// Ransomware Negotiation Transcript
LockBit 3.0 Ransomware Negotiation — Millennia Professional
// Context
About This Negotiation
This transcript documents a LockBit 3.0 ransomware negotiation with Millennia Professional. The negotiation consisted of 43 messages exchanged over 23 days, beginning on 2023-01-02.
The initial ransom demand was $2,023. The final outcome is not confirmed in the transcript.
// Primary Source
Full Transcript — Verbatim
Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.
Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
[Chat started]
Hello dear sirs, How much to unencrypt files on my network?
bump
300 000$ for all
300 000$ for all pc
Also, if you have any thoughts of refusing to pay 2023-02-21 07:16:07, we will publish the data that was stolen from your online storage. If you choose to use the backups you have, we will simply publish your company's financial documents. At the moment your documents are being processed in our TOR cloud storage, in about 2 weeks they will be available. For now, we can only report the volume of stolen data - 30 GB.
Thank you for the update. I will let management know.
ok
Trying to understand what 300,000 is for. This will unencrypt the files on network? I am being told that some are encrypted with lockbit 2.0 and others with 3.0. Is this able to be done at once?
300,000 for all computers. We will give you both versions of the decryptor for both the 2.0 and 3.0 Black versions
And the published data?
The data will not be published and will be deleted automatically upon payment
Thank you. I will relay the information.
ok
File: [files_tree_b4e3588c39.txt]
This is a list of your data that was stolen.
Is this a complete list?
Yes
Thank you, I will relay.
ok
any info?
[REDACTED URL]
We are receiving phone calls because we are not communicating in chat. Is this your team or am I communicating on the wrong channel? I have been tasked with finding out what country your group originates from and if there is any movement on the number you have given?
Yes the call was indeed made by us
We attack companies all over the world and speak virtually every language.
I'm sure you do, but to which country is the money going when you get paid?
Also, is there a movement on the 300,000
The payment is made in BTC cryptocurrency and you will never know about it. However, we can say that we are not political hackers, you just have weak security and we need money, that's all.
bc1qx9upga7f09tsetqf78wa3qrmcjar58mkwz6ng6 - BTC wallet
300,000 is a lot of $$. Can that be reduced?
On your feed, it says $500,000
If the documents that we have get into the public domain, believe me, this amount will seem insignificant because of the losses that can result from leak
I will take that information back to them.
This is the price for your competitors, if someone wants to buy your company's internal documentation, we will sell it to them, but the sooner you pay the amount offered to you, the less likely it is that someone will use the information
If you want to keep your data from falling into the wrong hands or other organizations, you need to resolve the $300,000 ransom payment as soon as possible, and the data will be destroyed
And accordingly you get a decryptor for both versions of Lockbit 2.0 and 3.0 black
Appreciate the clarification
Do you have any new information? Have you started preparing to pay yet?
I do not at this time.
You have 17 days left, we advise you to prepare everything in advance
Noted.
Hi, do you have any new information?
We are willing to drop the price for you. The final price is $200,000 this is our final offer!
// Analysis
Analyst Observations
- LockBit 3.0 was the most prolific ransomware group of 2022-2023, responsible for more attacks than any other group. Their infrastructure was taken down by Operation Cronos in February 2024.