// Ransomware Negotiation Transcript
lockbit3.0 Ransomware Negotiation — Plastic Products Company
// Context
About This Negotiation
This transcript documents a lockbit3.0 ransomware negotiation with Plastic Products Company. The negotiation consisted of 28 messages exchanged over 15 days, beginning on 2023-03-05.
The initial ransom demand was $6.0M. The final outcome is not confirmed in the transcript.
// Primary Source
Full Transcript — Verbatim
Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.
Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
[Chat started]
Hello. I've never done this so I'm sorry if I don't have all the information you need up front. But the ransom note said I'm supposed to contact you.
Hello, you need pay.
I've never used bitcoin before so I'm following tutorials to get it set up. I'm doing my best.
Also we downloaded a lot of information from you.And so far we haven't published anything.There is no mention of an attack.
You need to pay 6000000$
Oh wow, I don't know if we have that much money available. Can I see the information you took?
Ok.wait
[REDACTED URL]
Thank you. I'm getting a file to prove decryption works.
ok
The first time we sent you an incomplete tree. In the next message there is a link to the full tree
Download link: [REDACTED URL]
Password: Ak%xTarylM0r*jV7$qWdGs3$T
Thank you
Use the test decryptor to verify the decryption. Use it correctly. Take the file from the pc with the ID of which you logged into the chat
Ok my boss is concerned since there's no way to tell what file we're decrypting that you could just send us some fake file back and claim the decryption worked.
You know your network, your data, how is it that you can't tell? Besides, the test decryptor works in automatic mode, without my involvement
when wiil you pay?
My engineers are working on finding a small enough file that they'll be able to confirm decryption for. I'm also working with my leadership on the financial side. We're doing our best but $6M is a lot of money.
It's a small amount of your revenue. You can afford it. If you need time to prepare the amount, we'll give it to you, but you have to set a deadline. Our reputation and our name speaks for us, we can send you any number of files from the tree we sent you. And we can decrypt all the files we encrypted. And after payment, you'll get information about how we penetrated your network.
We found a file that we should be able to confirm the content with that match your requirements. I'm just waiting for the engineer to send it to me. I'll have an update from my leadership for you soon as well.
ok
You are very slow. Your name will now appear on the blog
[REDACTED URL]
I'm sorry I'm doing my best. My leadership is working with lawyers and all of that is extremely slow.
Now you will try to negotiate faster. After all, the timer is running. More than a week has been wasted
when will you pay?
// Analysis
Analyst Observations
- The initial demand of $6.0M places this in the upper tier of ransomware demands, typically reserved for large enterprises.
- LockBit 3.0 was the most prolific ransomware group of 2022-2023, responsible for more attacks than any other group. Their infrastructure was taken down by Operation Cronos in February 2024.
- → LockBit 3.0 threat actor profile — TTPs, ransom demands, and active campaigns.