// Ransomware Negotiation Transcript
LockBit 3.0 Ransomware Negotiation — Redacted Organisation
// Context
About This Negotiation
This transcript documents a LockBit 3.0 ransomware negotiation with a redacted victim organisation. The negotiation consisted of 137 messages exchanged over 23 days, beginning on 2025-02-11.
The initial ransom demand was $70,000. The final outcome is not confirmed in the transcript.
// Primary Source
Full Transcript — Verbatim
Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.
Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
You can attach a few files for test decryption by packing them into an archive with zip, rar, tar, 7zip, 7z, tar.gz extensions of no more than 10 megabytes using the attach button directly in the chat. If your archive weighs more than 10 megabytes, please use our file sharing service. [REDACTED URL] security reasons we do not click on other links you send in chat. Please wait for a reply, sometimes it takes several hours due to possible time zone differences.
Hi Lockbit, this is [redacted] and saw the post and may we ask to get the directory listing of all the files that you have. May we ask for more time so we can inform our stakeholders for them to assess and consider our next move? Thank you for understanding.
[REDACTED URL]
you can download all the files that we have and see for yourself
the blog was taken down for a while
Thank you for your consideration.
Good day, may we negotiate the amount you have in mind and what in turn would be Lockbit's end of the bargain.
120k$ in bitcoin
After payment, 100% of your files will be securely deleted and our team won't bother you again. You can trust us by reading about us on the global internet. We value our reputation
our deals run on a regular basis, client want to solve the problem before first posting information on the blog
Dear Lockbit, may we state that last year was the only time we were profitable and we only earned $200k. We have also notified the regulators and our clients as well as required by law since the encryption last January 25 caused a major outage. That said, we were able to restore operation with some backups, albeit with some data loss therefore decryption wont really be necessary. Please give as an amount that we can get back to our leaders to be considered.
maybe we can lower the amount, but not by much.
in the process of working with you, we thought about 100k.
our principles have become worth more than money. However, a discount can be negotiated.
Thank you for your consideration. 100k is still very steep for us as its half of our revenue which will be negated with the damage caused by the outage. May we respectfully ask to please significantly bring it down since we are only technically be requesting for the deletion of the data and we do understand that this is just business for you.
I don't know how much you'd be willing to pay.
but I know it would be a big problems to you if we released your data in blog.
They often say they've had a bad year, but they'll still have to pay.
If I give a price now, it will be the last one.
We understand, and we actually had a good year last year since thats the first time we were positive. But this incident wiped it off all away and will be spending more in recovery. Also, the directors are there just for name as a favor and add credibility which by the way is now in shambles, but they dont really contribute, otherwise they would have sent their army of IT to help us recover. I am looking at 10-20K to comeback to the heads and this will be coming from our own personal funds. While there will be some issues on publishing this, as we mentioned, we have already notified the clients and regulators about this breach.
by the way, you downloaded your backup files, which will help you as well.
20k is not possible and 50k is also not possible, companies much smaller than you pay us such amounts
We are not paid from IT team, they do not have that kind of money. We are paid by the heads of the companies
we don't need from yours own personal funds
we can't agree on this
we were already aiming to publish you, you may have noticed by the posting time of only 1 day.
you are lucky that you reacted quickly, we did not expect this
even though there was a warning on viber
why didn't you react immediately
it's your fault
I consulted and asked for another discount for you, our price will be 70k
and we will not rush you to pay
your office will allow you to pay that amount
Thank you for your concern and consideration, yes this funds will not be coming from IT. But we only have one owner, as we are a small private company, and he will have to cover everything. We were unsure of the viber message, but here we are. We will come back to you if we can convince him to pay 50k as this is still big for one person.
in the message in Viber there was a link to your archive to make sure
our price was 70k you write about 50k, let me talk to the team and agree on 60k for everyone
Ok, let us know. Thank you.
we agree to 60k, decision is yours
Will relay this and come back with a decision tomorrow morning as its 1am here. Do you have a code name or nickname so we know we are talking to the same customer support tomorrow?
ok, on your time 16-17 o clock, I'll be online in this chat, possibly earlier
Ok, thank you for your patience.
Thank you too, good luck.
Good day Lockbit, we have met and we have come up with our final offer of 30k. Please do consider that we are only asking for the deletion of the data as we have already notified the regulators and clients about the breach as mandated by law. So this is just to minimize exposure so we can concentrate in the restoration activities. Hoping for you kind consideration.
you know, if we publish your data, you will lose more than 30k
they will also end up with your competitors, and you will be on the verge of closing down
If your directors wants to get off easy, it won't work
30k doesn't mean anything to us.
We are waiting for another offer from you
our last successful data deal that we had was for 500k, clients pay well for their data, not for encryption
we made concessions to you, but you're upsetting us with your offer.
Let me get back to you.
Hi Lockbit, I've talked to our heads and most of them are against of paying at all. We don't know much about your business and the heads are insistent that you would go against your word and sell the data nonetheless. We've been transparent with our regulators and clients and have been working days and nights non-stop for restoration activities. And now, we just want to minimize the damage and hoping for peaceful restoration activities by deleting the data that you have. The heads don't want to pay at all but I've told them that you value your reputation as you said and have managed to convince them to pay 40k for the destruction of data. Kindly consider this offer.
We keep our word! only one person and me has your files, after your payment 40k, they will be securely removed by the program [redacted]
we were going to agree with you for 50k, but okay, I personally agree with you on 40k
Thank you for consideration. Do we have a deal at 40k?
you need to buy bitcoin, write to me when you are ready and I will give you a wallet
40k$ in bitcoin
I will relay the agreement and will get back to you tomorrow same time. Thank you for your consideration.
ok
Good day, we are now preparing the funds and should be ready by Monday. We need help in converting to bitcoin. Would you be able to point us to how any of your previous clients from the Philippines is able to acquire bitcoins for payment?
