// Ransomware Negotiation Transcript
lockbit3.0 Ransomware Negotiation — Nicklaus Children's Hospital
// Context
About This Negotiation
This transcript documents a lockbit3.0 ransomware negotiation with Nicklaus Children's Hospital. The negotiation consisted of 43 messages exchanged over 23 days, beginning on 2023-01-17.
The initial ransom demand was $7.0M. The victim refused to pay.
// Primary Source
Full Transcript — Verbatim
Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.
Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
[Chat started]
Hi.
Hello, I'm wondering if anyone is available to assist? Thanks.
Hello
How I can help you?
Hi, my company's computer network was affected by a virus. There was a note that instructed we reach out to you. I was asked by my employer to find out from you if you have taken any data from our systems? And anything you can share about next steps would be helpful. Thank you.
You pay - we decrypt your network.
"Your data are stolen and encrypted" -- is this not the case?
You pay - we decrypt your network and delete your data.
Do you have a list of the data?
You will receive a complete list of the stolen data only after you pay the ransom.
File: [07-15-22 master control - brands 1099.pdf]
File: [10-30-22 stat summary - gbi svc 1099.pdf]
File: [12-30-22c checks - jj.pdf]
File: [2021 K-1 - JWNII Living Tr - Nicklaus DC Invest.pdf]
File: [Jim Schnare with Passport.jpg]
Ok, thank you. What/how do we pay you?
$7,000,000 in bitcoin, or $6,900,000 in monero
You're asking for 7 million dollars for this?
You are a very famous brand, it is a very good price not to ruin the reputation of the Golden Bear, why your director at 82 years old hundreds of millions of dollars? he will not have time to spend them the rest of his life anyway, so 7 million dollars is a very fair price so that no one will ever know about our attack.
Good morning. I have passed on your messages to my bosses. They will be discussing with the board this weekend or early next weekend. I will get back to you then. Thanks.
Ok.
Hello. It looks like my bosses have some meetings scheduled for today to discuss this. They are asking how many files you took from our systems?
You will receive a complete list of the stolen data only after you pay the ransom.
Do you have the total size you can share with me? I'd like to give my bosses some information that may be helpful in making their decision. Thanks.
More than 200 gigabytes of data.
Good morning. My bosses have meetings with partners this morning. Once I have some information, I will let you know. Thanks.
Ok.
Hello, sorry for the delay. I've been following up with my bosses for some updated information. At this point, I've been told that we don't have anywhere close to 7 million dollars. My bosses are asking what you will do with the data after we pay? Thanks.
Advise your bosses not to be greedy, we know you have money, we own your documents, the richest people on the planet play in your clubs and nothing is more important than your reputation. In case you can overcome the greed of your bosses we will permanently delete all the stolen information and this chat room, no one will ever know about our attack on your company.
You need pay.
Hello. Sorry for the delay. I have been talking to my bosses to get to a resolution.
My bosses wants me to communicate some things to you sir. Your ask for 7 million is much too high and we cannot pay this. Most of the reputation damage is already done to us just by the fact that you came into our network and took our data. The non-publication of the data is a very small part of the total damage. Our lawyers have forced us to notify our employees and customers of the breach and we already lost some business relationships as a result. We also do not have the funds to support the asking price anyway because we are spending a lot of money recovering from the breach.
To honor our stakeholders, we are willing to pay you something — not 7 mil. Can you please consider a lower amount. Thanks.
Make your offer.
I have a meeting in 1 hour with my bosses and lawyers and will get back to you right after.
My bosses said a reporter reached out and told them that our data is already published?
[REDACTED URL]
At the moment only your company name is published, but very soon all of your information will be published if you do not pay, you have little time left. Only 48 hours to pay.
Ah ok. Only 48 hours? I thought it said Feb 21?
[Chat started] 17.01.2023 16:11:13 UTC
I just want to let you know that the data is ready to be published and the decryptor is ready to be deleted. You have had plenty of time to make your decision, your time is up.
Do you have any offer for me?
// Analysis
Analyst Observations
- The initial demand of $7.0M places this in the upper tier of ransomware demands, typically reserved for large enterprises.
- The victim explicitly refused to pay. This is a definitive outcome that typically results in data publication.
- LockBit 3.0 was the most prolific ransomware group of 2022-2023, responsible for more attacks than any other group. Their infrastructure was taken down by Operation Cronos in February 2024.
- → LockBit 3.0 threat actor profile — TTPs, ransom demands, and active campaigns.