This standard introduction shows a level of professionalism, indicating that the ransomware group uses a standard playbook for negotiating staff. While other ransomware families do not start every conversation with the same introductory message, chat conversations from the ransomware families we analyzed typically include a few key points, which we list here.
What was stolen
While the amount and nature of stolen data varies, it always includes items that are critical to the company, including but not limited to financials, contracts, databases, and employee and customer personally identifiable information (PII). The criminals always offer to decrypt some sample files as proof, and in some cases they will provide a file tree of what has been stolen.
Many victims state that they are willing to pay to decrypt data and prevent it from being leaked, but they simply cannot meet the initial demand. The criminals’ main defense or justification for the price includes either the victim’s bank