// Ransomware Negotiation Transcript
lockbit3.0 Ransomware Negotiation — Kaycan
// Context
About This Negotiation
This transcript documents a lockbit3.0 ransomware negotiation with Kaycan. The negotiation consisted of 94 messages exchanged over 12 days, beginning on 2023-03-06.
The initial ransom demand was $8.0M. The final outcome is not confirmed in the transcript.
// Primary Source
Full Transcript — Verbatim
Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.
Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
[Chat started]
hello?
Hello
if you want decrypt, you'd better start a dialogue
OK. I read you took files and that you have a decryptor to decrypt files. What are these files and how do I know you can decrypt the files you left?
Send me some encrypted files, I will decrypt them for free.
I see you're not in rush having business with us. I don't think it's in your interest to be penalized for that.
If you keep quiet I will start to leak your data
It take time to collect files wait please
File: [Laval encrypted files.zip]
File: [Sayabec encrypted files.zip]
Can you show me the files you took and what your demands are?
I uploaded some test files
wait for test decrypt
i'll provide you some proofs of stolen data soon
vm files are not allowed for test decrypt, just not important files like .log file
while i'm preparing proof for you let's talk about business
you need to pay 8 million doolars to get decription software and deleating stolen data
That is a lot of money, so we need to see what data you took to assess what the business is able to discuss.
all files I gave you are low value. I would not send you anything important but we do want to ensure VM files would be able to decrypt
it's a good price for your company
We can certainly discuss what is a good price and how we can be assured of agreement.
decryption software works with all files but we have rules and for trial decrypt vm files are not allowed
of course
I'll come back later with proofs
.vmx impossible free decrypt
File: [decrypted_key.rar]
vmx is a config file. Why is that not decryptable?
take a partial screenshot so we know your decryptor works.
File: [1.png]
File: [3.png]
File: [5.png]
File: [4.png]
File: [2.png]
can I get a list of the files taken rathrer than a few files?
File: [1.7z]
File: [1.7z]
ty will review
get a move on, 3 days already gone and i don't see your offers
is this a partial list? did you mean to send 1.7z and 2.7z?
no
check this list and lets talk about business
Your time is almost up.
show me these files Employee Roster HYZ 10312018.xls, Devis Entretien Ménager Uniboard-Unires Val-d'or 2023.docx, Employee Total Hours Report HY1 Salary 10312018.xls, PAYROLL9122015.xls, Mont-Laurier vs LaBaie HDF.xls, Panneaux de paille.xls,
please bear with us time-wise. We are trying to deal with this as quickly as possible. Thank you.
choose 3 of thees files
File: [files (1).7z]
here you go
ty
Stop stalling, I want to see numbers from you, otherwise I am preparing a press release.
you have 6 hours to give me answer
We would like to reach an agreement however we are not sure how you reached that price you are asking for? Can you offer a price that we can digest and agree?
Before encrypting any network we do deeply study them. We know how much you can pay.
How do you know how much debt we carry? None of the information you may have seen would include that. Is there any flexibility on the price?
I don't really want to keep this conversation What do you want? Give me your offer
I have no interest in insulting you with an offer because your starting amount is significant than what we have liquidity to allocate to this without debtors locking us out.
I still want to see your offer. Well maybe we need to prepare a blog post for you and close this chat. I can't decide
but why did you post us?
can you remove our post?
our board has agreed to offer 500k to close this incident. Do we have a deal?
Because it semms you don't want to make a deal and waisting time
the blog private now, i just want you know that i'm not joking with you
The amount is nothing for such a company. You have a time until tomorrow to make a real offer. Otherwise I will put a blog to a public page.
we know that.
but you see? I told you that you do not understand our situation so why even ask for an offer?
Look I just need to tell my management something. Are you able to provide a more reasonable price or not? the fact you already published means the company needs to take calls from the media.
What was you doing last week? You just wasting my time. You see my price
you are asking for a large amount and this requires high level of approvals. We cannot move so quickly. I know you want to get paid quickly but if I decided to ghost you we would not have been here.
today i will public your blog, tomorrow i will start to upload your data for public access.
I just want to confirm for my management, you are not interested in discussing your demands? correct?
i'm not interested in 500k$
Is there a middle ground we can reach agreement on?
i dont want to answer questions, a want to see real offer. show me what you got
btw discount possible just if you pay on this week
I understand, but I am sure you know how boards work, they want to approve a specific amount not some imaginary number. If you can advise what is a realistic number for a deal I am happy to present it.
8m $ is very realistic number for your company. i can give you discount 10% just if you pay this week. This is a good result of your work.
any update?
I hope to hear from management very soon
hurry up
Just completed a board discussion and the board is willing to settle this at 1.5m $ this is a big increase as you can see from our former amount but we hope you can see how serious we are to address the situation in an amicable fashion.
I can't access that amount
I see you're not impressed an effect of our blog post. Tomorrow the blog will be available again with. I don't care if it will not increase the offer but at least next time the recovery company will make things faster
I am awaiting our management executive to confirm what is possible in terms of an amount for this case. You have to understand we are looking at data and cost of the incident to us. I will likely respond to you tomorrow. If you publish us again, it will have no more impact that your publication already did.
We scheduled an afternoon board meeting as I am at my limit from a $ perspective. I will be in touch tomorrow afternoon/evening time frame.
so what?
we are just finishing the meeting where the Board approved 3.0m $ and we see you posted our company again
are you ready to pay right now?
Absolutely not. You posted us when I explained to you that we might increase our number. Remove the fucking post and I will try to save this on Monday but I am literally not promising anything. It is your choice.
first of all it's your words
"If you publish us again, it will have no more impact that your publication already did. "
second thing ufter using "fucking" your price is 5 million and it's your last price
I warned you several times, you thing that you can do what you want. probably no.
you have the power. I told you what I said, I stand behind my statements. Your call.
you know the price, work on it.
// Analysis
Analyst Observations
- The initial demand of $8.0M places this in the upper tier of ransomware demands, typically reserved for large enterprises.
- LockBit 3.0 was the most prolific ransomware group of 2022-2023, responsible for more attacks than any other group. Their infrastructure was taken down by Operation Cronos in February 2024.
- → LockBit 3.0 threat actor profile — TTPs, ransom demands, and active campaigns.