// Ransomware Negotiation Transcript

lockbit3.0 Ransomware Negotiation — Vitality Health Plan

73Messages
24 daysDuration
$1,000.0MInitial Demand
UnknownOutcome
// Context

About This Negotiation

This transcript documents a lockbit3.0 ransomware negotiation with Vitality Health Plan. The negotiation consisted of 73 messages exchanged over 24 days, beginning on 2022-09-16.

The initial ransom demand was $1,000.0M. The final outcome is not confirmed in the transcript.

// Primary Source

Full Transcript — Verbatim

Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.

Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
[Vitality Health Plan] — 16.09.2022 22:22:18 UTC — Message 1/73
[Chat started]
[Vitality Health Plan] — 16.09.2022 22:22:35 UTC — Message 2/73
Hello
[Vitality Health Plan] — 16.09.2022 22:22:54 UTC — Message 3/73
we ahve seen a note on our systems asking to contact you
[Vitality Health Plan] — 16.09.2022 22:23:07 UTC — Message 4/73
how does this work?
[Vitality Health Plan] — 16.09.2022 22:23:35 UTC — Message 5/73
we are destroyed
[Vitality Health Plan] — 16.09.2022 22:29:23 UTC — Message 6/73
hello?
[lockbit3.0] — 16.09.2022 23:52:44 UTC — Message 7/73
hi
[lockbit3.0] — 16.09.2022 23:52:59 UTC — Message 8/73
to decrypt the data and avoid publication you need to pay us. we haven't published your name on our blog yet
[Vitality Health Plan] — 17.09.2022 02:47:53 UTC — Message 9/73
we think your page is not working properly, we tried 2 first links and it got stuck on the logo and 3 items flipping around all time after some 5 minutes loading
[Vitality Health Plan] — 17.09.2022 02:48:14 UTC — Message 10/73
is there some other way we canc omunicate?
[lockbit3.0] — 17.09.2022 02:48:19 UTC — Message 11/73
use mirrors, we under ddos
[Vitality Health Plan] — 17.09.2022 02:48:43 UTC — Message 12/73
and also, which data do you mean? can we know which data did you get from us?
[lockbit3.0] — 17.09.2022 02:48:57 UTC — Message 13/73
You can reach us at any of these links using a Tor browser: [REDACTED URL] [REDACTED URL] [REDACTED URL] [REDACTED URL] [REDACTED URL] [REDACTED URL] [REDACTED URL] [REDACTED URL] [REDACTED URL]
[Vitality Health Plan] — 17.09.2022 02:49:44 UTC — Message 14/73
now it looks like [REDACTED URL] its working
[Vitality Health Plan] — 17.09.2022 02:50:02 UTC — Message 15/73
thanks god
[Vitality Health Plan] — 17.09.2022 02:50:23 UTC — Message 16/73
well, tell me, what data do you mean?
[lockbit3.0] — 17.09.2022 02:50:54 UTC — Message 17/73
data from your network
[Vitality Health Plan] — 17.09.2022 02:51:22 UTC — Message 18/73
we have 150 computers
[Vitality Health Plan] — 17.09.2022 02:51:35 UTC — Message 19/73
which data? so I can tell the bosses
[lockbit3.0] — 17.09.2022 02:52:20 UTC — Message 20/73
we will give you this information after you pay the ransom
[Vitality Health Plan] — 17.09.2022 02:52:48 UTC — Message 21/73
we dont know how all this thing works yet, our tech group is scheduled to come early tomorrow
[Vitality Health Plan] — 17.09.2022 02:53:24 UTC — Message 22/73
if you tell us which data you got, we can say this on our meeting with our managers
[Vitality Health Plan] — 17.09.2022 03:23:06 UTC — Message 23/73
understand our position, our ability to pay will depend on what our IT staff says tomorrow and which folders/files we risk being published
[Vitality Health Plan] — 17.09.2022 03:23:57 UTC — Message 24/73
we are an small company which is already struggling to stand by, this has greatly affected our ability to give service to our customers
[lockbit3.0] — 17.09.2022 09:33:55 UTC — Message 25/73
we will soon send you a tree of stolen data
[Vitality Health Plan] — 17.09.2022 11:16:53 UTC — Message 26/73
ok
[lockbit3.0] — 17.09.2022 13:08:28 UTC — Message 27/73
