// Context
About This Negotiation
This transcript documents a lockbit3.0 ransomware negotiation with CHSF (Centre Hospitalier Sud Francilien).
The negotiation consisted of 42 messages exchanged over 14 days, beginning on 2022-08-24.
The initial ransom demand was $1.0M. The final outcome is not confirmed in the transcript.
// Primary Source
Full Transcript — Verbatim
Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.
Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at
enquiries@binary-response.com — we will act promptly.
[CHSF (Centre Hospitalier Sud Francilien)] — 24.08.2022 09:17:17 UTC — Message 1/42
[Chat started]
[CHSF (Centre Hospitalier Sud Francilien)] — 24.08.2022 15:20:27 UTC — Message 2/42
Hello, we are taking your attack on our institution seriously. Who are you? And what do you really want in doing what you are doing?
[lockbit3.0] — 25.08.2022 01:49:32 UTC — Message 3/42
Welcome. Your Servers have been encrypted by us. To decipher and restore the functionality of your network, you have to pay us $1,000,000 in Bitcoin. Additionally I inform you that we have about a million files from your servers concerning your patients. As well as contracts with partners and confidential agreements. Medical histories, doctor's appointments, prescriptions, ultrasound images, and personal data. In the event that you do not pay the ransom, this data will be published in our public blog. The amount of $ 1,000,000 is not big for your company. We did not put a high price, because we respect health care. We offer to solve everything quickly and without too much noise. You pay, we give you a decryptor and destroy your data from our servers
[CHSF (Centre Hospitalier Sud Francilien)] — 25.08.2022 07:17:23 UTC — Message 4/42
Do you really know who you have attacked? And the current and future consequences this may have for us, for the people of our institution, for you? We ask you to give us the decryption keys now, please, and to stop your inhumane attack.
[lockbit3.0] — 25.08.2022 07:48:13 UTC — Message 5/42
We know you're a commercial company. Which makes money. Your company's revenue is over seven hundred million dollars. You can stop the attack and be calm by paying just one million dollars. In case of refusal, we will take further pressure steps. We will contact your partners. Let's lay out some of the data about your patients. Info about covid vaccination. Covid passports. And the price can be increased.
[CHSF (Centre Hospitalier Sud Francilien)] — 25.08.2022 11:24:55 UTC — Message 6/42
I am surprised to see that you do not know at all who we really are! We are a public hospital, with all that this entails in terms of meagre means: financial, material and staffing. I will let you judge for yourself with the links below, and I ask you once again to please stop your murderous attack by giving us the decryption keys now. Thank you
[CHSF (Centre Hospitalier Sud Francilien)] — 25.08.2022 11:25:19 UTC — Message 7/42
[REDACTED URL]
[CHSF (Centre Hospitalier Sud Francilien)] — 25.08.2022 11:25:30 UTC — Message 8/42
[REDACTED URL]
[CHSF (Centre Hospitalier Sud Francilien)] — 25.08.2022 11:26:02 UTC — Message 9/42
[REDACTED URL]
[lockbit3.0] — 25.08.2022 12:24:05 UTC — Message 10/42
[REDACTED URL]
[lockbit3.0] — 25.08.2022 12:26:12 UTC — Message 11/42
You already lose more than 50ml revenue. You have only one way. Pay us fast to stop this. Or price can be increased.
[lockbit3.0] — 25.08.2022 12:54:06 UTC — Message 12/42
We strongly advise you to complete your transaction with us as soon as possible. As soon as we receive payment we will immediately give you a decryptor. And the attack will be stopped. And the details of your partners and clients will not be made public. That's the only way. Nothing personal. Simple business.
[CHSF (Centre Hospitalier Sud Francilien)] — 25.08.2022 16:41:48 UTC — Message 13/42
I think you know, with what you hold, and you understand that it is impossible for us to pay the sum demanded. AND I do not understand your behaviour; where have your values gone? Your ethics?
[CHSF (Centre Hospitalier Sud Francilien)] — 25.08.2022 16:43:11 UTC — Message 14/42
[REDACTED URL]
[lockbit3.0] — 25.08.2022 17:50:07 UTC — Message 15/42
I think you know, with what you hold, and you understand that it is impossible for us to pay the sum demanded >>> Find the way to solve this problem. Every day you lose your money clients and reputation. That is why to solve this problem in your best interest
I do not understand your behaviour; where have your values gone? Your ethics? >>> You get the money from your clients you do not anything FREE! Now you face with our world reality. Next time pay attention your internet security
[lockbit3.0] — 26.08.2022 07:24:14 UTC — Message 16/42
Since we do not yet see from you an adequate attitude to the situation and readiness to pay. We will begin to prepare letters for your clients and partners. And also we will begin to prepare a public blog for your company. We have a lot of your interesting data. Including also correspondence from mail servers. We give you time until 30.08 inclusive. In order to settle everything quickly and quietly. If by this time we don't start talking about payment. Then we will be forced to act further.
[lockbit3.0] — 26.08.2022 07:40:28 UTC — Message 17/42
fr.jpg
0.97MB
[lockbit3.0] — 26.08.2022 07:41:12 UTC — Message 18/42
Just look at this. It's only for u. For example.
