lockbit3.0 Ransomware Negotiation — Wabtec Corporation

Messages: 39
Duration: 29 days
Initial Demand: $25.0M
Outcome: Unknown

About This Negotiation

This transcript documents a lockbit3.0 ransomware negotiation with Wabtec Corporation. The negotiation consisted of 39 messages exchanged over 29 days, beginning on 2022-06-29.

The initial ransom demand was $25.0M. The final outcome is not confirmed in the transcript.

Full Transcript — Verbatim

Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.

Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
[Wabtec Corporation] — 29.06.2022 18:55:36 UTC — Message 1/39
[Chat started]
[Wabtec Corporation] — 29.06.2022 18:57:50 UTC — Message 2/39
Hello we are writing you as you ask in your note. How do we get our files back?
[lockbit3.0] — 29.06.2022 18:58:06 UTC — Message 3/39
Hello. Please tell us your company name and confirm you are an official representative of the company.
[Wabtec Corporation] — 29.06.2022 18:58:58 UTC — Message 4/39
We are Wabtech, I am IT mgr with firm. Thank you.
[lockbit3.0] — 29.06.2022 18:59:06 UTC — Message 5/39
You must pay us to get your files back.
[Wabtec Corporation] — 29.06.2022 18:59:59 UTC — Message 6/39
How much are you asking for?
[lockbit3.0] — 29.06.2022 19:00:10 UTC — Message 7/39
$25 million for universal decryptor and destruction of stolen files.
[Wabtec Corporation] — 30.06.2022 12:57:28 UTC — Message 8/39
Hello, we moved to here as you asked.
[Wabtec Corporation] — 30.06.2022 12:58:22 UTC — Message 9/39
You mentioned you took out data, we need to understand that better. Please show us what you have taken so I can take this to the bosses. Thank you.
[lockbit3.0] — 30.06.2022 15:09:56 UTC — Message 10/39
[REDACTED URL]
[lockbit3.0] — 30.06.2022 15:10:03 UTC — Message 11/39
password = 5446731864718376751313472162
[Wabtec Corporation] — 30.06.2022 16:20:41 UTC — Message 12/39
Thank you for this. I will send this to our bosses for review.
[Wabtec Corporation] — 01.07.2022 17:53:31 UTC — Message 13/39
Our team and bosses are reviewing your large list. How much data is that? Also, would you kindly let us pick some files out of your list to ask for so we know you do indeed have our data? Thank you.
[lockbit3.0] — 01.07.2022 19:47:51 UTC — Message 14/39
About 2 TB. Yes.
[Wabtec Corporation] — 02.07.2022 20:06:46 UTC — Message 15/39
Hello, can we please receive these files back from you?
[Wabtec Corporation] — 02.07.2022 20:07:00 UTC — Message 16/39
F:\wabtec\files\WCSSRV0453_Commercial_Functions\Commercial Functions\Marketing\Marketing Effectiveness\Training Conferences\What a Declining Business Media Means to CEOs.pdf
F:\wabtec\files\CommercialKnowledgePortal\Commercial Knowledge Portal\Competitor Intelligence\CI at Tradeshows\2010 InnoTrans\InnoTrans 2010 Photos\Voith\Gravita Switcher\DSC01672.jpg
F:\wabtec\files\CRDSRV0008_Documentation_and_Manuals\Documentation and Manuals\Vishay Strain Gauge Manuals\Vishay Micro Measurements\Vishay M-Line Accessories.pdf
F:\wabtec\files\wcssrv036_RCV_Public_Drive\RCV_Public_Drive\SAFETY\Carson\Incident -Injury Forms\WGS SAFETY ALERT NOTICE TEMPLATE.docx
F:\wabtec\files\LPZSRV0014_Technologie\Technologie\ToPs_Daten\Dokumente\LASER\DATEN\5185766_1.pdf
F:\wabtec\files\VCISRV0028_Project_Engineering\Project Engineering\Engineering Administration\Policies, Procedures and Guidelines\Travel Policy\Wabtec Travel and Entertainment Policy - Final_2019-11-01.pdf
F:\wabtec\files\WCTSRV0018\g\PLM\WTDSRV0014\projects\DenverP3_CP\1-56468_SLDPRT\D\whereused.pdmw
F:\wabtec\files\WCMSRV0006_Pre-stagedData\Pre-stagedData\Completed Projects\QJHO01001-JohnHolland-Certification of Points\E - Engineering\E2 - Deliverables\CMC - Turnout Certification\Checksheets\03.05.2018
F:\wabtec\files\Departments_hr\HR\BENEFITS\WELLNESS 2016\Wabtec Online Store Flyer.docx
F:\wabtec\Manufacturing\CAR projects\Wabtec QIP Assessment Info Request.xlsx
F:\wabtec\files\WTDSRV0030_Materials\Materials\Packing Slips OSWH\2022\May 2022\5-23-22.pdf
