// Ransomware Negotiation Transcript
lockbit3.0 Ransomware Negotiation — WCI
// Context
About This Negotiation
This transcript documents a lockbit3.0 ransomware negotiation with WCI. The negotiation consisted of 34 messages exchanged over 19 days, beginning on 2023-02-17.
The initial ransom demand was Unknown. The final outcome is not confirmed in the transcript.
// Primary Source
Full Transcript — Verbatim
Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.
Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
[Chat started]
hi. to decrypt the data and avoid publication you need to pay us.
We got notice that our name and screenshots of some of our data were posted to your TOR darknet site. We are interested in learning more about this situation. Have you sold the data?
soon we will send you a tree of stolen data
we did not sell your data. we will publish it for free
ok, has the data been sold yet? How much data do you have?
We'll send you the tree now, wait for it.
ok
124gb - confidential files, financial reports, hr, passports
Download link: [REDACTED URL]
Password: B@N$m@piDSvsErZQc(XEEuy6c
Thank you. We will take a look. I'm having a hard time getting into you Tor chat. It keeps timing out.
I and other companies have no complaints. try restarting TOR or using other links from the note
Hi, what's the news?
My leadership assessing the value of the data. How much to keep it from being published?
1,500,000$ USD
That seems a little excessive to me, but I'll pass it on to my leadership.
If you pay quickly, we'll give you a discount.
While we're negotiating we've paused the timer and hidden you from the blog
What kind of discount?
If you pay within 48 hours, we will give you a 30% discount
I'll pass that along to leadership.
Ok
what news?
Leadership is still evaluating the data and deciding on if it's important enough to pay you. How would we know for sure if you deleted all our data? Or not sold it?
We do not sell data, without publication. And most importantly - our reputation.
it's time to pay
Considering the data you took it is not worth $1.5M to us, nor will you be able to sell the data for even a fraction of that amount on the dark web, what is the least amount you will consider for payment?
We are not talking about selling your data. we will put it on our blog for free for everyone if you do not pay. you are negotiating for a very long time, and this will not play into your hands. we know that you are specifically delaying negotiations so that we agree to a lower amount. on the contrary, if you pay quickly we can give you a discount for speed.
What is the discount?
we are ready to give you a 30% discount on a quickly payment
Our data is not worth $1M to you or us, but I'll take it to leadship because I'm just the messenger. It will be Monday before I will be able to get back to you. The leadership team will not be around this weekend.
I think you'll understand how much your data is worth after it's published. When you incur reputational losses, fines from the state, courts and others. You will lose even more money than we are asking for. For your company, with multimillion-dollar revenues, paying that amount and forgetting about it won't be a big deal. I'm sure your boss has much more money in his personal cryptocurrency account
when wiil you pay?
// Analysis
Analyst Observations
- LockBit 3.0 was the most prolific ransomware group of 2022-2023, responsible for more attacks than any other group. Their infrastructure was taken down by Operation Cronos in February 2024.
- → LockBit 3.0 threat actor profile — TTPs, ransom demands, and active campaigns.