Leaked Chats Show a Ransomware Gang Running a Better Help Desk Than Its Victims

Six months of internal chat logs from the Vantablack ransomware group reveal salaried negotiators, performance reviews, and customer satisfaction surveys.

This is synthetic placeholder content. All companies, people, and events in this article are fictional.

Six months of internal chat logs from Vantablack, a ransomware operation believed to have extorted more than $40 million from mid-sized companies, show an organization that looks less like a criminal conspiracy and more like a SaaS startup — complete with salaried negotiators, an employee-of-the-month program, and customer satisfaction surveys sent to victims after they pay.

The logs were provided to Dead Pixel by a security researcher who found them on an unsecured server used by the group, and were verified against known Vantablack ransom notes and cryptocurrency transactions.

“Please rate your decryption experience”

The most surreal artifact in the leak is a post-payment survey. Victims who paid were sent a five-question form asking them to rate the “professionalism” of their negotiator and the speed of file recovery. One internal message celebrates a quarter in which the group’s “decryption success rate” hit 99.1 percent.

The logic is cold but sound: ransomware only works if victims believe paying gets their files back. Reputation is the product.

An org chart for extortion

The logs sketch a clear hierarchy: developers who maintain the malware, “pentesters” who break into networks, negotiators who work the victims, and a manager who settles pay disputes. One negotiator complains about working weekends; the manager responds by approving overtime, paid in cryptocurrency.

There are performance reviews. A junior member is criticized for encrypting a hospital — not for ethical reasons, but because hospitals attract law enforcement attention and “pay badly.”

The defenders’ view

An incident responder who has handled multiple Vantablack cases told Dead Pixel that the leak matches what negotiators see from the outside. “They answer within minutes. They’re polite. They send proof-of-life decryption samples without being asked,” she said. “I’ve had victims tell me, with total sincerity, that the criminals were more responsive than their own IT vendor. That should terrify the industry.”

The group went quiet for nine days after the researcher reported the exposed server. This week, its dark web portal came back online with a new note at the top: “We have improved our operational security. Thank you for your feedback.”