[REDACTED URL]
[lockbit3.0] — 17.09.2022 13:15:49 UTC — Message 28/73
130k files, 122gb
[Vitality Health Plan] — 17.09.2022 19:40:43 UTC — Message 29/73
Ok, I will check with the team and get back to you
[Vitality Health Plan] — 17.09.2022 19:40:57 UTC — Message 30/73
how much money is this all going to cost us?
[Vitality Health Plan] — 17.09.2022 19:43:57 UTC — Message 31/73
can we see those files?
[Vitality Health Plan] — 17.09.2022 19:44:14 UTC — Message 32/73
\VITALITYHP\Vitality Health Plan\2019 Marketing Materials\Business Card [.] Biz Card Back.pdf Biz Card Front2-01.png [..] Biz Card Back2-01.png [redacted].pdf
[Vitality Health Plan] — 17.09.2022 19:44:57 UTC — Message 33/73
Vitality_[redacted].pdf Vitality_[redacted].pdf Vitality_[redacted].pdf Vitality_[redacted].pdf Vitality_[redacted].pdf Vitality_[redacted].pdf Vitality_[redacted].pdf Vitality_[redacted].pdf Vitality_[redacted].pdf Vitality_[redacted].pdf Vitality_[redacted].pdf Vitality_[redacted].pdf Vitality_[redacted].pdf
[Vitality Health Plan] — 17.09.2022 19:45:09 UTC — Message 34/73
some of them, just to see that you really have the files
[lockbit3.0] — 17.09.2022 19:55:28 UTC — Message 35/73
We'll send you the files in a moment
[lockbit3.0] — 17.09.2022 19:57:17 UTC — Message 36/73
The price of decrypt and delete data 1.000.000$. we accept payment in BTC
[lockbit3.0] — 17.09.2022 20:12:44 UTC — Message 37/73
[REDACTED URL]
[Vitality Health Plan] — 17.09.2022 23:17:09 UTC — Message 38/73
1 million is absolutely out of range
[Vitality Health Plan] — 17.09.2022 23:19:37 UTC — Message 39/73
however, thanks for all the informationa nd files, we will have a meeting on monday morning and tell you something
[lockbit3.0] — 17.09.2022 23:24:23 UTC — Message 40/73
We studied your revenue data. we found information that the revenue is about $100 million. in addition, your site translates to the site of a large california company with $1 billion in revenue. based on this, the requested amount is quite real. pay and no one will ever know about the attack. we will return all your files and tell you about the attack, and delete your data from our servers forever. if you delay and do not negotiate actively, we will publish a post about you on our blog.
[lockbit3.0] — 17.09.2022 23:26:46 UTC — Message 41/73
[REDACTED URL]
[lockbit3.0] — 17.09.2022 23:27:13 UTC — Message 42/73
One company refused to pay the ransom. and suffered a lot. there is a lot of information about us on the internet. here is an example
[Vitality Health Plan] — 19.09.2022 22:11:38 UTC — Message 43/73
our revenue isnt even close to $100 million, $1 mimllion is too much
[Vitality Health Plan] — 19.09.2022 22:11:53 UTC — Message 44/73
bosses are willing to pay a much smaller sum
[Vitality Health Plan] — 19.09.2022 22:12:09 UTC — Message 45/73
given that we have backups and the data you took is not sensitve at all
[Vitality Health Plan] — 19.09.2022 22:12:20 UTC — Message 46/73
we know who you are, and we know you are at least reliable
[Vitality Health Plan] — 19.09.2022 22:12:40 UTC — Message 47/73
bosses said they can pay $100k without need for additional requests/meetings, think about it
[lockbit3.0] — 19.09.2022 22:15:03 UTC — Message 48/73
No, it's not enough!
[Vitality Health Plan] — 19.09.2022 22:19:05 UTC — Message 49/73
we have finance dept, with its own CEO and he is not willing to give more than that.
[lockbit3.0] — 19.09.2022 22:19:18 UTC — Message 50/73
we have your sensitive data, marketing data, financial data, passports, iti, transactions, and so on. so think about the damage that publishing data can do to you. think about the damage you will get.
[Vitality Health Plan] — 19.09.2022 22:19:34 UTC — Message 51/73
