not be an issue. What’s the error code? | 2/9/2021, 11:10:41 AM |
| Victim | Error code is “Transaction Server Failed” Might be because your address is new and empty. If you can provide me another address that have some balance probably it will work sometimes it happened due to zero or null value in blockchain if I am not wrong | 2/9/2021, 11:15:17 AM |
| Conti | Try this one : [redacted] | 2/9/2021, 11:18:14 AM |
| Victim | Thanks for your kind support but I think segwit it creating some issue can you provide non-segwit & non-empty address. | 2/9/2021, 11:21:52 AM |
| Conti | Give me few minutes, I will try to find one. | 2/9/2021, 11:28:50 AM |
| Victim | Ok no issue & Thanks once again for the discount | 2/9/2021, 11:29:41 AM |
| Conti | That’s not a common issue, have you tried to increase the fee? The blockchain network seems pretty busy today. | 2/9/2021, 11:30:53 AM |
| Victim | I tried but it doesn’t work for me. I know sometimes it happens in blockchain due to network issue so, I am not blaming you | 2/9/2021, 11:33:48 AM |
| Victim | Btw Thanks for your amazing support service I thought that ransomware guys never respond properly but after talking to you I was wrong | 2/9/2021, 11:34:50 AM |
| Conti | Glad to hear it. I am trying to find a suitable legacy wallet, but the fact is that we almost never use them, so it might take some time. Anyways, if you will be able to transfer the funds to any of the above wallets we will accept the deposit and provide you with a decryptor. Those three wallets are static and under our control. | 2/9/2021, 11:37:05 AM |
| Victim | Meanwhile I will try no issue I understand your situation. If you have some more addresses and don’t have any problem I will try on others if it works I will let you know | 2/9/2021, 11:38:57 AM |
| Victim | [redacted] kindly check the payment on this address I just tried again I think funds has been transferred | 2/9/2021, 11:43:32 AM |
| Victim | No need to check on that address again I got the error message | 2/9/2021, 11:47:22 AM |
| Conti | [redacted] – try this. | 2/9/2021, 11:54:15 AM |
| Victim | Same thing happening… you don’t have legacy address with some balance. Blockchain network facing load issue I believe | 2/9/2021, 11:57:36 AM |
| Conti | They are accumulated, so it basically has the parent balance. Nevermind, it seems to be a network issue due to high load, so let’s just wait a bit and keep trying within some interval. | 2/9/2021, 12:01:02 PM |
| Victim | No Issue, I was also thinking the same I will try it like this only | 2/9/2021, 12:03:37 PM |
| Victim | Can I ask few questions if you don’t have any problem to answer? I am very curious to know about few things | 2/9/2021, 12:04:11 PM |
| Conti | Sure, go ahead. | 2/9/2021, 12:07:14 PM |
| Victim | Like why you started this ransomware business? How much you earned in this business? | 2/9/2021, 12:09:03 PM |
| Conti | Oh, “those” questions. Unfortunately we have no interest in giving interviews, although the answers for both questions are pretty obvious, right? | 2/9/2021, 12:11:38 PM |
| Victim | I know that everyone wants money whether it’s you or me or anyone else this life runs on money. Without money no one can survive | 2/9/2021, 12:13:36 PM |
| Victim | But do you think is this good business anyone can do it very easily because I talk to other people’s they always said that ransomware guys earns lots of money. After wannacry cyber industry is changed | 2/9/2021, 12:15:16 PM |
| Conti | I cannot provide any non-speculative answer to this question cause it’s connected to an ongoing business enterprise. For now it seems to me like I am giving a public interview and as I have already told – we have no interest in spreading our position or opinion. Although I can provide you with some personal view of the situation after the payment is received and I become confident on whom I am speaking to. | 2/9/2021, 12:27:44 PM |
| Victim | Ok no worries I understand | 2/9/2021, 12:37:35 PM |
| Conti | I have to go offline for a while, let me know if you succeed with the payment. Seems like the bitcoin pools are feeling better based on the fact that we’ve managed to make several transactions today. All the provided wallets will be valid for the next 24 hours so you can choose any of them. | 2/9/2021, 5:02:10 PM |
| Conti | Any success with the payment? | 2/10/2021, 10:11:21 AM |

Conti example 2

| party | content | timestamp |
| --- | --- | --- |
| Victim | [redacted]: Please contact me as soon as possible. [redacted]@gmail.com | 1/7/2021, 9:58:18 PM |
| Victim | [redacted]: readme.txt [ 866B ] | 1/7/2021, 10:17:21 PM |
| Conti | Support: Hi. Could you introduce yourself? | 1/7/2021, 10:20:01 PM |
| Victim | [redacted]: My name is [redacted] and I got a message to contact you in regards to an encryption on my computer. | 1/7/2021, 10:20:44 PM |
| Victim | [redacted]: are you the person I need to contact to help me? I sent my email and name to you as you asked. | 1/7/2021, 10:28:29 PM |
| Conti | Support: Your network was ATTACKED, your computers and servers were LOCKED.<br>Take into consideration that we have also downloaded data from your network that in case of not making payment will be published on our news website. After the payment you will get decryptor to all your systems, full file tree of downloaded data, non-recoverable deletion with proof log and security report on how you were hacked.<br>We downloaded all employees private info, company’s financial documents and etc. In case of not making payment will be also published.<br>More than terabyte of private information has been downloaded from your servers. Including financial data of your company, personal data of your employees and their family members, company agreements, and most importantly. | 1/7/2021, 10:37:50 PM |
| Victim | [redacted]: What do I need to do? | 1/7/2021, 10:40:30 PM |
| Conti | Support: Overall price is $900,000. For this price you will get everything mentioned above. Please pass this information on to your management. In the future, we are ready to communicate only with the representative who can make such decisions. We are ready to provide you with a small set of files from different servers of your company. | 1/7/2021, 10:43:31 PM |
| Victim | [redacted]: I am authorized to speak on behalf of the company. Are you the person who sets this price for regaining access to everything? | 1/7/2021, 11:03:50 PM |
| Victim | [redacted]: hello, are you still there? | 1/7/2021, 11:46:28 PM |
| Victim | [redacted]: Is there anyone there? Please at least email me at [redacted]@gmail.com so I can continue to work through this with you. | 1/8/2021, 1:50:15 AM |
| Conti | Support: We are here. | 1/8/2021, 2:41:32 PM |
| Conti | Support: Are you ready to transfer money? | 1/8/2021, 2:41:45 PM |
| Victim | [redacted]: Yes. I would like to fix the problem but I don’t have this amount of money. Please tell me how we can resolve. | 1/8/2021, 5:27:46 PM |
| Conti | Support: According to the public records your revenue is [more than 30],000,000$, so this price is reasonable.<br>https://www.dnb.com/business-directory/company-profiles.[redacted].html<br>Also you should remember that the price is much cheaper then you will pay lawsuits, that your clients will send you and government fines, because you have lost so much of their data. | 1/8/2021, 5:37:26 PM |
| Victim | [redacted]: We would like to fix this problem but we have been out of service during Covid and do not have this amount of money. I am trying to fix and please let me know what we can do. | 1/8/2021, 7:09:42 PM |
| Conti | Support: What is your best proposal? | 1/8/2021, 7:12:28 PM |
| Victim | [redacted]: I have the ability to send 20,000 as soon as I can transfer money. I would like to get this fixed and please let me know if we can get this fixed. | 1/8/2021, 7:40:16 PM |
| Victim | [redacted]: How can we test to see if this can be fixed? | 1/8/2021, 7:41:25 PM |
| Conti | Support: We could not accept that offer, but we could reduce the price and give you the new one 800,000$.<br>We could decrypt 1-2 files as samples. | 1/8/2021, 8:04:33 PM |
| Victim | [redacted]: [redacted].docx.[redacted] [ 15kB ] | 1/9/2021, 6:56:50 PM |
| Victim | [redacted]: [redacted].docx.[redacted] [ 13kB ] | 1/9/2021, 6:57:02 PM |
| Victim | [redacted]: Here are two samples. Can you open them? | 1/9/2021, 6:57:23 PM |
| Conti | Support: Yes. But today is weekend and we will decrypt them tomorrow. | 1/10/2021, 2:58:04 PM |
| Victim | [redacted]: We are not comfortable paying until you are able to decrypt these samples. Did you take data from us as well? We have a small window of time where buying your keys is useful as we are working on a rebuild. We have a meeting early tomorrow morning, so I will ask you send us: 1) your nest offer, 2 proof that you can decrypt, 3 proof of whatever you claim you stole.<br>$800,000 is still an insane price for us, so if you want us to even consider this, please be realistic. Please send us #1, #2 and #3 as soon as you can. Thank you. | 1/10/2021, 5:50:21 PM |
| Victim | [redacted]: Are you there? Can you decrypt my files? What files did you take? I’m willing to pay you very quickly to unlock my files, but $800k is impossible. If you can prove these things and offer a realistic price, I’ll pay you right away. Thank you. | 1/11/2021, 5:07:22 AM |
| Conti | Support: Yes. We are here and provide samples very shortly. | 1/11/2021, 3:54:31 PM |
| Conti | Support: The price is more then realistic for company with so revenue. What is your best proposal? | 1/11/2021, 3:55:13 PM |
| Conti | Support: [redacted].docx [ 12kB ] | 1/11/2021, 4:07:33 PM |
| Conti | Support: [redacted].docx [ 15kB ] | 1/11/2021, 4:07:39 PM |
| Victim | [redacted]: Thank you. I’m waiting for information about what files you took. Regarding our revenue, if this happened last year at this time, paying this much wouldn’t have been a problem. But with the pandemic and financial crisis, people just aren’t buying cars. We have a large inventory that isn’t selling and by holding onto this inventory like we are, we’re actually losing more money than making money. It will take us months to crawl out of this problem to start making a profit. Revenue is not profit, as you know. | 1/11/2021, 4:08:24 PM |
| Conti | Support: The static shows opposite. A lot of sources say that people start to buy cars more, because of pandemic. Anyway what is your best proposal? | 1/11/2021, 4:14:15 PM |
| Victim | [redacted]: The boss is meeting his financial advisor to find out how much we can afford to pay. I’ll let you know. In the meantime, since you say you took files from us, are you able to show us? | 1/11/2021, 4:18:51 PM |
| Conti | Support: Yes. We could forward you several samples. | 1/11/2021, 4:26:30 PM |
| Victim | [redacted]: Thanks. If the price is something we can afford and we can pay, what do we get? | 1/11/2021, 4:28:31 PM |
| Conti | Support: We wrote you previously.<br>We will give you decrypt tool for all your machines, security report on how you were hacked, file tree on what we have downloaded from your network and wiping log of that information. | 1/11/2021, 4:41:00 PM |
| Conti | Support: Here is several samples:<br>https://www.sendspace.com/file/[redacted]<br>https://www.sendspace.com/delete/[redacted]<br>pass [redacted] | 1/11/2021, 5:38:17 PM |
| Victim | [redacted]: Thanks. Is this all you took? | 1/11/2021, 5:46:39 PM |
| Conti | Support: NO. We took much more, around 1 terabyte. We wrote that previously too, including the data of clients and employees. | 1/11/2021, 5:51:39 PM |
| Victim | [redacted]: What computers did you take files from? 1 tb is a lot of files. Why only 7 files as proof? | 1/11/2021, 6:57:32 PM |
| Conti | Support: It is more then enough. You should understand that downloading data is very easy process when you have an access to the whole system. | 1/11/2021, 7:07:31 PM |
| Victim | [redacted]: Can you let me know what computers files came from? Or provide a list of files? | 1/11/2021, 7:10:35 PM |
| Conti | Support: It is impossible to make so big list. We will try to make a list of servers and desktops. | 1/11/2021, 7:32:11 PM |
| Conti | Support: [redacted].[redacted].local<br>[redacted]ToyDC01.[redacted].local<br>[redacted]GMCDC01.[redacted].local<br>[redacted]oloDC01.[redacted].local<br>[redacted]HonDC01.[redacted].local<br>[redacted]ingDC01.[redacted].local<br>[redacted]MazDC01.[redacted].local<br>[redacted]aprdc01.[redacted].local<br>[redacted]lbqDC01.[redacted].local<br>[redacted]IFP.[redacted].local<br>[redacted]oloHV01.[redacted].local<br>[redacted]oloAPP01.[redacted].local<br>[redacted]oloEX02.[redacted].local<br>[redacted]ways.[redacted].local | 1/11/2021, 7:42:10 PM |
| Victim | [redacted]: Are these the computers you took files from? | 1/11/2021, 7:51:27 PM |
| Conti | Support: NO. That is just a list of servers. We did not make a list of desktops, we usually took from all. | 1/11/2021, 7:56:15 PM |
| Victim | [redacted]: Okay. Of all these 1 TB of files you took, you can only show me 7 files? | 1/11/2021, 7:58:26 PM |
| Victim | [redacted]: We’re working on how much we can afford to pay you, but my boss is asking for some more information. Are you able to send some more files? 7 files is a tiny amount when you say you took 1 TB. | 1/12/2021, 4:05:08 PM |
| Conti | Support: Here is several more files:<br>Download: https://qaz.im/load/[redacted]<br>Delete: https://qaz.im/index.php?a=delete&q=[redacted]<br>pass [redacted] | 1/12/2021, 5:43:18 PM |
| Victim | [redacted]: We reviewed the financials and we can pay you $72,380, but only if you promise to make all our files open and usable again and give back all the files you took. | 1/13/2021, 4:28:44 AM |
| Conti | Support: That is not enough. We could reduce the price and give you a new offer 700,000$. You should remember that the price is much cheaper then you will pay lawsuits, that your clients will send you and government fines, because you have lost so much of their data (Ids, ssn, credit cards). | 1/13/2021, 9:35:25 AM |
| Victim | [redacted]: I can see why you would think that. In reality, regardless if the files you took end up on your news site or not, I still have the same legal requirements and exposure. This was the case the second the files were taken, not if the files get posted or not. I have already begun the notifications to everyone whose data was affected, so it doesn’t matter if the files are posted or not. Now, would I prefer the files not be posted, of course I would. Only because I care about my employees and my customers. | 1/13/2021, 1:54:23 PM |
| Victim | [redacted]: You need to understand that the reason I’m here is to get my files unlocked. I’m already taking a huge financial hit taking care of the legal notifications and the fees associated with that. I just want my files back and unlocked. | 1/13/2021, 1:54:55 PM |
| Victim | [redacted]: I spent all weekend with my finance guy reviewing the accounts and savings and were able to pull together $72,380. Business has not been good during the past year and what you’re asking for is impossible. With COVID and the financial crisis, many people are out of work and aren’t making large purchases. The people who are lucky enough to still have jobs are working from home and aren’t buying new cars. I know you are the only person who can unlock the files, so this is why I’m willing to pay you the $72,380 that I have left. You can understand my situation, right? | 1/13/2021, 1:55:58 PM |
| Conti | Support: We don’t think, that our estimates are incorrect. Your financial reports are somewhat more reliable, than your word here and now. And your proposal here is just from the textbooks – ten times less, than our initial demand. It seems, that you do not understand, how works our group. We don’t ask $20 millions, to receive our demand of $750,000. So you should understand, that our team have plenty of projects running, and yours – just one from many. If we don’t reach an agreement, we’ll just shorten our profit. | 1/13/2021, 2:04:37 PM |
| Conti | Support: Also, your notifications will not save private data of your employees and customers, it will be used long time in many bad purposes. Think about your reputation, which will be damaged in so hard times for business. | 1/13/2021, 2:06:02 PM |
| Victim | [redacted]: I understand what you’re saying and know you are a famous group. I have Googled you and know you are professionals. I know you do this all the time, but please put yourself in my shoes for a moment. There is nothing textbook about this. Nobody saw this pandemic and financial crisis coming. I had no idea that 2020 was going to be as bad as it was. I still have inventory on my lot from 13 months ago. That’s unheard of in my business! I’m hoping 2021 turns around and is better, but until then, I’m just trying to survive. Car dealerships are very low margin, meaning that if I’m able to sell a few cars, the revenue doesn’t necessarily cover my bills or employee salaries. I need to sell a certain level of inventory to make a profit and most months I didn’t. I’ve had to furlough employees just to try to keep the dealership open. I’m willing to do whatever it takes and to work with you for as long as it takes, but I only have $72,380 that I can pay you to unlock my files. | 1/13/2021, 2:28:53 PM |
| Conti | Support: Of course, we understand, that your work here is not easy and requires efforts to convince your board members. But we are still far from agreement. Our estimates are still much higher, than your proposal. We hope, that you will give us better price. And since it is our mutual interest to speed up our negotiations as much, as we can – take more serious steps toward us. It would be much easier than for us to make steps to you in response. | 1/13/2021, 2:32:27 PM |
| Victim | [redacted]: I want to get you your money to get my files back. I know you put time and effort into this and want to get paid. We both want the same thing here. You see this, right? The only obstacle that I have that I need your help with is the high price. I just don’t have that much. I worked to get $72,380 from my accounts to pay you. | 1/13/2021, 5:10:40 PM |
| Conti | Support: That is not enough. There is many ways how you could get additional funds. You could apply on the loan in the bank or take out your savings or cut expenses or sell something and etc. You are just wasting time now. | 1/13/2021, 5:45:36 PM |
| Victim | [redacted]: I don’t understand why the price is so high. You obviously know what my financial situation is and know that I can’t possibly afford to pay you this much. For a bank to give me a loan, they’ll examine my current situation, look at my debt to income ratio and see if I’m actually profitable. I already know what they’re going to tell me. I’m too risky. Can’t we skip all of this time wasting and let me pay you? | 1/13/2021, 6:10:51 PM |
| Conti | Support: OK. We could reduce the price and offer the new amount 500,000$. The price is more then reasonable for that data and your reputation. | 1/13/2021, 6:12:42 PM |
Victim[redacted]: How is asking for over $400k more than what I can afford to pay you help our situation?1/14/2021, 2:33:42 AM
ContiSupport: We told you above that there is several ways to find additional funds.1/14/2021, 9:40:32 AM
Victim[redacted]: I’m meeting with a loan officer at the bank today.1/14/2021, 2:50:34 PM
ContiSupport: Keep updating us please.1/14/2021, 4:49:44 PM
Victim[redacted]: Good news. We were approved for a loan for the amount of $45,500. This makes the total amount that I can pay you $117,880. I requested $400k, but due to my debt-to-income ratio and current liabilities, $45,500 is the most they could approve for me. I have contact other lending firms and they all tell me that’s the most I can be approved for, based on my credit and current financials.1/14/2021, 7:39:42 PM
Victim[redacted]: We’ve been at this over a week now. We both want the same thing, a payment to get data back. I’ve done all I can at this point. Please, can we agree so I can pay you? This is why you did this, right?1/14/2021, 7:40:24 PM
ContiSupport: We need some time to discuss this offer.1/14/2021, 8:53:19 PM
Victim[redacted]: This is a long holiday weekend and if I can’t pay soon, I won’t be able to until mid-next week.1/14/2021, 8:57:44 PM
ContiSupport: We could the offer today but it should be more profitable. We could give you some more discount and offer new price 400,000$.1/14/2021, 9:52:12 PM
Victim[redacted]: I don’t understand. I’ve pulled all the cash from out of the business and I put my neck out on the line for a loan to come up with $117,880. I don’t have any other options. $400k is impossible for me. I can pay you $117,880 right away. It will take weeks or months before I can pay anything close to $400k.1/14/2021, 10:03:01 PM
Victim[redacted]: Are you there? Please let me know if I can pay you $117,880. I understand that you want to make good money for your work, but this is as much as I can possibly pay. I can’t get another loan. 1/14/2021, 10:34:59 PM
ContiSupport: We looked through your finance records, bank accounts and know that you have more available funds. We are ready to give you some discount, but that price is not reasonable. We own a lot of private data which cost much more. 1/15/2021, 2:21:25 PM
Victim[redacted]: I had to meet with a loan advisor to get more funds to pay you. I want to fix this problem and work with you but I can’t afford any more than $117,880. This is all I have. We have been out of service during Covid and I can’t come up with any more money. 1/15/2021, 4:03:24 PM
ContiSupport: You have more funds on your accounts. 1/15/2021, 4:37:38 PM
ContiSupport: We are ready to accept 200,000$. 1/15/2021, 5:11:18 PM
ContiSupport: Are you ready to pay? 1/15/2021, 8:54:27 PM
Victim[redacted]: I need to meet with the bank to see what my options are and how much more I can borrow. Monday is a federal holiday and the bank is closed. I’ll meet with them first thing in the morning on Tuesday and I’ll let you know. 1/16/2021, 8:56:24 PM
Victim[redacted]: How do I pay you? Would the bank pay you? 1/16/2021, 8:56:46 PM
ContiSupport: We accept only bitcoins. 1/18/2021, 8:39:35 AM
Victim[redacted]: Okay I’ll start looking into bitcoin as well. I’ll have an update tomorrow 1/18/2021, 3:44:26 PM
ContiSupport: There is several ways how you could exchange funds. You should check google and choose the most convenient for you. 1/18/2021, 4:13:13 PM
Victim[redacted]: I found a good bitcoin site. I have a call with the bank in a little bit and I’ll let you know how it goes. 1/19/2021, 3:09:30 PM
ContiSupport: OK. Keep updating us please. 1/19/2021, 3:13:24 PM
Victim[redacted]: It took some convincing, but I was able to get a $27,000 addendum to my previous loan. With the total loan amount of $72,500 and everything from my accounts, I can pay you $144,880. I have a bitcoin wallet account all set up and ready to use. 1/19/2021, 4:05:11 PM
ContiSupport: We reduce price as much as we can. We totally sure that you had sales during this time, so you have sources from where you could add funds. 1/19/2021, 4:16:58 PM
Victim[redacted]: There have been no sales since this attack. You have locked up all the computers, leaving me not able to operate at all. This is why I’ve been working on getting a loan and begging and borrowing money from anyone I can. 1/19/2021, 4:20:21 PM
ContiSupport: We went as low as we could. The price is little more than 20% from starting amount. It is very huge discount, especially if we remind that we own a lot of valued documents, credit cards and etc. We could not cut our profit anymore. 1/19/2021, 4:29:44 PM
ContiSupport: I made a request to my managers about additional discount anyway. 1/19/2021, 4:37:32 PM
Victim[redacted]: Thank you. I really want to pay you to get my computers unlocked. 1/19/2021, 4:41:59 PM
ContiSupport: We understand that and that’s why we gave you so huge discount. We do not have purpose to ruin your business. 1/19/2021, 4:51:53 PM
Victim[redacted]: I understand. We both want the same thing. We both want a payment so I can get my files back. I’m short $55k and have no other options. 1/19/2021, 5:00:46 PM
ContiSupport: We are ready to reduce a little more a price. The new offer is $185,00. 1/19/2021, 5:28:39 PM
Victim[redacted]: Okay, thank you. I’ll need more time to find the funds. In addition to getting my files unlocked, what else does a payment get me? 1/19/2021, 5:50:16 PM
ContiSupport: We will return all your data and provide security report. 1/19/2021, 7:05:45 PM
Victim[redacted]: What about the files you took? You will give that back as well? How does that work? Will you be able to provide proof that you deleted all the files? 1/19/2021, 10:52:26 PM
ContiSupport: We will give you all files and delete them from the cloud. It is not a problem. We never treat clients who paid us, we play only fear games. 1/20/2021, 2:11:45 PM
Victim[redacted]: I’m trying today to collect more money for you. 1/20/2021, 5:55:49 PM
ContiSupport: OK. Keep updating us please 1/20/2021, 7:14:51 PM
Victim[redacted]: I’m sorry to say this, but I still only have $144,880. I’m short a little more than $55k. The bank refuses to lend me more. I tried a couple special financing companies, but after running my credit, refuse to lend me any funds. I’ve asked friends and family and all are hurting more than me and can’t help. I just don’t know what to do now. 1/20/2021, 11:43:15 PM
ContiSupport: OK. So we could split the payback. You pay us what you have now and we provide you the decrypt tool. After you pay the rest, we provide your data back. 1/21/2021, 10:42:26 AM
Victim[redacted]: I don’t feel comfortable splitting up the payments. I rather pay you once and be done forever. 1/21/2021, 3:32:34 PM
Victim[redacted]: I know you must do this all day, but I just don’t see how $144,880 isn’t enough to unlock my files. 1/21/2021, 3:34:42 PM
ContiSupport: It is not enough compare to your revenue and data which we got from you. So you could use this option and pay in two steps. You could start to work properly even today and find the rest very fast. 1/21/2021, 3:50:03 PM
Victim[redacted]: I’ll need more time to collect more money. I don’t have a lot of options left. The business is closed down because of this attack. I’ll see what I can do. If I can’t pay, can I come back here in a couple of months when I have the money? Will you still be here? 1/21/2021, 3:57:43 PM
ContiSupport: We could not wait also. Why could you just split the payback and start to work today? 1/21/2021, 4:08:56 PM
Victim[redacted]: Because I’m scared to death about paying all I have today and this still going on. No offense to you at all when I say this, but this has been the worst experience of my life. All I want is for this to be over. The stress and anxiety has been unbearable. 1/21/2021, 4:15:41 PM
ContiSupport: We understand that and this is a reason why we gave so huge discount and offer you to split the payment. It is good option for you. The company will start to work today and you could earn the little rest very fast. 1/21/2021, 4:27:53 PM
Victim[redacted]: I’m working on collecting more money for you today. 1/21/2021, 4:33:10 PM
Victim[redacted]: Okay, I got $162,792. This is from an extra $17,912. $9,500 was from a personal loan, $3,655 is from personal savings and $4,757 is from a collection the workers did. This puts me at $162,792 that I can pay you. I literally have nothing else to give. I owe a huge debt of gratitude to my workers for their help and need to pay them back ASAP. I have a bitcoin wallet account ready, all I need to do is transfer the funds from the bank. Please let me know. 1/21/2021, 7:58:48 PM
ContiSupport: OK. We could accept that price. Here is the wallet:
[redacted]
1/21/2021, 8:06:45 PM
Victim[redacted]: Thank you. I’m working on getting the money transferred from my bank to the bitcoin account. 1/21/2021, 9:10:55 PM
Victim[redacted]: After I pay, you will give me a tool to unlock all my files, right? You will also give back all the files you took, prove you deleted them and give me information about how you got in so I can make sure this doesn’t happen again? 1/21/2021, 9:12:09 PM
ContiSupport: That is correct. As soon as we receive payment we provide required info. 1/21/2021, 9:14:02 PM
ContiSupport: How is it going so far? 1/22/2021, 2:23:32 PM
ContiSupport: When do you expect to proceed with the payment? 1/22/2021, 5:47:09 PM
ContiSupport: You should confirm the wallet before transfer. 1/22/2021, 10:09:55 PM
Victim[redacted]: Hi. I had trouble with my bank. They didn’t allow me to transfer the funds to my bitcoin wallet because they suspected fraud. I got it cleared up and the wire has started, but it hasn’t arrived yet. Because it didn’t arrive today, it won’t arrive until Monday morning. Is this okay??? Before I transfer the money to you, I will reconfirm your wallet. 1/23/2021, 1:16:17 AM
ContiSupport: OK. Keep updating us please. 1/24/2021, 6:12:43 PM
Victim[redacted]: All ready to send you $162,792. Is your BTC wallet still [redacted]? If it changed, please let me know. 1/25/2021, 3:38:51 PM
ContiSupport: Here is the new wallet:
[redacted]
1/25/2021, 4:16:23 PM
Victim[redacted]: Okay, sending $162,792 to [redacted] 1/25/2021, 4:18:47 PM
Victim[redacted]: Just confirming, [redacted]. You said it’s new, but it’s the same one you provided last week. It’s still the correct wallet? 1/25/2021, 4:22:19 PM
ContiSupport: That is correct. 1/25/2021, 4:30:49 PM
ContiSupport: Did you make a transfer? 1/25/2021, 5:50:09 PM
Victim[redacted]: Yes 1/25/2021, 6:24:16 PM
Victim[redacted]: https://www.blockchain.com/btc/tx/[redacted] 1/25/2021, 6:29:06 PM
Victim[redacted]: Do you see the payment? 1/25/2021, 6:55:03 PM
ContiSupport: We received payment and provide required info shortly. 1/25/2021, 6:57:32 PM
Victim[redacted]: Thanks 1/25/2021, 6:57:56 PM
ContiSupport: 1. The decryption tool uploaded to the cloud. You should launch it with administrator rights and wait until it finishes decryption process.
Download: https://qaz.im/load/[redacted]
Delete: https://qaz.im/index.php?a=delete&q=[redacted]
1/25/2021, 7:34:37 PM
ContiSupport: 2. Here is the web links on your data:
pass: [redacted]
Download: https://qaz.im/load/[redacted]
Delete: https://qaz.im/index.php?a=delete&q=[redacted]
https://www.sendspace.com/file/[redacted]
https://www.sendspace.com/delete/[redacted]
Download: https://qaz.im/load/[redacted]
Delete: https://qaz.im/index.php?a=delete&q=[redacted]
https://www.sendspace.com/file/[redacted]
https://www.sendspace.com/delete/[redacted]
https://www.sendspace.com/file/[redacted]
https://www.sendspace.com/delete/[redacted]
1/25/2021, 7:37:18 PM
Victim[redacted]: 1.rar, [redacted].rar and [redacted]2.rar are empty. Can you send via sendspace? 1/25/2021, 8:01:17 PM
Victim[redacted]: 1.rar has the decryption tool in it. It’s not opening. Please resend via sendspace. Thank you! 1/25/2021, 8:02:10 PM
Victim[redacted]: What is the password for 1.rar? (the decryption tool) 1/25/2021, 8:37:22 PM
ContiSupport: Here is password:
[redacted]
1/25/2021, 8:56:33 PM
Victim[redacted]: Thank you! [redacted].rar and [redacted]2.rar are empty. Can you send via sendspace? 1/25/2021, 8:58:46 PM
Victim[redacted]: Hello? Two of the .rar files you sent via qaz.com were ZERO bytes. Please resend [redacted].rar and [redacted]2.rar via sendspace. Thank you 1/26/2021, 3:38:07 AM