// Ransomware Negotiation Transcript

lockbit3.0 Ransomware Negotiation — Guardian Analytics

27Messages
28 daysDuration
UnknownInitial Demand
UnknownOutcome
// Context

About This Negotiation

This transcript documents a lockbit3.0 ransomware negotiation with Guardian Analytics. The negotiation consisted of 27 messages exchanged over 28 days, beginning on 2023-01-23.

The initial ransom demand was Unknown. The final outcome is not confirmed in the transcript.

// Primary Source

Full Transcript — Verbatim

Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.

Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
[Guardian Analytics] — 23.01.2023 15:21:44 UTC — Message 1/27
[Chat started]
[Guardian Analytics] — 23.01.2023 15:23:00 UTC — Message 2/27
You encrypted our network, what are you asking for to decrypt?
[lockbit3.0] — 23.01.2023 15:52:31 UTC — Message 3/27
And we also downloaded data from your network
[Guardian Analytics] — 23.01.2023 16:57:24 UTC — Message 4/27
ok, so what are you asking for?
[lockbit3.0] — 23.01.2023 17:20:48 UTC — Message 5/27
500000$
[Guardian Analytics] — 23.01.2023 18:25:57 UTC — Message 6/27
Can you provide us a list of the files you took to prove you actually have our data?
[lockbit3.0] — 23.01.2023 18:36:11 UTC — Message 7/27
ok wait
[lockbit3.0] — 23.01.2023 19:37:34 UTC — Message 8/27
File: [GUAR.txt]
[lockbit3.0] — 23.01.2023 19:38:43 UTC — Message 9/27
this is a small part tree of the stolen data . we will not send a full tree, so as not to violate the confidentiality of data. You can select multiple files from the list, we will send them to you, as proof. please note that the lines in square brackets are folders and not files
[Guardian Analytics] — 23.01.2023 20:10:57 UTC — Message 10/27
I cannot get that file to download, can you give it to me from somewhere else, its timing out
[lockbit3.0] — 23.01.2023 20:17:51 UTC — Message 11/27
[REDACTED URL]
[Guardian Analytics] — 23.01.2023 20:40:29 UTC — Message 12/27
ok thanks, I was able to download that one
[lockbit3.0] — 25.01.2023 05:43:24 UTC — Message 13/27
Have you checked out the files?
[Guardian Analytics] — 29.01.2023 18:21:26 UTC — Message 14/27
we did but ther are only a few files in that list, we arent paying you anything for like 15 files, none of those files you showed us have any value to use. Please provide a full file listing
[lockbit3.0] — 29.01.2023 18:31:25 UTC — Message 15/27
ok
[lockbit3.0] — 29.01.2023 18:52:34 UTC — Message 16/27
[REDACTED URL]
[lockbit3.0] — 29.01.2023 18:52:45 UTC — Message 17/27
ggjQNoHymP#y*5W!fqu(%%Z#2
[Guardian Analytics] — 30.01.2023 13:46:25 UTC — Message 18/27
OK i will take this to my boss and see what he says
[lockbit3.0] — 30.01.2023 13:58:23 UTC — Message 19/27
OK
[lockbit3.0] — 03.02.2023 00:44:28 UTC — Message 20/27
[REDACTED URL]
[Guardian Analytics] — 13.02.2023 18:05:51 UTC — Message 21/27
So, we are still looking through the data and will get back to you in a couple of days
[lockbit3.0] — 13.02.2023 18:15:58 UTC — Message 22/27
In a few days your data will already be published. hurry up
[lockbit3.0] — 15.02.2023 12:14:53 UTC — Message 23/27
When will you pay? Our patience is running out.
[Guardian Analytics] — 15.02.2023 15:19:47 UTC — Message 24/27
you said we had until the 18th, we are still looking through the data. This not easy, its alot of data and all we have are file names to trace back to. We also are having trouble figuring out where the data came from to be able to look at it to determine what it is
[Guardian Analytics] — 15.02.2023 15:20:12 UTC — Message 25/27
this is no simple task
[lockbit3.0] — 15.02.2023 16:38:56 UTC — Message 26/27
you are doing the wrong thing. while you are doing nonsense, we will publish your data. this data was taken from your network, don't you know where and what data is stored on your network? this is very stupid, no one is doing what you are doing now, although we have taken millions of files from some companies
[lockbit3.0] — 20.02.2023 13:29:04 UTC — Message 27/27
Hi, what's the news?
// Analysis

Analyst Observations

  • LockBit 3.0 was the most prolific ransomware group of 2022-2023, responsible for more attacks than any other group. Their infrastructure was taken down by Operation Cronos in February 2024.
  • LockBit 3.0 threat actor profile — TTPs, ransom demands, and active campaigns.

Facing a Ransomware Demand?

Whether you choose to negotiate or refuse — having specialists in the room changes the outcome.

Contact Us Now Our Negotiations Service →