// Context
About This Negotiation
This transcript documents a lockbit3.0 ransomware negotiation with Nicklaus Children's Hospital.
The negotiation consisted of 43 messages exchanged over 23 days, beginning on 2023-01-17.
The initial ransom demand was $7.0M. The victim refused to pay.
// Primary Source
Full Transcript — Verbatim
Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.
Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at
enquiries@binary-response.com — we will act promptly.
[Nicklaus Children's Hospital] — 17.01.2023 16:11:13 UTC — Message 1/43
[Chat started]
[Nicklaus Children's Hospital] — 17.01.2023 16:13:32 UTC — Message 2/43
Hi.
[Nicklaus Children's Hospital] — 17.01.2023 21:21:03 UTC — Message 3/43
Hello, I'm wondering if anyone is available to assist? Thanks.
[lockbit3.0] — 17.01.2023 21:44:17 UTC — Message 4/43
Hello
[lockbit3.0] — 17.01.2023 21:51:04 UTC — Message 5/43
How I can help you?
[Nicklaus Children's Hospital] — 18.01.2023 15:54:19 UTC — Message 6/43
Hi, my company's computer network was affected by a virus. There was a note that instructed we reach out to you. I was asked by my employer to find out from you if you have taken any data from our systems? And anything you can share about next steps would be helpful. Thank you.
[lockbit3.0] — 18.01.2023 17:54:55 UTC — Message 7/43
You pay - we decrypt your network.
[Nicklaus Children's Hospital] — 18.01.2023 20:27:01 UTC — Message 8/43
"Your data are stolen and encrypted" -- is this not the case?
[lockbit3.0] — 18.01.2023 20:51:50 UTC — Message 9/43
You pay - we decrypt your network and delete your data.
[Nicklaus Children's Hospital] — 18.01.2023 22:09:06 UTC — Message 10/43
Do you have a list of the data?
[lockbit3.0] — 19.01.2023 08:23:23 UTC — Message 11/43
You will receive a complete list of the stolen data only after you pay the ransom.
[lockbit3.0] — 19.01.2023 08:23:42 UTC — Message 12/43
File: [07-15-22 master control - brands 1099.pdf]
[lockbit3.0] — 19.01.2023 08:23:46 UTC — Message 13/43
File: [10-30-22 stat summary - gbi svc 1099.pdf]
[lockbit3.0] — 19.01.2023 08:23:51 UTC — Message 14/43
File: [12-30-22c checks - jj.pdf]
[lockbit3.0] — 19.01.2023 08:26:14 UTC — Message 15/43
File: [2021 K-1 - JWNII Living Tr - Nicklaus DC Invest.pdf]
[lockbit3.0] — 19.01.2023 08:29:03 UTC — Message 16/43
File: [Jim Schnare with Passport.jpg]
[Nicklaus Children's Hospital] — 19.01.2023 13:55:58 UTC — Message 17/43
Ok, thank you. What/how do we pay you?
[lockbit3.0] — 19.01.2023 15:10:50 UTC — Message 18/43
$7,000,000 in bitcoin, or $6,900,000 in monero
[Nicklaus Children's Hospital] — 19.01.2023 15:19:07 UTC — Message 19/43
You're asking for 7 million dollars for this?
[lockbit3.0] — 19.01.2023 15:26:50 UTC — Message 20/43
You are a very famous brand, it is a very good price not to ruin the reputation of the Golden Bear, why your director at 82 years old hundreds of millions of dollars? he will not have time to spend them the rest of his life anyway, so 7 million dollars is a very fair price so that no one will ever know about our attack.
[Nicklaus Children's Hospital] — 21.01.2023 11:05:02 UTC — Message 21/43
Good morning. I have passed on your messages to my bosses. They will be discussing with the board this weekend or early next weekend. I will get back to you then. Thanks.
[lockbit3.0] — 21.01.2023 13:19:50 UTC — Message 22/43
Ok.
