// Ransomware Negotiation Transcript
lockbit3.0 Ransomware Negotiation — PRE Flooring
// Context
About This Negotiation
This transcript documents a lockbit3.0 ransomware negotiation with PRE Flooring. The negotiation consisted of 17 messages exchanged over 4 days, beginning on 2022-07-22.
The initial ransom demand was $200.00. The victim refused to pay.
// Primary Source
Full Transcript — Verbatim
Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.
Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
[Chat started]
Hello
Hello, our files have been encrypted. We would like to discuss getting a decryption key
Hello
To decrypt your files and prevent us of destructive actions against your company you will need to pay $200 000 . We also have all your files.
I will inform the management
ok
Domain controller password does not work now. Did you change that password
Yes. We will return all of the information after the payment.
Also, you will receive recommendations on how to improve the security of your network.
Management received a direct call to cell phone. Caller stated he was you. Stated ransom was $500K. Management spooked. Can't pay that much. Business is a small business. Is your group fragmented or something? Management doesn't know what to believe now.
How did the caller introduce himself? When was the call? How did the caller suggest to contact?
I was not part of the entire call and don't know how call introduced self. The call was around 4PM ET. He never suggested contact because management would not agree to any price since numbers so high. Advised management that this venue showed only proof of decrypt.
Management cannot pay anywhere close to 6 figures. Just not there to pay and have no insurance.
I will clarify all the information and answer you
The price for you is 200,000$. There will not be any extra payments or charges, that's the final sum. We always follow the said conditions, as it's crucial for our reputation. After you have paid the sum, we will provide you with a decryptor for all of your files and also delete the downloaded files from your network on our servers. You will also be provided with a full report on vulnerabilities within your network and given recommendations on increasing the safety of it. We guarantee that all the steps above will be fulfilled by us.
Have you made a decision?
// Analysis
Analyst Observations
- The victim explicitly refused to pay. This is a definitive outcome that typically results in data publication.
- LockBit 3.0 was the most prolific ransomware group of 2022-2023, responsible for more attacks than any other group. Their infrastructure was taken down by Operation Cronos in February 2024.
- → LockBit 3.0 threat actor profile — TTPs, ransom demands, and active campaigns.