// Ransomware Negotiation Transcript
LockBit 3.0 Ransomware Negotiation — Samyang
// Context
About This Negotiation
This transcript documents a LockBit 3.0 ransomware negotiation with Samyang. The negotiation consisted of 237 messages exchanged over 280 days, beginning on 2022-07-28.
The initial ransom demand was $8.0M. The final outcome is not confirmed in the transcript.
// Primary Source
Full Transcript — Verbatim
Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.
Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
[Chat started]
hi bro i am krrc
About 15 servers. How much are they? EFDD05527F449763F18FB02B2C21837D
Hi, first you better to know where here to help our customers
Also we downloaded 2TB data from your network, we can share samples and proof
You can use trial decryptor to test your sample file
Proof = [REDACTED URL] : ASDNAKSDsah9802io13!@19ujioalls
What should I offer?
as we know your holding your price is 8M
give password
ASDNAKSDsah9802io13!@19ujioalls
8M?
yes, for decryptor and delete your data from our servers for ever
How many btc is 8m?
use google
now, almost 345,4
0.3btc?
what is you mean?
Is it 3.4btc?
not its 345
Approximately how much is it in btc?
345btc = 8.000.000
its you should pay
345btc???
yes, the price in dollar is important not in btc! your revenue is 1B dollar
you have Stock Symbol
according to your holding and financial data, its fair price and you can pay that
How many servers are there?
you mean on your network?
according to dsquery 10102
we know about your insurance too
server ip?
130.1.22.0/24 130.1.24.0/24 172.16.16.0/24 130.1.171.0/24
also 10.100 range
also \\130.1.24.42\ backup of OS
our locker try to lock all pc in network
I'm in a meeting with a customer. Hold on a minute, please.
tell your active hours in GMT time
we forgot to tell we downloaded all your staff's mailboxes (inbox,sentbox,draft,deleted)
[REDACTED URL] : SADNASDBikdiah891i
we have detected new price for you.
18M $
why 18M$?
why not?
This company is manufacturing. i Thinks 8m$ It's too much Finally, I want to recover about 15 servers. How much does it cost to recover only 15 servers?
price depends from revenue
18m$ very small price for you
you will lost much more if refuse pay
Can you tell me why 18m$? I need to get back to the client
because you big and rich company
have stock symbol
big company = big ransom, small company = small ransom
I don't think the client company will be able to pay that amount.
no problem simple restore backup and wait leak at our blog
[REDACTED URL]
I talked to the client. 18M dollars is too expensive If you adjust the amount, I think there will be room for negotiation.
85 Ransomware infected servers We only need 15 restoration, but I also think 18M$ is too expensive.
its no matter how many system locked, you are paying both decryptor and data leak prevent
what is your clients offer?
Wait a minute. I'll try
It's such an important decision Internal discussion is needed. I'll answer you tomorrow.
We can give discount if you pay quickly.
are you there?
yes
I got a call from a customer. The client company has been having a meeting since last night. However, as of now, it has not been concluded, so it is expected to be decided around Monday in three days. I think I can let you know on Monday.
The client says they don't know what information you're referring to as $1B in sales. My Client is an IT service company, so do you have any information about the company my client provides? Isn't it saying that sales are $1B? I'm also acting as an agent in the middle, so I don't know what they're discussing I don't know exactly what they’re discussing, and they just say that they need more time
They're bluffing.
Apparently the reputation of your company and the value of the stock on the stock exchange are of no value to your client since he is behaving this way.
What did we do? I don't know what you mean.
We are doing our best to negotiate in the middle. But the amount is so big that I don't know what to do with the customer. What we want is a price adjustment.
Is there absolutely no room for negotiation?
We negotiate with you, but you do not make any offers, but only bluff, how can we negotiate with you?
Your company's annual revenue is $10 billion, you're trying to lie to me that $18 million is a very large amount for you, it's not serious.
Okay. I'll try to convince our client as soon as possible
My client is not lying. There's something you need to know exactly
The company you hacked is an IT service company, and the information you have on the server is the customer’s(of my client) information.
