// Ransomware Negotiation Transcript

lockbit3.0 Ransomware Negotiation — Scohil

29Messages
17 daysDuration
$120.00Initial Demand
UnknownOutcome
// Context

About This Negotiation

This transcript documents a lockbit3.0 ransomware negotiation with Scohil. The negotiation consisted of 29 messages exchanged over 17 days, beginning on 2022-07-15.

The initial ransom demand was $120.00. The final outcome is not confirmed in the transcript.

// Primary Source

Full Transcript — Verbatim

Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.

Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
[Scohil] — 15.07.2022 15:24:55 UTC — Message 1/29
[Chat started]
[Scohil] — 15.07.2022 15:30:21 UTC — Message 2/29
How much is it to decrypt my files
[Scohil] — 15.07.2022 17:16:08 UTC — Message 3/29
Hello?
[Scohil] — 15.07.2022 19:26:55 UTC — Message 4/29
I was just checking to see how to get my files back
[lockbit3.0] — 16.07.2022 01:23:55 UTC — Message 5/29
All operators are busy at the moment, please wait for an answer.
[lockbit3.0] — 16.07.2022 10:03:03 UTC — Message 6/29
Hello
[lockbit3.0] — 16.07.2022 10:03:16 UTC — Message 7/29
To decrypt your files and prevent us of destructive actions against your company you will need to pay $120 000 . We also have all your files.
[Scohil] — 16.07.2022 15:47:53 UTC — Message 8/29
One hundred and twenty thousand dollars?
[lockbit3.0] — 16.07.2022 15:49:04 UTC — Message 9/29
yes
[Scohil] — 16.07.2022 15:50:12 UTC — Message 10/29
There is no way my customer can pay that. That is an insurmountable ammount of money.
[lockbit3.0] — 16.07.2022 16:02:24 UTC — Message 11/29
We take into account your profits and the amount of work needed to encrypt your information, that's how the sum is calculated.
[lockbit3.0] — 16.07.2022 16:03:43 UTC — Message 12/29
What would you like to offer me?
[Scohil] — 16.07.2022 16:09:47 UTC — Message 13/29
Anymore than 8,000usd would bankrupt my company, and then I would lose everything anyway.
[lockbit3.0] — 16.07.2022 16:25:30 UTC — Message 14/29
Well, this isn't true. Even by public official data about your revenue it's obvious that you are capable of paying 120,000$. You may make your own offer about the price but it shouldn't differ from mine by a large sum.
[Scohil] — 21.07.2022 17:43:29 UTC — Message 15/29
Well I have some good news. There was a backup we found that you did not get to. So we will not need your services.
[lockbit3.0] — 21.07.2022 20:17:05 UTC — Message 16/29
We will sell your files.
[Scohil] — 21.07.2022 20:44:10 UTC — Message 17/29
You do not have my files
[lockbit3.0] — 21.07.2022 21:26:23 UTC — Message 18/29
Why are you telling me this information about another backup copy?
[lockbit3.0] — 21.07.2022 21:28:45 UTC — Message 19/29
You didn't even ask for proof about the files we have acquired. The information about an attack on your company will spread like wildfire on the Internet when we publish it. You will most likely pay a fine bigger than the sum we are asking for.
[Scohil] — 21.07.2022 21:33:08 UTC — Message 20/29
If you have the files then prove it.
[lockbit3.0] — 21.07.2022 21:38:21 UTC — Message 21/29
Ok. It will take some time. I will send you a list of files soon
[Scohil] — 21.07.2022 21:39:31 UTC — Message 22/29
a list a files is not proof of anything .. that just means you Looked at the files. the connection my customer has is complete crap and no way you transffered that many files off of their server... Proof would be showing me screen shots of the files you have
[lockbit3.0] — 21.07.2022 21:43:46 UTC — Message 23/29
Good. I will send you screenshots of several files.
[lockbit3.0] — 22.07.2022 09:52:25 UTC — Message 24/29
[REDACTED URL]
[lockbit3.0] — 22.07.2022 09:53:23 UTC — Message 25/29
[REDACTED URL]
[lockbit3.0] — 22.07.2022 09:54:15 UTC — Message 26/29
[REDACTED URL]
[lockbit3.0] — 22.07.2022 09:55:09 UTC — Message 27/29
[REDACTED URL]
[lockbit3.0] — 26.07.2022 14:35:12 UTC — Message 28/29
Have you made a decision?
[lockbit3.0] — 01.08.2022 16:27:28 UTC — Message 29/29
[REDACTED URL]
// Analysis

Analyst Observations

  • LockBit 3.0 was the most prolific ransomware group of 2022-2023, responsible for more attacks than any other group. Their infrastructure was taken down by Operation Cronos in February 2024.
  • LockBit 3.0 threat actor profile — TTPs, ransom demands, and active campaigns.

Facing a Ransomware Demand?

Whether you choose to negotiate or refuse — having specialists in the room changes the outcome.

Contact Us Now Our Negotiations Service →