// Ransomware Negotiation Transcript

lockbit3.0 Ransomware Negotiation — QSI-Q3

20Messages
4 daysDuration
UnknownInitial Demand
UnknownOutcome
// Context

About This Negotiation

This transcript documents a lockbit3.0 ransomware negotiation with QSI-Q3. The negotiation consisted of 20 messages exchanged over 4 days, beginning on 2023-01-25.

The initial ransom demand was Unknown. The final outcome is not confirmed in the transcript.

// Primary Source

Full Transcript — Verbatim

Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.

Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
[QSI-Q3] — 25.01.2023 09:57:20 UTC — Message 1/20
[Chat started]
[QSI-Q3] — 25.01.2023 10:02:39 UTC — Message 2/20
Good morning, you encrypted some of our machines.
[lockbit3.0] — 25.01.2023 11:52:59 UTC — Message 3/20
Hello, you pay - we give you decryptor.
[QSI-Q3] — 25.01.2023 11:53:24 UTC — Message 4/20
What about our data?
[lockbit3.0] — 25.01.2023 12:07:39 UTC — Message 5/20
after payment you will receive a decryptor and all copies of the data will be deleted from our servers
[QSI-Q3] — 25.01.2023 13:04:45 UTC — Message 6/20
what did you steal? and what amount of money are you looking for?
[lockbit3.0] — 25.01.2023 13:14:13 UTC — Message 7/20
we copy 30Gb data. file listing only after payment. Price for yoour company is 400k USD in Bitcoin or 380k USD in Monero
[QSI-Q3] — 25.01.2023 13:15:02 UTC — Message 8/20
Why would we believe you without any proof? At first you only mentioned teh decryptor.
[lockbit3.0] — 25.01.2023 13:21:50 UTC — Message 9/20
You think I didn't take anything from your network? Why do you need proof if your files are encrypted? Obviously, I took the files when I was a guest at your place.
[lockbit3.0] — 25.01.2023 13:22:30 UTC — Message 10/20
File: [1.png]
[lockbit3.0] — 25.01.2023 13:22:36 UTC — Message 11/20
File: [2.png]
[lockbit3.0] — 25.01.2023 13:22:49 UTC — Message 12/20
File: [3.png]
[lockbit3.0] — 25.01.2023 13:22:55 UTC — Message 13/20
File: [4.png]
[QSI-Q3] — 26.01.2023 15:37:32 UTC — Message 14/20
Ok we checked with the people who know that data. That is not critical. And I saw, that you deleted the decryptor, so you can't decrypt anymore?
[lockbit3.0] — 26.01.2023 16:23:28 UTC — Message 15/20
Decryptor will delete at - 2023-03-16 22:04:06
[lockbit3.0] — 26.01.2023 20:20:04 UTC — Message 16/20
Decryptor not deleted.
[QSI-Q3] — 27.01.2023 16:05:53 UTC — Message 17/20
Now it shows correctly. Thanks. So to be frank. The encryption is not really an issue. The lost data might be. However, as I said, the data above is not critical. Management will need something better.
[lockbit3.0] — 27.01.2023 17:27:36 UTC — Message 18/20
Ok, we will be prepare your database for public
[lockbit3.0] — 29.01.2023 13:49:33 UTC — Message 19/20
your data is huge. the screenshots above are examples of random files. but what will be critical for you - may be in the total volume of data. Are we going to negotiate further?
[lockbit3.0] — 29.01.2023 13:50:26 UTC — Message 20/20
[REDACTED URL]
// Analysis

Analyst Observations

  • LockBit 3.0 was the most prolific ransomware group of 2022-2023, responsible for more attacks than any other group. Their infrastructure was taken down by Operation Cronos in February 2024.
  • LockBit 3.0 threat actor profile — TTPs, ransom demands, and active campaigns.

Facing a Ransomware Demand?

Whether you choose to negotiate or refuse — having specialists in the room changes the outcome.

Contact Us Now Our Negotiations Service →