The $10B Revenue you're talking about is the Revenue of customers(of my client).
you hacked my client’s revenue was $70M and the profit was $4M last year. The client you hacked cannot afford to pay $18M.
So the client confessed to the customer and is discussing the hacking. This complicated process delays the answer. You should understand this situation
I think the hacked IT service company will probably offer around $500,000 at the outset
The fact that we hacked your client's company through the IT company that serviced him does not mean that the ransom price should be less, your IT company is not interesting to us, we need the big fish, your client.
I fully understand that you need Big Fish.
Big fish is very angry with IT service company. Because IT service company was hacked and Big fish’s information was leaked, Big Fish is saying that IT Company should pay for everything. Also If this doesn't be solved, I heard that Big Fish will cut the deal with the IT company and fill a damage compensation lawsuit.
I will explain again because you still don't seem to understand the current situation clearly. My client is an IT service company. You hacked through this IT service company and had Big Fish's information.
I will explain again because you still don't seem to understand the current situation clearly. My client is an IT service company. You hacked through this IT service company and had Big Fish's information.
However, IT service company cannot afford to pay $18M, as I said before. In the previous conversation, I said that IT service company would pay $500,000. Bur now IT service company seem willing to pay up to $1,000,000 for resolution. And that's big amount(one-third of the client's one-year profit)
Please understand the above situation accurately and give me an answer.
I understand that your job as a negotiator is to get the ransom price as low as possible, you are a good negotiator, but in this case you are offering too small an amount for a very large company, the damage we can do to your client is absolutely incomparable to the amount you are offering. It doesn't matter who wins your lawsuit, we are now talking about saving a lot more in lost profits for your client, your client would be much better off paying us the ransom and then suing the IT company and recovering the damages. The company's stock could collapse so badly that your client would lose hundreds of millions of dollars instead of just $18 million. I appreciate the increase in buyout amount from your side and see it as a desire to make a good deal for both of us, but 1 million is absolutely not enough for a company with annual revenues of 10 billion dollars. At the same time to show respect to you as a brilliant negotiator I am ready to make a discount of 3 million dollars, in this way I am ready to completely remove all your stolen data, provide decryption keys, and forget about the fact that you have ever been attacked, our deal will be an absolute secret and no one will ever know about it. It's up to you.
The bottom line is that if you pay me 15 million dollars in 3 days, everyone will be happy.
With this level of hacking skills, you must be very smart and logical people. It seems that we need logical conversations, not emotional ones.
I understand that you reasonably present the required amount depending on the size of the company's revenue Bigfish's revenue is about $2B, not $10B And Big fish's profit is much less than this. The amount you ask for is a very difficult amount to pay for even Big fish. If you need to check Big Fish's sales and profits, you can check it right away by entering the stock site. If necessary, I will send financial statements disclosed on the securities site
I think negotiations can proceed only when the required amount is presented again. I look forward to a positive answer.
I am not emotional. I would be happy to see financial documents that you can show me.
I can't contact you because it's the weekend now. I will contact you on Monday.
Ok
I send you the sales volume of the big fish that I checked directly on the Google Securities site.
In terms of $, last year's sales volume is about $1.8B. The reason why you check the exact sales volume of Big fish is because I think it's to reasonably adjust the required amount.
File: [매출자료.png]
Where net profit?
Net Income last year was about $30M on a $ basis. And as you know, this year is worse because of the global economic downturn.
File: [매출자료2.png]
File: [매출자료2.png]
File: [매출자료2.png]
File: [매출자료2.png]
[REDACTED URL]
Image materials will be uploaded and automatically deleted. There is an image data in the URL above.
The image material is uploaded and automatically deleted. There is image data in the URL below. [REDACTED URL]
[REDACTED URL] Image materials will be uploaded and automatically deleted. There is an image data in the URL above.
send in this chat please in archive no more 1 mb
7z or zip or rar
Why does the written text get erased?
its slow tor
wait and all text will upload
[REDACTED URL] Image materials will be uploaded and automatically deleted. There is an image data in the URL above.
send in this chat, we not go to links
File: [매출자료2.png]
Here's the profit picture.
