// Case Study: Ransomware Negotiation

Royal Mail vs LockBit 3.0: How a £66M Ransom Demand Was Refused

The complete negotiation transcript — verbatim. 34 days. 103 messages. The demand that was never paid.

£66MInitial Demand ($80M)
34Days of Negotiation
103Messages Exchanged
RefusedData Published
LockBit 3.0Threat Actor
// Background

What Happened

On 10 January 2023, LockBit 3.0 — then the world's most prolific ransomware group — successfully attacked Royal Mail's international distribution systems. The attack crippled Royal Mail International's ability to process overseas parcels and letters, causing immediate disruption to a service that handles millions of items daily.

Two days later, on 12 January, a Royal Mail representative connected to LockBit's encrypted negotiation portal on the dark web. What followed was one of the most extraordinary ransomware negotiations ever documented — 103 messages over 34 days, ending with a flat refusal and LockBit publishing both the stolen data and the entire transcript on 14 February 2023 — Valentine's Day.

LockBit's opening demand was $80 million — calculated as 0.5% of the parent company's annual revenue. But there was a critical error in their calculation: they had attacked Royal Mail International, a subsidiary of International Distribution Services (IDS), not the Royal Mail plc entity whose revenue figures they were using. Royal Mail International was, at the time, a loss-making subsidiary with significantly lower revenue than the parent group.

The Royal Mail negotiator exploited this distinction brilliantly, repeatedly explaining the corporate structure, citing publicly available financial reports showing losses, and framing the $80M demand as "absurd" relative to the actual entity that had been compromised. Meanwhile, the negotiator deployed a masterclass in delay tactics: citing board meetings over weekends, requesting decryptor verification for large files, raising questions about file integrity, and maintaining a tone that was simultaneously cooperative and immovable.

After 18 days, the board delivered its verdict through the negotiator: "Under no circumstances will we pay you the absurd amount of money you have demanded." The negotiations continued for another two weeks with LockBit reducing their ask, but Royal Mail had already made its decision. LockBit eventually published all stolen data and the full transcript, labelling Royal Mail as a failed negotiation and the negotiator as "a very clever negotiator" who needed to be replaced.

This case is widely considered one of the most successful non-payment negotiations in the public record. It demonstrated that even against the world's most aggressive ransomware group, a well-prepared negotiator with genuine arguments could refuse to pay — and survive.

£66M / $80MInitial Demand
34 daysNegotiation Duration
12.5%LockBit's Offered Discount
£0Amount Paid
// Analysis

Five Lessons from Royal Mail's Negotiation

What this transcript teaches every organisation about ransomware negotiation — whether you plan to pay or not.

1. Play the Subsidiary Card

Royal Mail brilliantly — and accurately — argued that LockBit had attacked Royal Mail International, not Royal Mail plc. The revenue figures LockBit was using were wrong. They'd calculated 0.5% of the parent company's revenue, which included UK domestic operations, GLS logistics in Europe, and other entities entirely unrelated to the compromised network.

This genuine distinction let the negotiator honestly push back on the $80M demand as completely disproportionate. When LockBit cited Wikipedia and TechCrunch articles about "Royal Mail," the negotiator calmly explained that Royal Mail International was a separate entity with its own Managing Director, its own financials, and crucially — its own losses.

Lesson: Know your corporate structure and be prepared to explain it clearly and accurately. If your attacker has miscalculated your revenue, that's your strongest card.

2. Use Delaying Tactics Without Lying

The Royal Mail negotiator was masterful at buying time — without once making a false statement. Citing weekend board meetings that genuinely needed to happen. Requesting file verification that legitimately needed to be done. Raising concerns about large file decryption that were technically valid.

Every delay was framed as the negotiator trying their best to work with LockBit, but being constrained by internal processes. LockBit eventually recognised this, stating: "You are a very clever negotiator, I appreciate your experience in stalling and bamboozling." Even after this acknowledgment, the delays continued successfully.

Lesson: Every day of delay is a day for recovery and decision-making. Frame delays as legitimate process requirements — because they usually are.

3. Humanise Your Position — Without Weakness

The negotiator repeatedly positioned themselves as caught between LockBit and a board that was hard to persuade: "I am trying to help our Senior Team understand this." This is a classic negotiation technique — creating the impression of an internal advocate who wants to help but faces resistance from above.

By humanising their position, the negotiator made LockBit feel like they had an ally inside Royal Mail — someone who would bring their case to the board. In reality, this technique created an additional layer of abstraction between LockBit and the actual decision-makers, making it impossible for LockBit to apply direct pressure.

Lesson: Make the threat actor feel like you're on their side, even when you're not moving. The "good cop" technique works even in ransomware negotiations.

4. Challenge the Decryptor Early

The question about whether the decryptor worked on large files — tied to a 6GB file associated with medical devices — was an excellent dual-purpose tactic. It served as both a legitimate due diligence requirement and a powerful stalling mechanism.

LockBit spent significant time addressing this concern, providing test decryptions, explaining their process, and even offering to re-encrypt and decrypt Royal Mail's own systems as proof. Each exchange added days to the timeline. The medical device angle also introduced a humanitarian dimension that made LockBit uncomfortable.

Lesson: Decryptor verification is both a due diligence requirement and a powerful stalling mechanism. Always challenge the decryptor's capabilities.