we can negotiate, but anything above that is going to require a lot of paperwork, meetings, approvals and so on
[Vitality Health Plan] — 19.09.2022 22:20:00 UTC — Message 52/73
yes, we know, thats why we are here trying to find a solution
[lockbit3.0] — 19.09.2022 22:21:17 UTC — Message 53/73
if you are not ready to pay more than 100k, you can leave the chat room and wait for the publication of your data
[Vitality Health Plan] — 19.09.2022 22:26:28 UTC — Message 54/73
100k is what we can pay now, 1 million we can never pay
[Vitality Health Plan] — 19.09.2022 22:26:50 UTC — Message 55/73
anything between, will take time
[lockbit3.0] — 19.09.2022 22:30:01 UTC — Message 56/73
for now, you have time to find money. but time will not last indefinitely. we need a deadline. if you drive unproductive talks, or don't come in for a chat, we will publish a post about your company on our blog. so far, we haven't done that
[lockbit3.0] — 19.09.2022 22:32:30 UTC — Message 57/73
We know exactly who you are. don't start talking about limiting finances and so on. we know who you are and how much you can pay. so we will stand our ground and take tough measures in case of disobedience
[Vitality Health Plan] — 26.09.2022 01:06:49 UTC — Message 58/73
you dont know who I am, otherwise you would not be here
[Vitality Health Plan] — 26.09.2022 01:07:33 UTC — Message 59/73
tell your boss I dont throw him to the dogs because I respect him, his brother and what they say
[Vitality Health Plan] — 26.09.2022 01:07:55 UTC — Message 60/73
I mean the real boss, not lockbitsupp
[Vitality Health Plan] — 26.09.2022 01:09:02 UTC — Message 61/73
good luck
[lockbit3.0] — 26.09.2022 09:48:02 UTC — Message 62/73
Put aside unnecessary talk. negotiate constructively.
[Vitality Health Plan] — 30.09.2022 01:00:33 UTC — Message 63/73
just tell your boss and his brother that I appreciate them, thats all
[Vitality Health Plan] — 30.09.2022 01:00:45 UTC — Message 64/73
tell lockbitsupp to send it to the real owners
[lockbit3.0] — 30.09.2022 16:14:11 UTC — Message 65/73
that doesn't make sense. why are you coming in here?
[Vitality Health Plan] — 04.10.2022 02:36:05 UTC — Message 66/73
your feud with the cats should be coming to an end, at least on the public domain
[Vitality Health Plan] — 04.10.2022 02:36:23 UTC — Message 67/73
what is the point of giving away so much information in front of everyone who wants to read xss?
[Vitality Health Plan] — 04.10.2022 02:36:43 UTC — Message 68/73
its good for none of you and very valuable for FEDs and their cheap dogs, researchers
[lockbit3.0] — 04.10.2022 11:03:59 UTC — Message 69/73
If you're not interested, leave the chat room and don't come in.
[Vitality Health Plan] — 09.10.2022 23:09:15 UTC — Message 70/73
nice honeypot that you locked
[Vitality Health Plan] — 09.10.2022 23:09:55 UTC — Message 71/73
well, not even locked beacuse you just ran your locker and left, backups where there and esxi too
[Vitality Health Plan] — 09.10.2022 23:10:27 UTC — Message 72/73
I will take your advice to not come back, take care my friend.
[lockbit3.0] — 10.10.2022 07:43:28 UTC — Message 73/73
bye
// Analysis

Analyst Observations

  • The initial demand of $1,000.0M places this in the upper tier of ransomware demands, typically reserved for large enterprises.
  • LockBit 3.0 was the most prolific ransomware group of 2022-2023, responsible for more attacks than any other group. Their infrastructure was taken down by Operation Cronos in February 2024.
  • LockBit 3.0 threat actor profile — TTPs, ransom demands, and active campaigns.

Facing a Ransomware Demand?

Whether you choose to negotiate or refuse — having specialists in the room changes the outcome.

Contact Us Now Our Negotiations Service →