Ok
I need time for checking this info
Okay. Please check and adjust the price.
You're doing insider trading, so I can't give you a discount, it's a criminal offense for your management.
As a person who earns not entirely by legal means, I am sympathetic to the desire to make money, so I'm ready to keep this secret between us if you will not be greedy and give me 15 million.
Also, you are bluffing by understating your net income, your net income in March was $16 million and that is only one month, your stock is up 8% today, your business is booming, I think you should not be greedy, and be reasonable by making a deal with me.
The article was deleted again What should I do?
what you mean? send screenshot please
I not understand you
login in victim chat in 1 window
if you open 1 ID in two browser you may have problem
What does insider trading mean? Do you mean I cheat to take a lot of fees between you and Big Fish?
The post will continue to be deleted. Can I move the address of the site address?
Let's continue the conversation here [REDACTED URL]
Let's continue the conversation here [REDACTED URL]
Ok
I fix bug with chat, press F5 and you will see all message
ok check
What does insider trading mean? Do you mean I cheat to take a lot of fees between you and Big Fish?
Insider trading means that big fish are breaking the law and making money by dumping and dumping their stock on the exchange.
Your time to decide is coming to an end, we are beginning preparations to publish your 2 terabytes of corporate data on our blogs.
[REDACTED URL]
The correspondence between us will be as published as in this example.
[REDACTED URL]
Also, you should know that after all of your information is published, the price of redemption will double and will be 30 million dollars.
First of all, I am never lying about the financial figures of Big fish. And big fish says there is no problem with insider trading legally.
Big fish think that $10B in sales = $15M in payments. If the actual sales amount was $2B, it was naturally thought that negotiations would begin at a much lower amount. But you keep saying the same amount. And, my client has information on how much other companies with similar sales paid. Although I said the financial situation of the IT service company that has to pay the money actually and Big Fish's situation several times but you're asking for the same amount.
My client raised the payment to $1M --> $2M.
Other companies paid a lot more than you, the thing is that all reasonable companies always pay quietly and quickly and no one knows about what they paid, because our deal is kept absolutely secret, with a successful transaction absolutely all traces of negotiations and all company data is removed, no one can know about the real amounts of payments companies except me, for example recently the company from NASDAQ paid 70 million dollars and its annual turnover was only 6 billion dollars, so each company is unique and the amount of the ransom is assigned depending on the value of the data we possess.
In this case, your client's company earns more than $15 million in net profit every month, this is the information that is contained in public sources, but your client knows that this is not all of his income, there are certain income that he hides from the tax police. Let that remain our little secret.
I appreciate your client's generosity and the fact that he increased the amount to two million, but just so you understand it is such a paltry sum for him that he earns it in one day.
I doubt that the ratio of losing the company or a huge part of the stable income of the company is worth 1 day of work of the company, in my opinion it is at least stupid and not rational.
Your client as a businessman knows how to assess risks, and the cost/benefit ratio, the damage from our attack is guaranteed to be more costly than $15 million.
Due to the rules of good manners, I am ready to bargain and also reduce the price to 14 million dollars.
Of course you do things in secret. But ransomware victims share information among themselves. Big fish says the amount is too much because big fish heard there.
And, you keep talking about internal trading issues. Big fish says he doesn't know why you're talking about internal trading. Big fish wants you to give him more solid evidence that you have relevant information
And you said that the amount is determined by the value of the data you have. I don't know exactly what data you have (revealing only a few to us), but I think you're overestimating it. There is too much difference between the value of data you think and the value of data that Big fish thinks. This is the most important factor for you and Big Fish to talk about the price
And I think you researched the public source. The profit you're talking about is quarterly profit (three months), not one month.
13.500.000$ is the best we can do for you.
If your company's reputation isn't worth the money, we can't do the deal.
I'll deliver it to the customer. It's dinner time after work, so I think I'll contact you tomorrow morning
[REDACTED URL]
I think this article will help your client think with his head better. Atento was also very greedy, ended up paying many times more only not to us anymore.
