lockbit3.0 Ransomware Negotiation — Redacted Organisation

Hi Lockbit, this is [redacted] and saw the post and may we ask to get the directory listing of all the files that you have. May we ask for more time so we can inform our stakeholders for them to assess and consider our next move? Thank you for understanding.\n

Thank you for your consideration.

Good day, may we negotiate the amount you have in mind and what in turn would be Lockbit\'s end of the bargain.

Dear Lockbit, may we state that last year was the only time we were profitable and we only earned $200k. We have also notified the regulators and our clients as well as required by law since the encryption last January 25 caused a major outage. That said, we were able to restore operation with some backups, albeit with some data loss therefore decryption wont really be necessary. Please give as an amount that we can get back to our leaders to be considered.\n

Thank you for your consideration. 100k is still very steep for us as its half of our revenue which will be negated with the damage caused by the outage. May we respectfully ask to please significantly bring it down since we are only technically be requesting for the deletion of the data and we do understand that this is just business for you.\n

We understand, and we actually had a good year last year since thats the first time we were positive. But this incident wiped it off all away and will be spending more in recovery. Also, the directors are there just for name as a favor and add credibility which by the way is now in shambles, but they dont really contribute, otherwise they would have sent their army of IT to help us recover. I am looking at 10-20K to comeback to the heads and this will be coming from our own personal funds. While there will be some issues on publishing this, as we mentioned, we have already notified the clients and regulators about this breach.

Thank you for your concern and consideration, yes this funds will not be coming from IT. But we only have one owner, as we are a small private company, and he will have to cover everything. We were unsure of the viber message, but here we are. We will come back to you if we can convince him to pay 50k as this is still big for one person.

Ok, let us know. Thank you.\n

Will relay this and come back with a decision tomorrow morning as its 1am here. Do you have a code name or nickname so we know we are talking to the same customer support tomorrow?

Ok, thank you for your patience.

Good day Lockbit, we have met and we have come up with our final offer of 30k. Please do consider that we are only asking for the deletion of the data as we have already notified the regulators and clients about the breach as mandated by law. So this is just to minimize exposure so we can concentrate in the restoration activities. Hoping for you kind consideration.

Let me get back to you.

Hi Lockbit, I\'ve talked to our heads and most of them are against of paying at all. We don\'t know much about your business and the heads are insistent that you would go against your word and sell the data nonetheless. We\'ve been transparent with our regulators and clients and have been working days and nights non-stop for restoration activities. And now, we just want to minimize the damage and hoping for peaceful restoration activities by deleting the data that you have. \n\nThe heads don\'t want to pay at all but I\'ve told them that you value your reputation as you said and have managed to convince them to pay 40k for the destruction of data. Kindly consider this offer.

Thank you for consideration. Do we have a deal at 40k?

I will relay the agreement and will get back to you tomorrow same time. Thank you for your consideration.

Good day, we are now preparing the funds and should be ready by Monday. We need help in converting to bitcoin. Would you be able to point us to how any of your previous clients from the Philippines is able to acquire bitcoins for payment?

Thank you and will check this out.

Good day Lockbit, we are consolidating the funds and should be completed within the week. We have candidates on where to purchase bitcoin locally with minimal paperworks and will be talking to them on Thursday.

Rest assured we are doing our best to process the funds immediately. Thank you for your patience.

Yes, will give update by then. We are really trying to get the money out and buy crypto but it\'s harder when we want less paper trail. This is also the first time we are doing this so thank you for your patience.

Good day Lockbit, we\'re expecting to get the cash out by Saturday or Monday then we can start purchasing the coins next week. Will update you again on Monday\n

Good day Lockbit, \n\nWe have finally acquired the funds and is now in the process of buying bitcoin. We are evaluating possible sources of bitcoins this week without KYC then it might take some time since we have to split the purchase under $8,000 to avoid being flagged. We\'ll give you our wallet address once we start purchasing so you could monitor then we\'ll do an initial test transfer to you after.\n\nWe could send you a picture for proof of our activities with your required instructions if needed. Thank you for understanding.

Thank you for the trust. One of us got a call from an unknown number in Lithuania, please give us time to purchase bitcoins.

We will be splitting the purchase to avoid tripping regulatory limits, so once we have a seller, the estimate time is 2 weeks.

Apologies for the wait. We are doing precautionary measures to minimize our trail of buying bitcoins and paying for the ransom.

We can send you the picture of the cash with a marker you will request as proof. But we can\'t deposit this to a bank and use that account to buy crypto without paper trail. Hope you understand

Yes it was an option before but Binance is banned in the Philippines and can\'t get them from the app stores or create accounts. We are talking to 2 possible sellers. Please be patient, this is the first time we are doing this kind of transaction. We do have good progress.

Good day Lockbit, we already got the crypto this morning. Could we do the transaction within today since the market is going down. Would like to conduct test transfer first before giving the full amount.

Alright, will now start sending test transfer payment of $100.

We would like to mention that we bought 40k USD worth of bitcoin this morning but with the volatility and transaction fees it will be less. Hope this is okay with you as we want to complete the transaction. Rest assured that we will give you all the btc we were able to acquire.

Test transfer of $100 worth of btc has been sent to your btc address and is now PENDING in status. Please confirm once received. Thank you.

The status of the test transfer is now COMPLETED, could you please check on your end?

We would like to split the next transactions in case we make a mistake. We will next transfer 20k usd in btc first and then the rest of the amount. We hope you understand and this is okay with you.

Split transfer of $20k worth of btc has been sent to your btc address and is now PENDING in status. Please confirm once received. Thank you.

Could you help me a bit, may I ask the details of how you got access to our network? Did you exploit our public web app server or phish our users?

Sorry just wanted to clarify does this mean you were able to get glen moyo\'s account through phishing as well?

We are now sending the rest of the payment. Thank you for your response.

Rest of the payment has been sent to your btc address and is now PENDING in status

Thank you and apologies for the questions, on the domain, could you expound a bit as we didn\'t have domain configured yet at the time of the incident.

It\'s alright. Thank you. We\'ll get back on this chat to check in on the deletion as well.

Thank you for this. May I ask another question, we\'ve read from reports that you often use Anydesk in your attacks, can you explain how it is relevant to you?