// Ransomware Negotiation Transcript

lockbit3.0 Ransomware Negotiation — Continental

37Messages
41 daysDuration
UnknownInitial Demand
UnknownOutcome
// Context

About This Negotiation

This transcript documents a lockbit3.0 ransomware negotiation with Continental. The negotiation consisted of 37 messages exchanged over 41 days, beginning on 2022-09-23.

The initial ransom demand was Unknown. The final outcome is not confirmed in the transcript.

// Primary Source

Full Transcript — Verbatim

Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.

Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
[Continental] — 23.09.2022 13:26:56 UTC — Message 1/37
[Chat started]
[Continental] — 23.09.2022 13:28:45 UTC — Message 2/37
Hello, Thank you for providing the links and ID to this chat. What proof can you give us that you have any of our data?
[lockbit3.0] — 23.09.2022 13:41:23 UTC — Message 3/37
We have a lot of your files
[lockbit3.0] — 23.09.2022 13:41:26 UTC — Message 4/37
Hello
[lockbit3.0] — 23.09.2022 13:41:44 UTC — Message 5/37
What proof do you want?
[Continental] — 23.09.2022 14:55:24 UTC — Message 6/37
Please give us a full file list of data that you say you are holding, and we can chose samples of files from list for you to give us as proof.
[lockbit3.0] — 23.09.2022 15:43:19 UTC — Message 7/37
Ok wait
[lockbit3.0] — 23.09.2022 15:44:25 UTC — Message 8/37
Full file list size is over 8GB. we may provide you a partial listing.
[lockbit3.0] — 23.09.2022 15:48:59 UTC — Message 9/37
Alright, finally uploading. Archiving significantly reduced the size. But I wonder how you will open it.
[lockbit3.0] — 23.09.2022 16:00:40 UTC — Message 10/37
File list is being uploaded. It takes time. I will let you know when I'm done.
[lockbit3.0] — 23.09.2022 21:57:38 UTC — Message 11/37
[REDACTED URL]
[lockbit3.0] — 23.09.2022 21:57:51 UTC — Message 12/37
password conti123
[lockbit3.0] — 23.09.2022 22:02:44 UTC — Message 13/37
use [REDACTED URL] to review list.
[Continental] — 23.09.2022 22:04:33 UTC — Message 14/37
Hello, Thank you for providing the proof of data. It will take us some time to verify the data. We will come back to you as soon as possible.
[lockbit3.0] — 23.09.2022 22:07:56 UTC — Message 15/37
The list is very large. Hope this won't take ages to review.
[Continental] — 26.09.2022 12:26:55 UTC — Message 16/37
Sorry, it has taken us a while to be able to view and start verifying the data due to the size of the file. To prove that you hold the actual data and not just a list of files, we are currently putting together a list of samples we ask you to provide. We will send you the list asap
[lockbit3.0] — 26.09.2022 13:36:27 UTC — Message 17/37
Hello, okay.
[Continental] — 27.09.2022 17:28:58 UTC — Message 18/37
Following up on our message from yesterday, we are still in the process of verifying information. In order to prove that you hold the actual data and not just a list of files, please can you provide the following files as proof of data held: I:\continental2\upload3\did01447\040_QAC_Cleanliness\11_Partikelmonitoring\02_Luftsauberkeit\01_Monitoring\Arbeits-Sheet-Luftsauberkeit_Auswertung Q2 2022 und Sondermessungen.xlsx, H:\continental\upload4_c2\didr1618\MMA_Fahrversuch\06_NVH-DL_Sommer_2022\Daten_NVH-DL_Block1\ATF_10\180622_004\EKB_Data\EEW\180622_004_rl_nr00109_chn0007_eew.wav, H:\continental\upload4_c2\didf3403\Common\Projects\JR-Jeff Ross\Instrumentation Master Database\Archive\Master Database Allentare Fixes March 2016.xlsx, H:\continental\upload4_c2\didb3040\MCAD\ptc\Help\Creo3\help\creo_help_pma\italian\pma\rendering\To_Open_a_Room_File.html, I:\continental2\upload3\hpfs002.tiretech.contiwan.com\HPG-Orga\GCF_TS\PROJEKTE\CT-Mexikana\!Erweiterung 6\CE\Einbauerklärung Elektrotechnik Konwima + Kernsetzer Türkei 2110791.pdf, E:\continental3\upload_c2\did43391\31_ProductDevelopment\40_Software\20_Development\BOT\CPC4_V4_16\pvcs\config\BS_Common_src.arl, F:\continental\upload4\did77091\PROJETS\Radio\RD45\07_MP\02_MP_QualityAssurance\210-Capabilité_equipements\Bizerte\Inspection