// Ransomware Negotiation Transcript
LockBit 3.0 Ransomware Negotiation — Contec
// Context
About This Negotiation
This transcript documents a LockBit 3.0 ransomware negotiation with Contec. The negotiation consisted of 52 messages exchanged over 50 days, beginning on 2023-03-21.
The initial ransom demand was $4.0M. The final outcome is not confirmed in the transcript.
// Primary Source
Full Transcript — Verbatim
Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.
Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
[Chat started]
We found your note and it brought us here. What is it that you want from us?
Hello, you need pay.
Also we downloaded a lot of information from you. And so far we haven't published anything. There is no mention of an attack.
soon we will send you a tree of stolen data
[REDACTED URL]
password Y$aP2bsG6vO6oS@C$ISV$FfAo
We are a small company so please give us time to go over the list. And what exactly do we need to pay?
So why do you start negotiations with lies. We know exactly what kind of company you are. How much money you make, how many employees you have, computers, and so on. The ransom price is always fair. $4,000,000
I want to warn you right away. If you don't actively negotiate, and you drag it out, your name will quickly end up on our blog
$4,000,000 is a ton of money, we are going to have to discuss with the team on what we can do here so please be patient while we try to figure that out.
Okay. We'll wait.
We've had a chance to discuss and review this internally. We're not starting anything with lies, and we have no intention of dragging anything out. We also want a quick resolution here, but $4,000,000 is an unrealistic amount for us. We can offer you $200,000, which to us is a lot of money. Would this be enough to get your help here? We don't even know if you can restore our files.
We are guaranteed to decrypt all your files. You can also use the decryption test. Our reputation is impeccable! But your offer is not serious. We will not accept it
We are doing all the work we can and $200,000 is serious money for us. We don't deal with this sort of thing day in and day out like your group may, but we are still hopeful that we can work something out. To that end we would like to ask if you could come down off of your price.
Okay. $3,800,000
We're going to need a few days to meet and discuss what we may have available because we can't pay anywhere near the $3.8M you're asking for. Like we said, we're hopeful that we can work something out but we're still trying to process the amount you have asked for. We'll provide an update either Monday or Tuesday.
ok
We've spent the weekend combing our finances and we would like to tell you that we can't afford $3.8 million dollars, however we would like to pursue a deal. We have been able to make $300,000 available. We hope you consider our offer because it represents our current financial capabilities
3700000$
We understand that you want paid and appreciate you reducing your price but what you are asking is still far away from what we can offer you. We have worked hard on freeing up additional funds and we can increase our offer to $350,000.
3650000$
time to pay
We simply can't pay what you're asking for. We offered you a lot of money and ask that you reconsider our offer or come down further so we can come to some agreement in the near term. Are you able to come down further?
What you suggested does not suit us. We gave you a discount
Your demand of millions of dollars isn't something that is reasonable or feasible... we just don't have that kind of cash. We ask that you help us out with a reduction in the price.
$3,600,000
You have taken the wrong position. As long as you negotiate in this way, we will not get to the right result. We're not going to give you a big discount.
well?
Thank you for the discount but as we keep telling you we cannot afford anything near that price. We are still working as hard as we can to free up additional funds. We have a meeting scheduled this week to discuss and will give you an updated offer after our meeting.
Good. We'll wait for the results of your meeting.
well?
Your price is still far beyond anything that we're able to pay. This has been going on for some time now and we would like to put it behind us. To that end we would like to offer $375,000 to be done.
Your price is still not satisfactory to us. We will give you an additional discount. Paying $3,575,000.
That's still far beyond what we're able to pay and we're not going to have everyone available this weekend to discuss further. We will discuss your offer when everyone returns after the weekend and we will reach out then.
We are waiting for an answer tomorrow.
?
We were able to meet and we can increase our offer, although not by much. We can make $400,000 available to settle this incident. Can you accept?
Unfortunately, that's not enough either. We have consulted and decided to give you an additional discount of $75,000
$3,500,000
Decryptor will delete at - 2023-04-20 10:43:18
As you can see in the chat window, your decryptor has been removed
We saw your message and see your site says the decryption tool has been deleted. Are you telling us we have no way to restore our files now? Is it actually deleted?
I saved the decryptor before deleting
When will you pay? It's time to pay
If you do not respond, we will consider this to be ignoring and will have to move on to publication. You have no initiative in resolving the issue, you are not contacting us, do you want us to publish your data?
Thank you for not deleting the decryptor and we were concerned it would be gone. We understand you want to get a deal done, but you encrypted our files at what was already a very difficult time. We had just recovered from another ransomware event with a different group. We had only barely gotten our systems running again. After dealing with that, we do not have much of anything left to offer you due to all of the costs associated with the first ransomware group. We want to purchase your decryptor and get back to business but we simply cannot due to the first attack.
Apparently after the first attack you did not understand that it is necessary to monitor the security of systems. After payment, we will let you know how your network was penetrated, we will not attack you again and tell you what to do to prevent such cases again. The first group didn't give you any advice?
No, the first group did not give us any advice. And unfortunately, as we have said we can't pay the amount you are asking. If we could, we would gladly pay it. Two of these attacks in very short order has left us very distraught and in a bad place. But we cannot give you what we don't have. We can still offer you the same amount we did before of $400,000 that we can pay in short order if you are willing to accept it. We just want to be done with this and get back to business as this has been extremely difficult for us.
No, it means that the first attack did not make you understand that you need to monitor and ensure the safety of your company, employees and reputation. You have to pay for all that. Usually companies take care of this, pay good sysadmins, buy different programs and more, but in short ensure security. Or pay for pentest services with post-pay, which is what we do, and we know the price of their services and their work. Based on all this, the amount you offer is very small, and it is not enough to solve the problem. The price is $3,600,000.
Well? Time to pay, or else the first part of the data will be on the blog. You have been given plenty of time
[REDACTED URL]
// Analysis
Analyst Observations
- LockBit 3.0 was the most prolific ransomware group of 2022-2023, responsible for more attacks than any other group. Their infrastructure was taken down by Operation Cronos in February 2024.