F:\wabtec\files\Finance1\turbo_LP\fixed assets\TNX\Tooling\50311 Balancing tool.pdf
F:\wabtec\files\BSLSRV0001_Customer_Files\Customer Files\1. Customer Information\Siemens Mobility\2021\Purchase Orders\PO 4509763478, SO-0014037, 49364-14, 2021-12-14\Buy America Certificate_Rev.1 (PO 4509763478) - Signed Dec. 22, 2021.pdf
F:\wabtec\files\WBJSRV0002_Accounting\Accounting\ABNER\ateixeira\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SH5IQIL6\597D3FCACB12FBFAC9CEBBAFF93D[1].jpg
[Wabtec Corporation] — 02.07.2022 20:07:17 UTC — Message 17/39
14 total please.
[lockbit3.0] — 03.07.2022 04:20:47 UTC — Message 18/39
[REDACTED URL]
[lockbit3.0] — 03.07.2022 04:20:57 UTC — Message 19/39
password = 5446731864718376751313472162
[Wabtec Corporation] — 03.07.2022 15:43:13 UTC — Message 20/39
Thank you for this. Sending to the bosses for review, be back in touch.
[Wabtec Corporation] — 04.07.2022 18:49:32 UTC — Message 21/39
Hello, can you please decrypt these files so we know your key works per your message on this site?
[Wabtec Corporation] — 04.07.2022 18:49:59 UTC — Message 22/39
File: [registry.xml.lockbit]
[lockbit3.0] — 04.07.2022 19:21:38 UTC — Message 23/39
File: [registry.7z]
[Wabtec Corporation] — 05.07.2022 19:32:11 UTC — Message 24/39
Thank you. So if we were considering payment, would we get 1. Working decryptor tool 2. Our data back or deleted 3. Guarantee to not publish it or leak it on dark web 4. Tell us how you got into our network? Please let us know.
[lockbit3.0] — 05.07.2022 19:34:46 UTC — Message 25/39
1 yes 2 yes 3 yes 4 no
[Wabtec Corporation] — 06.07.2022 20:28:50 UTC — Message 26/39
Ok, letting bosses know the above. We are still reviewing the data dump due to size, and will be talking to the bank to see how much funds we would be able to come up with. Be back in touch.
[Wabtec Corporation] — 08.07.2022 14:36:56 UTC — Message 27/39
Hello, is this all of the data you have taken from us, in your file listing? Can you please let us know. Thank you.
[lockbit3.0] — 08.07.2022 16:07:24 UTC — Message 28/39
Yes
[Wabtec Corporation] — 09.07.2022 12:40:46 UTC — Message 29/39
Ok, that is good for us to know. We will be trying to come up with as many funds as we can and are circling up with the bank when they open after the weekend. How do we get BTC? Thanks.
[lockbit3.0] — 09.07.2022 15:01:24 UTC — Message 30/39
You can use crypto exchanges to get btc.
[lockbit3.0] — 12.07.2022 17:57:34 UTC — Message 31/39
So? Weekend ended long time ago. Are you ready to pay?
[Wabtec Corporation] — 12.07.2022 21:16:22 UTC — Message 32/39
Hello we are engaged with the bank, the logistics are going to take a little bit of time. This is not something we are used to deal with. We need some more time please.
[lockbit3.0] — 13.07.2022 11:29:20 UTC — Message 33/39
You must hurry up. We're not going to wait you forever. We'll have to raise the price by friday if we won't receive full payment by tomorrow evening.
[Wabtec Corporation] — 14.07.2022 01:44:35 UTC — Message 34/39
Hello our bosses and executive team are in contact with the bank about logistics and how much we can get, this is not something they normally do so the logistics are hard and take some time. We cannot make this happen by Friday, we are asking for more time, next week please. We are talking to you in good faith and thank you for your help so far.
[lockbit3.0] — 14.07.2022 07:24:03 UTC — Message 35/39
You already have spent 3 weeks. It's more than enough to check your balance and obtain cryptocurrency. The price will be raised to 30M from tomorrow.
[lockbit3.0] — 22.07.2022 12:39:57 UTC — Message 36/39
Hello. Another week passed. Should we wait for payment or we may proceed to the publication of your files?
[lockbit3.0] — 24.07.2022 16:17:29 UTC — Message 37/39
Are you there?
[lockbit3.0] — 25.07.2022 11:01:05 UTC — Message 38/39
???
[lockbit3.0] — 28.07.2022 10:04:33 UTC — Message 39/39
wtf?