optique\repetabilité vision SICKconnecteur MOST ilot 1 RD45 BCL tiroir droite.xls, E:\continental3\upload_c2\did43391\99_Workuser\Satvanyi\Boot_v04_16_with Source Address 0x32\config\BS_Appl_src.arl, F:\continental\upload4\didb3019\Konstrukce_Archiv\P-pomocne\P1-1103_Paletka_vytvrzení\Data\(5) Pojistka_výkres.idw, I:\continental2\upload3\did35017\Interior_Innovation_Vehicle\03_Development\05_Hardware\03_Parts_Components\14_HMI_PC\02_OS\Image_WINXPembed\2_Anpassungen-Tools\app\DemoFPK\DemoFPK\msgina.dll, F:\continental\upload4\didb3020\Neplatne_NotValid\Kvalita_Qualitaet\Statistika\Brandys\KS\Vn-Auswertung\2002\11_2002\VDO\Colorado\VnPlovákSest-VDO.xls, E:\continental3\upload_c2\did01155\pua\01_Operations Controlling\2022\01_Actual\01 Reporting\00_general dashboard, E:\continental3\upload_c2\did02299\TM_community_RBG\140415_Documentation_Test_Strategy_Safety_MY16, F:\continental\upload\10Werkstoffe\CR\ROHSTOFF\CC\03\58\02 VULCAN 5H (Cabot, Botlek, NET)\2 - Specification, TDS, CoA
[lockbit3.0] — 28.09.2022 00:22:17 UTC — Message 19/37
Hello,
[lockbit3.0] — 28.09.2022 00:22:27 UTC — Message 20/37
[REDACTED URL]
[lockbit3.0] — 28.09.2022 00:22:41 UTC — Message 21/37
password conti456
[lockbit3.0] — 28.09.2022 00:23:30 UTC — Message 22/37
Files you requested are uploaded.
[Continental] — 28.09.2022 09:41:49 UTC — Message 23/37
Thank you for providing the sample files. We will verify them and come back to you.
[lockbit3.0] — 28.09.2022 16:26:09 UTC — Message 24/37
Hello, okay.
[Continental] — 03.10.2022 09:09:43 UTC — Message 25/37
Hello, we are still in the process of verifying information but it is taking longer than we anticipated. We hope to complete the verification work soon and appreciate your patience. Can you confirm if the list you provided covers all the data you hold?, or was it only some of it? The list did not give details of file sizes. What is the total size of all the data?
[lockbit3.0] — 03.10.2022 09:35:00 UTC — Message 26/37
Hello. We understand. Yes, the list contains all the data we have. You have never asked for file size information. The total size exceeds 40 TB.
[lockbit3.0] — 19.10.2022 10:16:31 UTC — Message 27/37
Hello. Your silence lasts too long. You need to pay.
[Continental] — 20.10.2022 16:47:47 UTC — Message 28/37
What guarantees do you give if a payment is made?
[lockbit3.0] — 22.10.2022 15:00:37 UTC — Message 29/37
Hello. Your files will be deleted and nobody will know about the breach if a payment is made. Your files will appear on our leaks site if no payment is made.
[Continental] — 24.10.2022 13:43:32 UTC — Message 30/37
Hello, we have to hold a management meeting and will come back to you tomorrow end of business day.
[lockbit3.0] — 24.10.2022 15:46:09 UTC — Message 31/37
Hello, ok.
[lockbit3.0] — 26.10.2022 07:55:07 UTC — Message 32/37
Hello, no word from your side though it is a new business day already. You need to pay.
[lockbit3.0] — 27.10.2022 11:46:09 UTC — Message 33/37
Hello. We've been waiting.
[lockbit3.0] — 28.10.2022 15:07:03 UTC — Message 34/37
Should we regard your silence as a rejection of the negotiation process?
[lockbit3.0] — 02.11.2022 00:53:22 UTC — Message 35/37
We're starting to get your data ready to be published on the blog.
[lockbit3.0] — 02.11.2022 00:56:59 UTC — Message 36/37
Our correspondence will be attached to the post.
[lockbit3.0] — 03.11.2022 00:15:30 UTC — Message 37/37
[REDACTED URL]
// Analysis

Analyst Observations

  • LockBit 3.0 was the most prolific ransomware group of 2022-2023, responsible for more attacks than any other group. Their infrastructure was taken down by Operation Cronos in February 2024.
  • LockBit 3.0 threat actor profile — TTPs, ransom demands, and active campaigns.

Facing a Ransomware Demand?

Whether you choose to negotiate or refuse — having specialists in the room changes the outcome.

Contact Us Now Our Negotiations Service →