// Ransomware Negotiation Transcript
LockBit 3.0 Ransomware Negotiation — La Poste Mobile
// Context
About This Negotiation
This transcript documents a LockBit 3.0 ransomware negotiation with La Poste Mobile. The negotiation consisted of 93 messages exchanged over 5 days, beginning on 2022-07-06.
The initial ransom demand was $600,000. The final outcome is not confirmed in the transcript.
// Primary Source
Full Transcript — Verbatim
Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.
Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
[Chat started]
Hello.
I think you understand what situation you are in, you have 2 options for the development of events, the first is that you start cooperating with us, pay the amount we need, get the decryptor program, we delete the files stolen from you. Either you keep silent and refuse us and we will start publishing the personal data of your customers, you have a fairly extensive database.
little sample from your database export, [REDACTED URL]
Hi,
i have 2 questions How much data in GB or TB have you exfiltrate? And how much would you like?
did you get our example? let's say we have more than 1 TB, we will issue all the rest of the information after payment.
the decryption price for you is 1.400.000$ after payment, we will immediately issue you a decryptor, a list of databases stolen from you, and also their removal.
yes, could you send me a new sample please ?
One sample is enough. Think about payment, you have little time, our patience is running out.
in fact the files that i've downloaded is an old files, if you don't have a fresher sample, I wouldn't buy it at this price..
We will gradually publish the files downloaded from you, first unloading from the databases, then the databases themselves, then the files. You have a price, think. This price also includes the decryptor program.
Regarding the relevance of the data, it is strange that fresh dates are registered there, specifically in the first database that is ready for publication.
don't want to negociate ?
Wait for your offers.
ok if you send me a new fresh sample ..
You were given one example, that's enough, our task is to show you that we have something, and then think for yourself. I'm listening to your payment suggestions.
ok then I will wait for your first publications ..
Good.
For the other targets, you've published different files and for us just this database extract. so i have a doubt if you have other files, i am ready to negotiate but if you have only this database, it will not be at this price..
We are open to negotiations about the price, we have given everything you need. Files will not be opened until publication.
Think about your reputation, you have money, pay and keep customer data safe.
see you later .. i'm sorry i'm sick i have the covid
Good luck. Get well.
You still have 3 days to think about your clients and make us an offer based on the data we gave you.
File: [4.png]
One of the bases that is ready for publication on Monday.
We offer you $100,000 for everything, knowing that it's the weekend and everything is complicated
in addition it is the holidays in France
I will go to your meeting and make an offer of one day, 600.000 for everything, and the issue with us is closed. Believe me, we don't usually make such offers.
I can't go to a meeting I have covid, but I already know their answer..
The initial amount that was billed to your company is 1.400.000, we are ready to meet you and reduce the amount to 600.000 thousand dollars, but this is a one-day offer, after payment you will receive a complete list of the files that we stole from you, we undertake to delete them, and you will also receive a decryptor program that will decrypt all computers that have been attacked on your network.
if I don't have the list of files I couldn't negotiate with the management..
I know that you have the cards in hand, but my hands are tied without the list
I've already sent you more than I'm allowed to, and I'm going to meet you. You should work with what you have, if you want to negotiate with us, we are waiting for a new offer from you of a more realistic amount.
I have nothing more to offer you at the moment and the screenshot of the database does not speak to us..
Now I will send you a couple more tables from this database.
ok if I have marbles I can negotiate without marbles I cannot .. it's a french expression
I will definitely remember this expression. By the way, do not forget about another marbles called the decoder program
The system is gradually getting back in place.
[REDACTED URL]
[REDACTED URL]
When you download the files, tell me I will delete them.
ok for me you can delete them
done.
you don't have more crunchy ?
That's enough, we are waiting for your offer. Everything else after payment.
not for us ..
Then wait for publications, 100.000 does not suit us.
sorry , it is not who decides ..
maybe it will be clearer
wait and see ... is it sunny in russia?
I don’t know, I think you need to ask Ivan with whom your administrator communicates.
Today is a short day, we are waiting for an offer for payment, then we can talk about the weather.
Which of our administrators? sincerely i don't understand ..
When we got on [redacted]'s computer, he was in correspondence with Ivan.
After payment, you will receive not only a decryptor and deletion of files, but I will also give you a couple of tips for free on how not to get into such situations. I'm waiting for payment offers.
The flaw is the human so unfortunately there will always be flaws..
i'm like you, i wait ...
Waiting for what?
decision of my direction ...
Is it a good business ransomware?
The returns are certainly good, but you have to evaluate the consequences and live with it. This business does not forgive mistakes.
I understand, each his cross ;-)
Correctly. How are you feeling ? Is oxygen saturation in the blood normal?
It's good for the moment, I have a fever and I cough
to prepare the ground, could you send me your bitcoin wallet ?
as soon as you are ready for payment, tell me, I will issue the address. Wallets are valid for a limited time.
ola, if it's too limited it will never work, the processes are long here ... i prefer prepare the ground
I need to know the specific time, then I can prepare the wallet.
In addition, if we agree on the terms, then I will delete the post from the blog.
i don't know ... it's not my responsibility
I understand, but we need to come to something, let's say you say that you will pay within 2 days, during which time I will delete the post from the blog and give you the address.
you will have to leave the wallet for at least a day, otherwise it is not even worth imagining the payment, the decision-making circuits are very very long with us.
bc1qp5erh27wesmm8sxljg9p39nua02gd02e4cwk2e
i transfert .. thanks
I have deleted the blog post and if things get resolved soon I will delete your files from our servers and issue you with a decryptor. If you make the wrong decision, you know the consequences. I'm waiting for you with news.
Sorry management won't go over $100,000 , i just received the information .. up to you.
No, it's up to you, we are not satisfied with this amount.
300.000$, our last offer to you.
In case of refusal, we will gradually publish your files, starting with OTD_CLIENT and OTD_BOX (full export) - [REDACTED URL] Next, we will begin to gradually lay out your entire databases. It will definitely hurt your reputation. For the last time, are you sure about your decision?
You can see what I have prepared for publication at this link. [REDACTED URL]
150000$ no more ..
I'm starting to post files, all the best.
ok you have the card in your hand, not me .. i'm not decide ..
[REDACTED URL]
The last price is 300.000$ you have 4 hours to make a decision.
Management doesn’t want to pay anymore, not even $100,000, it has reconsidered its decision ...
i finished my work .. bye
Bye
[REDACTED URL]
thanks
Just in case management changes their mind and takes care of the customers.
// Analysis
Analyst Observations
- LockBit 3.0 was the most prolific ransomware group of 2022-2023, responsible for more attacks than any other group. Their infrastructure was taken down by Operation Cronos in February 2024.