After you sent $13.5M It is such an important decision that executives in the big fish are discussing it The amount itself is too big, and there are different opinions on how to pay that large amount. I will reply as soon as my client reach a conclusion.
Companies regularly pay us amounts and more, nothing unusual.
Overseas remittance through BTC exchange has become a big issue in Korea It has been expanded to the prosecution's investigation, and the entire coin transaction is being investigated. (LINK: www.seoul.co.kr/news/newsView.php?id=20220815015003&wlog_tag3)
So it's hard to transfer a large amount at once A small amount of money should be remitted first and the status should be watched to see if the prosecution notices.
We will now discuss how to trade. Because I need to make sure it's restored The entire remittance is difficult and will be traded little by little. I want to make a recovery transaction for 3 servers each. How much does it cost to recover three servers each? We should pay attention not only to data leakage but also to the prosecution's surveillance.
There is no technical possibility to decrypt only 3 servers, your company is encrypted with one key, if I give you a decryptor, then you decrypt absolutely all the computers in the network.
If you want to make a transaction between us, you will find the opportunity to buy cryptocurrency. A lot of individuals sell cryptocurrency, you can buy cryptocurrency for cash including, Korea is famous for its cryptomillionaires. If you want to make a transaction between us, you will find the opportunity to buy cryptocurrency. So many individuals sell cryptocurrency, you can buy cryptocurrency for cash including, Korea is famous for its crypto millionaires. Various companies around the world including even third world countries somehow managed to buy cryptocurrency, and you living in a country where every person has 3 higher education, in a country where the total mass of the population is the smartest people, can't handle it? I don't believe in such a thing?
No one can ever forbid the director of your company to buy any amount of cryptocurrency with his personal earned money. In addition, you can use the anonymous cryptocurrency Monero, transactions in this currency are not tracked in the blockchain and your prosecutor's office will never know anything.
The prosecutor's office will be much happier studying 2 terabytes of your data than some cryptocurrency transactions on the Internet.
I know that each server has an ID value. So I also know that split transactions are possible. You must verify that data recovery is possible on the server. We have to show the restored one to the customer. You should gain credibility by showing that it has been restored. So I want a split deal. $13,500,000 is a huge amount. It is difficult for customers to remit money at once, and they can remit money while watching data recovery. Please tell me how to do the split transaction
You are mistaken.
Id consists of 32 characters, the first 16 characters is part of the public key that encrypts your data, the second part consists of the second 16 characters is a random set of data that has nothing to do with encryption keys, the second 16 characters are needed to ensure that no one can get into our chat, so we achieve a private conversation.
If you are not sure if the decryptor works, you can collect 10-20 files from different computers, I will decrypt them for free.
But you will receive the universal decryptor only after paying the full amount.
If you are afraid to transfer the whole amount you can split it into several payments, for example make 7 payments to different wallets of 2 million dollars.
Payment can be made within a week, 1 day - 2 million, so you can pay less noticeably for your favorite procrustean.
Will you restore the db to the test? It is important to see that data is recovered one by one.
If it is not 3 pieces, I want to recover 5 pieces per ID.
I don't understand you.
Do you want to restore some very valuable file such as a database for a test? it is not possible. You can collect from the whole company not very valuable documents which are of no particular value, moreover after decrypting these files I will check their contents that they are of no value and only after that I will give them to you.
Can't we split it up and recover it little by little?
Of course not, then you would have no desire to pay the full amount, you are trying to deceive me and decipher the most important data
I want you to give me a suggestion. Is it possible to trade $500,000 at a time?
We have 2TB of data. If we don't keep our promise, I know you'll reopen and gossip about the data. If you spread the rumor, we will lose a lot of money due to stock price fluctuations. I need 2tb. Don't spread the word Therefore, we will do our best to keep our promise. 1. Don't spread it. 2. Delete 2tb after completion of transaction. 3. I request restoration little by little by little.