[CHSF (Centre Hospitalier Sud Francilien)] — 26.08.2022 13:51:27 UTC — Message 19/42
So in summary, if I understand correctly, all you want is your money? Even if this may lead to the death of patients at our institution?
[lockbit3.0] — 26.08.2022 14:30:48 UTC — Message 20/42
We know your situation no one of your patient will not die, all what you want to restore your data and do not have data leak you have to pay money for this
[lockbit3.0] — 26.08.2022 14:36:36 UTC — Message 21/42
Looking at our communication, we conclude that we are reaching a dead end. If we do not come to agreement to Wednesday we start making a public blog with your stolen data
[CHSF (Centre Hospitalier Sud Francilien)] — 27.08.2022 07:12:24 UTC — Message 22/42
OK, we understand your wishes and we want to cooperate so that everything goes well for us. We tried to send you files through your site but they are too large.
[CHSF (Centre Hospitalier Sud Francilien)] — 27.08.2022 07:12:53 UTC — Message 23/42
Your attack directly hit our virtualisation tools. I cannot send you a file. The only files we have exceed 50 kb. To what extent can you decrypt a vmdk file for us as proof that you are able to help us? In addition, we do not have access to the data on our NAS devices.
[CHSF (Centre Hospitalier Sud Francilien)] — 27.08.2022 07:13:31 UTC — Message 24/42
[REDACTED URL]
[lockbit3.0] — 27.08.2022 08:37:14 UTC — Message 25/42
Welcome. To decrypt this file, we will need to wait for a technician. Decoding of small files is possible in automatic mode. Try to find a file of the desired size on your NAS. You should definitely have them there. After payment, you get a decryptor for all your files. Including your NAS and your virtual machines. We all want this case to end quickly and quietly. You can also find out information about us on the Internet. The companies we work with always get what they pay for.
[lockbit3.0] — 27.08.2022 15:41:06 UTC — Message 26/42
[REDACTED URL]
[lockbit3.0] — 27.08.2022 15:41:24 UTC — Message 27/42
Btw if you will not pay 1 000 000 usd till 30.08 the price will be 10 000 000 usd as in your public statement
[lockbit3.0] — 27.08.2022 17:17:41 UTC — Message 28/42
bc1qwwym65pfw864lmt9e6v3f5hv08p4v4yqp49fsn you have to pay test payment to this btc address
[lockbit3.0] — 27.08.2022 17:18:16 UTC — Message 29/42
1 $
[CHSF (Centre Hospitalier Sud Francilien)] — 27.08.2022 18:18:44 UTC — Message 30/42
OK, we understand, and we too want this to be over quickly. We thank you for having understood our situation and we confirm the transaction as you wrote above for $1 and according to the terms explained.
[CHSF (Centre Hospitalier Sud Francilien)] — 30.08.2022 07:37:59 UTC — Message 31/42
Hello. With the deadline approaching, we are taking the liberty of following up to find out where we stand in our exchanges?
[lockbit3.0] — 30.08.2022 07:41:11 UTC — Message 32/42
Hello. Yes, your time coming to the end. Are you ready to pay?
[lockbit3.0] — 30.08.2022 08:04:09 UTC — Message 33/42
We expect you to pay $1,000,000 in Bitcoin (49 BTC) to the address above. After payment, you will receive a decryptor for all your files and virtual machines. We will also delete all information about customers and partners stolen from you from our servers after payment. Right now you have to make a test payment 1$ after that you need write us.
[lockbit3.0] — 30.08.2022 08:04:31 UTC — Message 34/42
bc1qwwym65pfw864lmt9e6v3f5hv08p4v4yqp49fsn
[lockbit3.0] — 30.08.2022 08:05:03 UTC — Message 35/42
BTC address
[CHSF (Centre Hospitalier Sud Francilien)] — 31.08.2022 21:30:16 UTC — Message 36/42
Hello, OK, we agree to all of that. However, not having heard from you for several days, we would be reassured if you could give us proof of your ability to help us. That would help me convince my management to proceed further.
[CHSF (Centre Hospitalier Sud Francilien)] — 31.08.2022 21:30:55 UTC — Message 37/42
[REDACTED URL]
[lockbit3.0] — 01.09.2022 09:58:06 UTC — Message 38/42
Ok, wait.
[lockbit3.0] — 01.09.2022 17:20:44 UTC — Message 39/42
1661980198_CHSFVW050-ctk.7z
1.02kB
[lockbit3.0] — 02.09.2022 04:43:24 UTC — Message 40/42
Welcome. During this time, we did not see any test or main payment from you. We have provided you with all the evidence that we can and are ready to help you. You received the file. Talk to your boss. We need specific deadlines for receiving payments from you. In case you do not set us a deadline we will start making public blogs with your data. We will also continue to attack your clinic. It's all dragging on for too long. Our boss is not happy with this situation. If you do not solve it in the near future you will feel serious consequences.
[lockbit3.0] — 07.09.2022 13:41:50 UTC — Message 41/42
[REDACTED URL]
[lockbit3.0] — 07.09.2022 13:42:15 UTC — Message 42/42
Now this blog is available for viewing only for you! If you do not give an answer on the exact date of payment of the ransom, we will start mailing as well as calls to all partners, patients and employees, then the blog will become public.