// Ransomware Negotiation Transcript

lockbit3.0 Ransomware Negotiation — Bank BSI

27Messages
7 daysDuration
UnknownInitial Demand
UnknownOutcome
// Context

About This Negotiation

This transcript documents a lockbit3.0 ransomware negotiation with Bank BSI. The negotiation consisted of 27 messages exchanged over 7 days, beginning on 2023-05-08.

The initial ransom demand was Unknown. The final outcome is not confirmed in the transcript.

// Primary Source

Full Transcript — Verbatim

Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.

Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
[Bank BSI] — 08.05.2023 03:34:30 UTC — Message 1/27
[Chat started]
[Bank BSI] — 08.05.2023 03:35:18 UTC — Message 2/27
give me proof that you have comptomised us
[lockbit3.0] — 08.05.2023 03:41:23 UTC — Message 3/27
Hello.
[lockbit3.0] — 08.05.2023 03:42:40 UTC — Message 4/27
We have about a terabyte and a half of your customer data
[Bank BSI] — 08.05.2023 03:43:31 UTC — Message 5/27
ok how do we know that
[lockbit3.0] — 08.05.2023 03:44:14 UTC — Message 6/27
We can provide you file tree of stolen data
[Bank BSI] — 08.05.2023 03:44:38 UTC — Message 7/27
let me see that
[lockbit3.0] — 08.05.2023 03:45:00 UTC — Message 8/27
You choose any two files of no more than a megabyte from the ones we stole and we can give them to you.
[Bank BSI] — 08.05.2023 03:49:03 UTC — Message 9/27
you dont even know who's data you have stolen
[Bank BSI] — 08.05.2023 03:50:43 UTC — Message 10/27
show me that customer data you think you hv stole it
[lockbit3.0] — 08.05.2023 03:52:55 UTC — Message 11/27
File: [banksbitree.zip]
[lockbit3.0] — 08.05.2023 03:56:54 UTC — Message 12/27
File: [proofs.zip]
[lockbit3.0] — 08.05.2023 03:57:35 UTC — Message 13/27
BSMCOLLECTION Database (check your last backup from it) - a lot of customers data Some interesting from SPM-HESTU - a lot of customers data Medalion Some from Swift
[Bank BSI] — 13.05.2023 02:18:44 UTC — Message 14/27
what price do you want?
[lockbit3.0] — 13.05.2023 09:13:13 UTC — Message 15/27
It depends on your greed, what can the largest bank in the country with multibillion-dollar revenues offer me for a quality pentest of your corporate network?
[Bank BSI] — 13.05.2023 09:56:28 UTC — Message 16/27
It looks like you want big things, if that's the case, we'll confirm with other things, do you have a stolen username, password, like a pin or something else?
[lockbit3.0] — 13.05.2023 13:29:28 UTC — Message 17/27
You will find out about this after all the stolen data is published, in case you do not want to pay for a quality pentest of your corporate network.
[Bank BSI] — 13.05.2023 14:27:05 UTC — Message 18/27
ok, can I buy for 100,000 USD? you like?
[lockbit3.0] — 13.05.2023 15:31:53 UTC — Message 19/27
20 000 000 $
[Bank BSI] — 13.05.2023 15:55:53 UTC — Message 20/27
why is it so big, at least give us 1 sample username and password you stole we will take it at 10,000,000 dollars
[lockbit3.0] — 13.05.2023 16:09:30 UTC — Message 21/27
Your competitors and scammers will be looking for logins and passwords in the databases after the data is published.
[Bank BSI] — 13.05.2023 16:10:14 UTC — Message 22/27
So is there anyone else who wants to buy it?
[lockbit3.0] — 13.05.2023 16:11:55 UTC — Message 23/27
We will not disclose this information.
[lockbit3.0] — 13.05.2023 21:31:41 UTC — Message 24/27
An example of a login to the Internet banking.
[lockbit3.0] — 13.05.2023 21:31:50 UTC — Message 25/27
202194016611 20Darkstar94!
[lockbit3.0] — 13.05.2023 21:32:16 UTC — Message 26/27
Would you be more comfortable paying in bitcoin or monero?
[lockbit3.0] — 15.05.2023 16:37:37 UTC — Message 27/27
Be a man, promise - do it.
// Analysis

Analyst Observations

  • LockBit 3.0 was the most prolific ransomware group of 2022-2023, responsible for more attacks than any other group. Their infrastructure was taken down by Operation Cronos in February 2024.
  • LockBit 3.0 threat actor profile — TTPs, ransom demands, and active campaigns.

Facing a Ransomware Demand?

Whether you choose to negotiate or refuse — having specialists in the room changes the outcome.

Contact Us Now Our Negotiations Service →