{
	"id": "f68cf886-91d5-46dc-8cac-c706b7806122",
	"created_at": "2026-04-09T02:23:55.340058Z",
	"updated_at": "2026-04-10T03:20:57.66015Z",
	"deleted_at": null,
	"sha1_hash": "4824db5afb2fdfd0304f7f782657a928d0af4016",
	"title": "Still think you can negotiate with REvil and get your files back? Read this first. - DataBreaches.Net",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48187,
	"plain_text": "Still think you can negotiate with REvil and get your files back?\r\nRead this first. - DataBreaches.Net\r\nPublished: 2021-07-01 · Archived: 2026-04-09 02:19:38 UTC\r\nThe government and professionals involved in ransomware incident response have often advised victims not to\r\npay the ransom because even if you pay, you may not get your data back, and you may not get your data deleted\r\nby criminals who pinky swear that they will delete it. Then, too, they may pinky swear that they will never attack\r\nyou again or misuse the data they stole from you, but we’ve also seen that happen.\r\nBut if you need another reminder of why not to pay,  the following chat log  contains excerpts from a recent chat\r\ninvolving a victim who paid REvil, who had promised them a decryptor key, support, and a file tree of all the files\r\nREvil had exfiltrated.\r\nAfter you read the excerpts below, ask yourself whether you think  REvil was lying in this interaction when they\r\nclaimed they had exfiltrated data or whether they were lying later when they claimed that they hadn’t exfiltrated\r\ndata.  And if you don’t know what to believe, what would you do if you find yourself in the victim’s situation next\r\nweek?\r\nEither way, REvil inflicted self-injury to their reputation by showing that their word could not be relied upon.\r\nThe initial demand in the incident below was for $50,000. After some negotiations, it was down to $25,000\r\n[…]\r\nVictim: OK, let me talk to my boss and get back to you.\r\nVictim: Just so I’m clear that payment would get us a decryptor for all our encrypted computers?\r\nREvil Support: of course\r\nVictim: OK we are working on getting the money together right now. Did you take any files from our\r\ncomputers? 
And how fast after we pay could we get the decryption software?\r\nREvil Support: few minutes \r\nVictim: OK thats good to know but my boss still wanted to know about whether or not you guys took\r\nour data before we sent the money.\r\nREvil Support: We took your data \r\nVictim: What did you take?\r\nREvil Support: It will take more than a month to analyze the data. If all you need is a data, leave this\r\nchat. \r\nhttps://www.databreaches.net/still-think-you-can-negotiate-with-revil-and-get-your-files-back-read-this-first/\r\nPage 1 of 3\n\nVictim: We still want to move forward with payment for the decryptor we are just trying to understand\r\nwhat data was taken because it could impact our customers and we care about them. If you can give us\r\na list of files it would help us a lot. Can you confirm that the bitcoin wallet is still [redacted]? Will you\r\nhelp us if something goes wrong with the decryption?\r\nVictim: We want to make payment today if you can confirm the wallet for us. We don’t want to send it\r\nto the wrong place.\r\nREvil Support: [wallet redacted] yes it is the right adress \r\nVictim: thanks for verifying.\r\nVictim: we are getting ready to make payment. Are you able to provide us a Dir listing of what you\r\nexfil’d?\r\nREvil Support: of course\r\n […]\r\nVictim: OK we sent the 0.77 Bitcoin, please confirm as soon as you get it.\r\nREvil Support: confirm  \r\nREvil Support: yes for all network  \r\nREvil Support: waiting 3 confirmations  \r\nVictim: We are trying to decryption tool now. You said before you would provide us with a directory\r\nlisting of the files you took. Can you send that now?\r\nVictim: We are trying to decrypt systems but you guys changed our domain admin password and we\r\ncan’t get any further without that. Can you tell us what you changed it to?\r\nREvil Support: wait for answer \r\nVictim: Did you find the password? 
We can’t decrypt some systems without it.\r\nREvil Support: wait for answer \r\nREvil Support: 123456seX \r\nVictim: That worked thank you. We are still decrypting some of the systems. Do you have a directory\r\nlisting of the files you took in the meantime?\r\nREvil Support: We did not take any data from you\r\nSo REvil lied — either when they claimed they had exfiltrated data or when they claimed they hadn’t.\r\nDataBreaches.net reached out to the company that we think may have been the victim, but the only response\r\nreceived so far was an auto response (no pun intended) offering us a great warranty on a car purchase.\r\nAs a reminder, REvil has previously made clear that they do not give victims any of their data back at all. They\r\nclaim that doing that would violate their privacy policy, but they will give paying victims a file tree showing what\r\nwas allegedly exfiltrated.\r\nOf course, how would a victim know that REvil didn’t just take a screencap of a directory and grab a few files for\r\nproof?  Perhaps victims who are tempted to pay ransom because they fear  that REvil exfiltrated their files should\r\ndemand substantial proof of that claim — more than just a handful of files posted as proof of claim.\r\nSource: https://www.databreaches.net/still-think-you-can-negotiate-with-revil-and-get-your-files-back-read-this-first/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.databreaches.net/still-think-you-can-negotiate-with-revil-and-get-your-files-back-read-this-first/"
	],
	"report_names": [
		"still-think-you-can-negotiate-with-revil-and-get-your-files-back-read-this-first"
	],
	"threat_actors": [],
	"ts_created_at": 1775701435,
	"ts_updated_at": 1775791257,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4824db5afb2fdfd0304f7f782657a928d0af4016.pdf",
		"text": "https://archive.orkl.eu/4824db5afb2fdfd0304f7f782657a928d0af4016.txt",
		"img": "https://archive.orkl.eu/4824db5afb2fdfd0304f7f782657a928d0af4016.jpg"
	}
}