// Ransomware Negotiation Transcript
LockBit 3.0 Ransomware Negotiation — Newbridge
// Context
About This Negotiation
This transcript documents a LockBit 3.0 ransomware negotiation with Newbridge. The negotiation consisted of 70 messages exchanged over 31 days, beginning on 2023-01-27.
The initial ransom demand was unknown. The final outcome is not confirmed in the transcript.
// Primary Source
Full Transcript — Verbatim
Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.
Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
[Chat started]
hi. to decrypt the data and avoid publication you need to pay us. we haven't published your name on our blog yet
soon we will send you a tree of stolen data
We found your telling us to come here. What is going on?
need to pay
[REDACTED URL]
Thank you for the list. You said we need to pay, how much is that?
250000$
after payment, we will delete your data and provide a decryptor
The list is with leadership for review. Is this the full list of all data taken?
yes
time to pay now
Thank you for answering our questions. The leadership is reviewing the file list. No one was here over the weekend to get this done. Thank you for your patience.
OK
the list is rather large! How much data in all did you take? It seems like a lot!
all the data we took is on this list. when you pay, we will permanently delete it, and decrypt all your systems. the sooner you pay, the sooner it will be over and you will go back to your old life
How do we know you have this data?
select some files from the tree, and we will send them
OK. I will get with my leadership so they can choose what files to send.
hurry
It's a long list. How much data is this?! We are hopeful to have the file names for you today or tomorrow morning.
ok
Here is the list of files. NEWBRIDGE\2021 DMHAS license\licenses expansion\attachmentsCO - Parsippany.pdf \ NEWBRIDGE\HR\HR FORMS\Job Posting & Change FormsCHANGE OF STATUS Checklist 1.14.2020.docx \ NEWBRIDGE\HR\Job Announcements\2022Clinician Sparta-FT internal- 9.2.22.docx \ NEWBRIDGE\HR\HR FORMS\AccommodationsAccommodation REQUEST - Employee.docx \ NEWBRIDGE\2021 DMHAS license\continuation letter 1.26.21New Bridge Services Inc. 1-26-21 Continuation Letter (003).docx
ok, wait
[REDACTED URL]
password qtuhK4vpjG^fgM5ZRm$psn5mO
Thank you for the files. I will give them to my leadership to review.
OK
what is the next step in this process?
You pay
How do we know you can fix our systems?
You have the opportunity to make test decryptions
After payment, we will provide you with a decryptor for the entire network, identify vulnerabilities and delete your data
How do we make test decryptions?
There is a mention on your page, upload a small encrypted file
Please perform the actions faster. Otherwise, we will change the negotiator, and make mentions of your company on the blog.
I know that your goal is to drag out negotiations as long as possible so that we get nervous and agree to a smaller amount. by asking dumb questions you are playing against yourself and risk getting blogged. the test decryptor window is to the left of the chat.
We are not trying to drag anything out. We have never dealt with anything like this before and I wanted to be sure. I will get my leadership team to give me some files.
you can say what you want, but we have a lot of experience and we understand everything. each machine has its own ID. for a successful transcription you need to take the file from your PC, with the ID you are logged into the chat! or go to the chat with the ID of the PC from which you take the file for test decryption
The decrypted file that you sent us looks corrupt. Can we send you another one?
You can follow the link to the chat from any PC, take the file from this PC and use the test decryption
We tried to do it on another PC. Your decrypt tester is not letting us upload any more files.
send the file, we will decrypt it for you. it should not be an important file, a picture or pdf
[REDACTED URL]
We've tried to attach more files in the chat but it won't work. Does this work for you?
ok, wait
File: [inetres.adm.7z]
Thank you for the file. I gave it to my leadership to review.
hurry up! very slow
My leadership said that they don't know what that file was that you sent and they wanted to send another one.
You sent us the file yourself. Okay. Send us another file
You will do the test yourself faster if you perform the action correctly. Your visiting this chat room once a day does not contribute to the solution.
Ok. We will find one and get back to you ASAP.
hurry up
Since all the names were changed on our files it is taking a long time making the appropriate selection.
It takes a maximum of 1 hour. We are well aware that you are a representative of the recovery company and want to earn yourself. But in fact you are damaging your clients and yourself as a negotiator
[REDACTED URL]
You have time to think about whether to drag out the negotiations further, or pay up and close the matter quietly.
I'm not part of a recovery company. We are trying to work with you. Once you publish our data there will be no point in talking with you. I will check with my team on the status of getting more sample files.
don't care! you won't scare us with this. you've been taking too long, whoever you are. your name will be published first, and then only your details. if you don't pay, others will pay. our patience is over
[REDACTED URL]
ok, wait
File: [Quality Management Coordinator 12.1.2017.pdf.7z]
when will you pay?!
My leadership is going to meet to discuss this.
Hurry up
The leadership meeting has been delayed due to something beyond our control. Thank you for your continued patience with us.
If you hope that by delaying negotiations you will lower the price, you are mistaken
I am not trying to delay negotiations. I have not heard back from the board yet.
it's time to pay
// Analysis
Analyst Observations
- LockBit 3.0 was the most prolific ransomware group of 2022-2023, responsible for more attacks than any other group. Their infrastructure was taken down by Operation Cronos in February 2024.