5. Know When the Answer Is No

Royal Mail had clearly determined early that they were not going to pay £66M. The entire negotiation was time-buying. The board's final message — "Under no circumstances will we pay you the absurd amount of money you have demanded" — came 18 days into talks, but the decision was almost certainly made within the first few days.

Knowing the answer was "no" from the outset gave every subsequent move clarity and purpose. The negotiator wasn't trying to reach a settlement — they were maximising recovery time, gathering intelligence about the threat actor, and building a comprehensive understanding of what data had been stolen.

Lesson: Deciding your walk-away position in advance lets every negotiation move serve a clear purpose. If the answer is no, use the time wisely.
// Primary Source

The Full Transcript — Verbatim

Published by LockBit 3.0 on 14 February 2023 after negotiations failed. The following is the complete transcript of 103 messages, reproduced verbatim from Casualtek's Ransomchats archive. URLs have been redacted.

Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
[Royal Mail] — 12.01.2023 13:44:06 UTC — Message 1/103
[Chat started]
[Royal Mail] — 12.01.2023 13:44:19 UTC — Message 2/103
Hi. Did this work?
[LockBit 3.0] — 12.01.2023 13:46:44 UTC — Message 3/103
hi
[LockBit 3.0] — 12.01.2023 13:46:48 UTC — Message 4/103
i'm here
[LockBit 3.0] — 12.01.2023 13:47:01 UTC — Message 5/103
[REDACTED URL]
[LockBit 3.0] — 12.01.2023 13:47:07 UTC — Message 6/103
tree stolen data
[LockBit 3.0] — 12.01.2023 13:47:34 UTC — Message 7/103
password @fA@KM@YY(X2%Z%tbvHn%re2a
[Royal Mail] — 12.01.2023 13:47:40 UTC — Message 8/103
Now I am worried about the other link with data in the other chat. Is that link gone now? so no one sees it
[LockBit 3.0] — 12.01.2023 13:48:54 UTC — Message 9/103
If you have already downloaded it, it is no longer available
[Royal Mail] — 12.01.2023 13:49:09 UTC — Message 10/103
Thank you.
[Royal Mail] — 12.01.2023 13:49:28 UTC — Message 11/103
Is this showing all the data you have taken from us?
[LockBit 3.0] — 12.01.2023 13:49:41 UTC — Message 12/103
the link is not available, did you download the tree or download it again?
[LockBit 3.0] — 12.01.2023 13:50:05 UTC — Message 13/103
Yes, all stolen data
[Royal Mail] — 12.01.2023 13:50:15 UTC — Message 14/103
I did open it and download a file from it. Is that the data?
[LockBit 3.0] — 12.01.2023 13:51:04 UTC — Message 15/103
there was a tree of data stolen from us at the link. you can select some files, we will send them to you
[Royal Mail] — 12.01.2023 13:52:12 UTC — Message 16/103
I will open the file and show it to my management
[LockBit 3.0] — 12.01.2023 13:53:54 UTC — Message 17/103
Yes, don't delay. time is not playing in your favor. so far we have not reported the attack on our blog
[LockBit 3.0] — 12.01.2023 13:54:10 UTC — Message 18/103
to whom am I speaking?
[Royal Mail] — 12.01.2023 13:55:54 UTC — Message 19/103
I work in our IT. Our senior management have asked me to contact you as it said in your note
[LockBit 3.0] — 12.01.2023 14:14:34 UTC — Message 20/103
ok
[LockBit 3.0] — 12.01.2023 19:44:46 UTC — Message 21/103
what does management say?
[Royal Mail] — 13.01.2023 15:31:42 UTC — Message 22/103
Hi. I gave them the file. I am still waiting for them to come back to me.
[LockBit 3.0] — 13.01.2023 17:32:45 UTC — Message 23/103
ok. hurry up
[Royal Mail] — 13.01.2023 20:00:02 UTC — Message 24/103
We shall return to speak on Monday following the weekend and lengthy discussions with our internal stakeholders.
[LockBit 3.0] — 13.01.2023 20:56:51 UTC — Message 25/103
Try to spend them productively, and please us. our patience is not infinite
[LockBit 3.0] — 13.01.2023 20:58:19 UTC — Message 26/103
what can we expect by monday?
[Royal Mail] — 13.01.2023 20:58:47 UTC — Message 27/103
We will let you know
[LockBit 3.0] — 13.01.2023 20:59:18 UTC — Message 28/103
ok
[LockBit 3.0] — 16.01.2023 21:47:26 UTC — Message 29/103
Hello. We waited the time you asked for. Now it's time to pay.
[Royal Mail] — 17.01.2023 19:12:33 UTC — Message 30/103
Apologies for the delay as this is a lot for us to deal with. We shall get back to you tomorrow with some file names from your large list to request to see.
[Royal Mail] — 18.01.2023 17:16:04 UTC — Message 31/103
File: [requested_files.txt]
[Royal Mail] — 18.01.2023 17:16:27 UTC — Message 32/103
These are the files we would like to see that you have
[LockBit 3.0] — 18.01.2023 19:16:19 UTC — Message 33/103
[REDACTED URL]
[LockBit 3.0] — 18.01.2023 19:16:34 UTC — Message 34/103
pass pMjd07L82^VYVexJyF6etQZ31
[LockBit 3.0] — 20.01.2023 11:29:08 UTC — Message 35/103
Hello, it's time to pay.
[Royal Mail] — 20.01.2023 14:54:24 UTC — