DataBreaches.Net


Still think you can negotiate with REvil and get your files back? Read this first.

Posted on June 30, 2021 by Dissent

The government and professionals involved in ransomware incident response have often advised victims not to pay the ransom because even if you pay, you may not get your data back, and you may not get your data deleted by criminals who pinky swear that they will delete it. Then, too, they may pinky swear that they will never attack you again or misuse the data they stole from you, but we’ve seen those promises broken as well.

But if you need another reminder of why not to pay, the following chat log contains excerpts from a recent chat involving a victim who paid REvil, who had promised them a decryptor key, support, and a file tree of all the files REvil had exfiltrated.

After you read the excerpts below, ask yourself whether you think REvil was lying in this interaction when they claimed they had exfiltrated data or whether they were lying later when they claimed that they hadn’t exfiltrated data. And if you don’t know what to believe, what would you do if you find yourself in the victim’s situation next week?

Either way, REvil inflicted self-injury to their reputation by showing that their word could not be relied upon.

The initial demand in the incident below was for $50,000. After some negotiations, it was down to $25,000.

[…]

Victim: OK, let me talk to my boss and get back to you.

Victim: Just so I’m clear that payment would get us a decryptor for all our encrypted computers?

REvil Support: of course

Victim: OK we are working on getting the money together right now. Did you take any files from our computers? And how fast after we pay could we get the decryption software?

REvil Support: few minutes 

Victim: OK thats good to know but my boss still wanted to know about whether or not you guys took our data before we sent the money.

REvil Support: We took your data 

Victim: What did you take?

REvil Support: It will take more than a month to analyze the data. If all you need is a data, leave this chat. 

Victim: We still want to move forward with payment for the decryptor we are just trying to understand what data was taken because it could impact our customers and we care about them. If you can give us a list of files it would help us a lot. Can you confirm that the bitcoin wallet is still [redacted]? Will you help us if something goes wrong with the decryption?

Victim: We want to make payment today if you can confirm the wallet for us. We don’t want to send it to the wrong place.

REvil Support: [wallet redacted] yes it is the right adress 

Victim: thanks for verifying.

Victim: we are getting ready to make payment. Are you able to provide us a Dir listing of what you exfil’d?

REvil Support: of course

[…]

Victim: OK we sent the 0.77 Bitcoin, please confirm as soon as you get it.

REvil Support: confirm  
REvil Support: yes for all network  
REvil Support: waiting 3 confirmations  

Victim: We are trying to decryption tool now. You said before you would provide us with a directory listing of the files you took. Can you send that now?

Victim: We are trying to decrypt systems but you guys changed our domain admin password and we can’t get any further without that. Can you tell us what you changed it to?

REvil Support: wait for answer 

Victim: Did you find the password? We can’t decrypt some systems without it.

REvil Support: wait for answer 

REvil Support: 123456seX 

Victim: That worked thank you. We are still decrypting some of the systems. Do you have a directory listing of the files you took in the meantime?

REvil Support: We did not take any data from you

So REvil lied — either when they claimed they had exfiltrated data or when they claimed they hadn’t.

DataBreaches.net reached out to the company that we think may have been the victim, but the only response received so far was an auto response (no pun intended) offering us a great warranty on a car purchase.

As a reminder, REvil has previously made clear that they do not give victims any of their data back at all. They claim that doing that would violate their privacy policy, but they will give paying victims a file tree showing what was allegedly exfiltrated.

Of course, how would a victim know that REvil didn’t just take a screencap of a directory and grab a few files for proof? Perhaps victims who are tempted to pay ransom because they fear that REvil exfiltrated their files should demand substantial proof of that claim — more than just a handful of files posted as proof of claim.
