// Context
About This Negotiation
This transcript documents a lockbit3.0 ransomware negotiation with Plastic Products Company.
The negotiation consisted of 28 messages exchanged over 15 days, beginning on 2023-03-05.
The initial ransom demand was $6.0M. The final outcome is not confirmed in the transcript.
// Primary Source
Full Transcript — Verbatim
Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.
Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at
enquiries@binary-response.com — we will act promptly.
[Plastic Products Company] — 05.03.2023 04:03:11 UTC — Message 1/28
[Chat started]
[Plastic Products Company] — 05.03.2023 04:14:18 UTC — Message 2/28
Hello. I've never done this so I'm sorry if I don't have all the information you need up front. But the ransom note said I'm supposed to contact you.
[lockbit3.0] — 05.03.2023 08:56:48 UTC — Message 3/28
Hello, you need pay.
[Plastic Products Company] — 05.03.2023 13:52:11 UTC — Message 4/28
I've never used bitcoin before so I'm following tutorials to get it set up. I'm doing my best.
[lockbit3.0] — 05.03.2023 13:58:42 UTC — Message 5/28
Also we downloaded a lot of information from you.And so far we haven't published anything.There is no mention of an attack.
[lockbit3.0] — 05.03.2023 14:06:30 UTC — Message 6/28
You need to pay 6000000$
[Plastic Products Company] — 05.03.2023 15:01:53 UTC — Message 7/28
Oh wow, I don't know if we have that much money available. Can I see the information you took?
[lockbit3.0] — 05.03.2023 15:04:07 UTC — Message 8/28
Ok.wait
[lockbit3.0] — 05.03.2023 16:39:04 UTC — Message 9/28
[REDACTED URL]
[Plastic Products Company] — 05.03.2023 17:26:46 UTC — Message 10/28
Thank you. I'm getting a file to prove decryption works.
[lockbit3.0] — 05.03.2023 17:30:33 UTC — Message 11/28
ok
[lockbit3.0] — 06.03.2023 10:30:09 UTC — Message 12/28
The first time we sent you an incomplete tree. In the next message there is a link to the full tree
[lockbit3.0] — 06.03.2023 10:30:21 UTC — Message 13/28
Download link: [REDACTED URL]
[lockbit3.0] — 06.03.2023 10:30:31 UTC — Message 14/28
Password: Ak%xTarylM0r*jV7$qWdGs3$T
[Plastic Products Company] — 06.03.2023 18:49:48 UTC — Message 15/28
Thank you
[lockbit3.0] — 06.03.2023 20:51:00 UTC — Message 16/28
Use the test decryptor to verify the decryption. Use it correctly. Take the file from the pc with the ID of which you logged into the chat
[Plastic Products Company] — 06.03.2023 20:53:54 UTC — Message 17/28
Ok my boss is concerned since there's no way to tell what file we're decrypting that you could just send us some fake file back and claim the decryption worked.
[lockbit3.0] — 06.03.2023 20:58:47 UTC — Message 18/28
You know your network, your data, how is it that you can't tell? Besides, the test decryptor works in automatic mode, without my involvement
[lockbit3.0] — 08.03.2023 22:17:44 UTC — Message 19/28
when wiil you pay?
[Plastic Products Company] — 09.03.2023 20:52:13 UTC — Message 20/28
My engineers are working on finding a small enough file that they'll be able to confirm decryption for. I'm also working with my leadership on the financial side. We're doing our best but $6M is a lot of money.
[lockbit3.0] — 09.03.2023 22:53:49 UTC — Message 21/28
It's a small amount of your revenue. You can afford it. If you need time to prepare the amount, we'll give it to you, but you have to set a deadline. Our reputation and our name speaks for us, we can send you any number of files from the tree we sent you. And we can decrypt all the files we encrypted. And after payment, you'll get information about how we penetrated your network.
[Plastic Products Company] — 11.03.2023 02:31:24 UTC — Message 22/28
We found a file that we should be able to confirm the content with that match your requirements. I'm just waiting for the engineer to send it to me. I'll have an update from my leadership for you soon as well.
[lockbit3.0] — 11.03.2023 06:32:35 UTC — Message 23/28
ok
[lockbit3.0] — 13.03.2023 17:10:20 UTC — Message 24/28
You are very slow. Your name will now appear on the blog
[lockbit3.0] — 13.03.2023 17:13:45 UTC — Message 25/28
[REDACTED URL]
[Plastic Products Company] — 13.03.2023 17:46:19 UTC — Message 26/28
I'm sorry I'm doing my best. My leadership is working with lawyers and all of that is extremely slow.
[lockbit3.0] — 13.03.2023 17:47:50 UTC — Message 27/28
Now you will try to negotiate faster. After all, the timer is running. More than a week has been wasted
[lockbit3.0] — 20.03.2023 11:34:07 UTC — Message 28/28
when will you pay?