Hello, I can only give you a our bitcoin wallet
[REDACTED URL]
here you can see where to buy bitcoin
Thank you and will check this out.
Good day Lockbit, we are consolidating the funds and should be completed within the week. We have candidates on where to purchase bitcoin locally with minimal paperworks and will be talking to them on Thursday.
Good day, please don't delay for long time
Rest assured we are doing our best to process the funds immediately. Thank you for your patience.
fine, I'm not hurry you
I'm waiting for you on Thursday
Yes, will give update by then. We are really trying to get the money out and buy crypto but it's harder when we want less paper trail. This is also the first time we are doing this so thank you for your patience.
Good day Lockbit, we're expecting to get the cash out by Saturday or Monday then we can start purchasing the coins next week. Will update you again on Monday
Thanks, allright
Good day Lockbit, We have finally acquired the funds and is now in the process of buying bitcoin. We are evaluating possible sources of bitcoins this week without KYC then it might take some time since we have to split the purchase under $8,000 to avoid being flagged. We'll give you our wallet address once we start purchasing so you could monitor then we'll do an initial test transfer to you after. We could send you a picture for proof of our activities with your required instructions if needed. Thank you for understanding.
Hello, proofs not need, we'll wait
Thank you for the trust. One of us got a call from an unknown number in Lithuania, please give us time to purchase bitcoins.
I don't know who called, not us, we just waiting
how are you doing with buying bitcoin ?
how long do you think it will take ?
We will be splitting the purchase to avoid tripping regulatory limits, so once we have a seller, the estimate time is 2 weeks.
we have never waited so long, and the amount is not large
this is suspicious, why are you delaying time
anyone can register a personal account on the exchange and buy bitcoin in the moment
very long and it becomes strange
Apologies for the wait. We are doing precautionary measures to minimize our trail of buying bitcoins and paying for the ransom.
We can send you the picture of the cash with a marker you will request as proof. But we can't deposit this to a bank and use that account to buy crypto without paper trail. Hope you understand
you can put cash on a card of a person not from the company, and he will be able to buy bitcoin in one click on a popular exchange, for example, binance.com
do not use personal exchangers, they will have a bad rate bitcoin and they may scam you
Yes it was an option before but Binance is banned in the Philippines and can't get them from the app stores or create accounts. We are talking to 2 possible sellers. Please be patient, this is the first time we are doing this kind of transaction. We do have good progress.
ok, no problem
Good day Lockbit, we already got the crypto this morning. Could we do the transaction within today since the market is going down. Would like to conduct test transfer first before giving the full amount.
Hello, great
[redacted]
this is a btc wallet, you can send test transfer
Alright, will now start sending test transfer payment of $100.
We would like to mention that we bought 40k USD worth of bitcoin this morning but with the volatility and transaction fees it will be less. Hope this is okay with you as we want to complete the transaction. Rest assured that we will give you all the btc we were able to acquire.
ok
Test transfer of $100 worth of btc has been sent to your btc address and is now PENDING in status. Please confirm once received. Thank you.
The status of the test transfer is now COMPLETED, could you please check on your end?
+
test transfer came
0.00124505
you can send all amout
We would like to split the next transactions in case we make a mistake. We will next transfer 20k usd in btc first and then the rest of the amount. We hope you understand and this is okay with you.
yes of course, ok
Split transfer of $20k worth of btc has been sent to your btc address and is now PENDING in status. Please confirm once received. Thank you.
Could you help me a bit, may I ask the details of how you got access to our network? Did you exploit our public web app server or phish our users?
is fine, 20k confirm
remove the admin from the domain who controls infostructure, no matter what antivirus you install, the domain will always be vulnerable
got to you through phishing, but I don\'t remember the first host
and you had very easy passwords
I followed the work [redacted], and waited for him to log into Google Backup
about a month
sorry can you transfer the rest, i'm very late now
I need to go and I'll be here in a few hours
Within 24 hours your archive will be deleted from the blog, also i use software [redacted] delete archive from physical pc I'll send you a screenshot, you don't have to worry, we won't bother you anymore and your data will be securely deleted
Sorry just wanted to clarify does this mean you were able to get glen moyo's account through phishing as well?
We are now sending the rest of the payment. Thank you for your response.
Rest of the payment has been sent to your btc address and is now PENDING in status
we got into the network through a manager with user priv, and dump ntlm local admin access on all the hosts in the domain.
then we found the admin in the domain
[login]:[password]
You have a Kaspersky server in your domain, remove it
thank you, the full amount has been received
I'll be back a little later and get to work on deleting your data
You can also ask what you need, I will answer
now sorry me, I need to go
Thank you and apologies for the questions, on the domain, could you expound a bit as we didn't have domain configured yet at the time of the incident.
Let me come back and of course I will answer
It's alright. Thank you. We'll get back on this chat to check in on the deletion as well.
I'm expected, I have to leave now.
of course i will be here
thanks
Your data was deleted
[REDACTED URL]
proof
Thank you for this. May I ask another question, we've read from reports that you often use Anydesk in your attacks, can you explain how it is relevant to you?
Hello, you had anydesk installed on many hosts, we just used it to get back
// Analysis
Analyst Observations
- This is an unusually long negotiation, suggesting extended back-and-forth and significant engagement from both parties.
- LockBit 3.0 was the most prolific ransomware group of 2022-2023, responsible for more attacks than any other group. Their infrastructure was taken down by Operation Cronos in February 2024.