Yes, I don't mind going out of my way to help you keep our deal a secret from the police and prosecutors, they are always sticking their noses where they don't need to and want to collect more taxes. Moreover, you can divide the amount into any numbers, not necessarily an even value of 500 thousand or 1 million or 2 million, you can use a random number generator and make many random payments to many purses, for example to 1 purse you can send 563 thousand dollars, to 2 purse 435 thousand dollars, as convenient and safe for you.
You can be absolutely sure that your data is safe, all data will be destroyed, no one will ever know about our attack on you and that we had a deal, after I provide you with proof of removal of all your information and you decrypt all your data we will delete this chat room and you will continue to prosper and make hundreds of millions of dollars.
You are very lucky that you were attacked by us, we are the largest faction in the world and always take responsibility for their words, for us reputation is as important as for you. If we ever cheated even one person, no one would pay us in the future.
Then, how much do I have to tell you so that I can trade little by little?
I don't understand you.
Paraphrase, tell me more about what you want.
I want a recovery request by partitioning.
I told you that's not possible because then you wouldn't pay the full amount, you would decrypt critical files for you.
I can demonstrate that the decryptor works on a few dozen files taken from any computer in your network, this is enough to know that the decryptor works successfully.
We have 2TB of data. We need restoration and want to erase your data. So I'll close the deal. Please tell me how I can recover the data in installments.
We can remove data in installments, decryptor for the whole network only after paying the full amount.
I know. We will continue the recovery process to the end. I want to delete the data you have. But the customer can't believe it's working properly. You guys need to recover little by little. You have to pay little by little and recover normally to make an additional deposit.
No need to cheat, all files on the network are encrypted with the same locker, all of them are decrypted equally successfully.
If your client feels more comfortable, we can encrypt the test bench and then decrypt it in front of him.
Prepare your computer for the encryption and decryption test, I will give you two programs, one which encrypts and one which decrypts. Your client will make sure that everything works successfully and with peace of mind will pay us.
File: [encryptor.exe.7z]
encrypt any PC of your client or virtual machine, then write to new chat with new ID from test PC and I give you free decryptor for this PC
In this way your client will make sure that the decoder works and that there are no problems.
It doesn't matter that you can infect and treat it. It is important to restore our infected data to normal. And it is important to delete the data you have.
Yes, this will be done after payment.
You need to recover one ID each.
Do I look like a fool who will give you a decryptor for backups? stop this cycr.
What is a backup for decryptor? Are you saying that we can't recover by division?
I mean, I don't have a decryptor for the 1st id, either all id or nothing.
You can check this on a test computer, encrypt several computers, I will give you a decryptor for 1 computer but with it you can decrypt all computers.
Your time is running out, we are starting to upload your data to the blog for publication.
If you want to stop publishing, make a payment of $13,500,000 to this bitcoin wallet bc1qnhgmuz5kdjn5rqjhayn9n8e8lvumjjpnnjdczz
With the program you sent me, I organized an environment for encryption and decryption and I am conducting a test.
How much time you need?
The server has been in error for 5 days. The conversation has been sent to the current test file. Please check the chat window.
File: [DECRYPTOR(LB BLACK) [735CE278DEF3F2F130C32518DD8D63CA].zip]
This is decryptor for test
[REDACTED URL]
[REDACTED URL]
If you do not pay the ransom in the near future, you will be treated in the same way by greedy companies.
The current Lockbit homepage keeps getting errors. Test recovery is currently in progress. Hold on a minute, please.
Minute?
We started a DDoS attack on your site.
Any news or we can publish your 2tb ?
?
[empty message]
[empty message]
..
................
.............................
..................................
.............................
.............................__
?
[empty message]
[empty message]
.
..
// Analysis
Analyst Observations
- This is an unusually long negotiation, suggesting extended back-and-forth and significant engagement from both parties.
- The initial demand of $8.0M places this in the upper tier of ransomware demands, typically reserved for large enterprises.
- LockBit 3.0 was the most prolific ransomware group of 2022-2023, responsible for more attacks than any other group. Their infrastructure was taken down by Operation Cronos in February 2024.