// Ransomware Negotiation Transcript

lockbit3.0 Ransomware Negotiation — Colonial General

25Messages
1 dayDuration
UnknownInitial Demand
UnknownOutcome
// Context

About This Negotiation

This transcript documents a lockbit3.0 ransomware negotiation with Colonial General. The negotiation consisted of 25 messages exchanged over 1 day, beginning on 2022-11-23.

The initial ransom demand was Unknown. The final outcome is not confirmed in the transcript.

// Primary Source

Full Transcript — Verbatim

Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.

Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
[Colonial General] — 23.11.2022 19:43:52 UTC — Message 1/25
[Chat started]
[Colonial General] — 23.11.2022 19:45:33 UTC — Message 2/25
Good day. I need assistance with decryption of files. Can you confirm the process please?
[Colonial General] — 23.11.2022 19:56:44 UTC — Message 3/25
Are you there?
[lockbit3.0] — 23.11.2022 20:07:12 UTC — Message 4/25
hi
[lockbit3.0] — 23.11.2022 20:07:37 UTC — Message 5/25
to decrypt the data and avoid publication you need to pay us. we haven't published your name on our blog yet
[Colonial General] — 23.11.2022 20:07:59 UTC — Message 6/25
what is the fee for the decryption ?
[lockbit3.0] — 23.11.2022 20:09:21 UTC — Message 7/25
120k$
[lockbit3.0] — 23.11.2022 20:09:51 UTC — Message 8/25
we will soon send you a tree of stolen data
[Colonial General] — 23.11.2022 20:09:54 UTC — Message 9/25
USD?
[lockbit3.0] — 23.11.2022 20:10:02 UTC — Message 10/25
yes
[Colonial General] — 23.11.2022 20:10:10 UTC — Message 11/25
USD?
[lockbit3.0] — 23.11.2022 20:10:27 UTC — Message 12/25
yes!
[lockbit3.0] — 23.11.2022 20:10:44 UTC — Message 13/25
we stolen 85gb
[Colonial General] — 23.11.2022 20:10:45 UTC — Message 14/25
Are you willing to drop the price of 120k?
[lockbit3.0] — 23.11.2022 20:11:06 UTC — Message 15/25
no
[Colonial General] — 23.11.2022 20:11:41 UTC — Message 16/25
can you send me the tree of stolen data so that I can confirm this data is ours?
[Colonial General] — 23.11.2022 20:12:13 UTC — Message 17/25
Also, how doI get the funding to you
[lockbit3.0] — 23.11.2022 20:12:36 UTC — Message 18/25
Yes, we'll send it soon.
[Colonial General] — 23.11.2022 20:12:57 UTC — Message 19/25
You are sending in the chat window or to an email address?
[lockbit3.0] — 23.11.2022 20:14:38 UTC — Message 20/25
I'll send you a link to our file sharing service
[Colonial General] — 23.11.2022 20:14:53 UTC — Message 21/25
ok
[lockbit3.0] — 23.11.2022 20:23:15 UTC — Message 22/25
[REDACTED URL]
[Colonial General] — 23.11.2022 20:32:12 UTC — Message 23/25
I have to get the other personal id as these are not the files we were expecting
[Colonial General] — 23.11.2022 20:32:58 UTC — Message 24/25
There is another machine from this breach that I would like the data for. I need a moment to get that personal ID file
[lockbit3.0] — 23.11.2022 20:37:01 UTC — Message 25/25
If you don't pay, the files from the tree will be published. we don't care how you feel about them
// Analysis

Analyst Observations

  • LockBit 3.0 was the most prolific ransomware group of 2022-2023, responsible for more attacks than any other group. Their infrastructure was taken down by Operation Cronos in February 2024.
  • LockBit 3.0 threat actor profile — TTPs, ransom demands, and active campaigns.

Facing a Ransomware Demand?

Whether you choose to negotiate or refuse — having specialists in the room changes the outcome.

Contact Us Now Our Negotiations Service →