[Nicklaus Children's Hospital] — 23.01.2023 15:10:15 UTC — Message 23/43
Hello. It looks like my bosses have some meetings scheduled for today to discuss this. They are asking how many files you took from our systems?
[lockbit3.0] — 23.01.2023 15:15:47 UTC — Message 24/43
You will receive a complete list of the stolen data only after you pay the ransom.
[Nicklaus Children's Hospital] — 23.01.2023 15:34:28 UTC — Message 25/43
Do you have the total size you can share with me? I'd like to give my bosses some information that may be helpful in making their decision. Thanks.
[lockbit3.0] — 23.01.2023 15:40:25 UTC — Message 26/43
More than 200 gigabytes of data.
[Nicklaus Children's Hospital] — 24.01.2023 15:24:48 UTC — Message 27/43
Good morning. My bosses have meetings with partners this morning. Once I have some information, I will let you know. Thanks.
[lockbit3.0] — 24.01.2023 15:56:31 UTC — Message 28/43
Ok.
[Nicklaus Children's Hospital] — 26.01.2023 14:01:07 UTC — Message 29/43
Hello, sorry for the delay. I've been following up with my bosses for some updated information. At this point, I've been told that we don't have anywhere close to 7 million dollars. My bosses are asking what you will do with the data after we pay? Thanks.
[lockbit3.0] — 26.01.2023 16:53:54 UTC — Message 30/43
Advise your bosses not to be greedy, we know you have money, we own your documents, the richest people on the planet play in your clubs and nothing is more important than your reputation. In case you can overcome the greed of your bosses we will permanently delete all the stolen information and this chat room, no one will ever know about our attack on your company.
[lockbit3.0] — 02.02.2023 19:32:23 UTC — Message 31/43
You need pay.
[Nicklaus Children's Hospital] — 06.02.2023 16:39:10 UTC — Message 32/43
Hello. Sorry for the delay. I have been talking to my bosses to get to a resolution.
[Nicklaus Children's Hospital] — 06.02.2023 16:58:29 UTC — Message 33/43
My bosses wants me to communicate some things to you sir. Your ask for 7 million is much too high and we cannot pay this. Most of the reputation damage is already done to us just by the fact that you came into our network and took our data. The non-publication of the data is a very small part of the total damage. Our lawyers have forced us to notify our employees and customers of the breach and we already lost some business relationships as a result. We also do not have the funds to support the asking price anyway because we are spending a lot of money recovering from the breach.
[Nicklaus Children's Hospital] — 06.02.2023 16:58:41 UTC — Message 34/43
To honor our stakeholders, we are willing to pay you something — not 7 mil. Can you please consider a lower amount. Thanks.
[lockbit3.0] — 06.02.2023 17:22:04 UTC — Message 35/43
Make your offer.
[Nicklaus Children's Hospital] — 06.02.2023 19:50:09 UTC — Message 36/43
I have a meeting in 1 hour with my bosses and lawyers and will get back to you right after.
[Nicklaus Children's Hospital] — 06.02.2023 21:25:36 UTC — Message 37/43
My bosses said a reporter reached out and told them that our data is already published?
[lockbit3.0] — 07.02.2023 03:20:42 UTC — Message 38/43
[REDACTED URL]
[lockbit3.0] — 07.02.2023 03:33:09 UTC — Message 39/43
At the moment only your company name is published, but very soon all of your information will be published if you do not pay, you have little time left. Only 48 hours to pay.
[Nicklaus Children's Hospital] — 07.02.2023 13:18:01 UTC — Message 40/43
Ah ok. Only 48 hours? I thought it said Feb 21?
[lockbit3.0] — 07.02.2023 16:21:54 UTC — Message 41/43
[Chat started] 17.01.2023 16:11:13 UTC
[lockbit3.0] — 07.02.2023 16:22:41 UTC — Message 42/43
I just want to let you know that the data is ready to be published and the decryptor is ready to be deleted. You have had plenty of time to make your decision, your time is up.
[lockbit3.0] — 09.02.2023 12:42:51 UTC — Message 43/43
Do you have any offer for me?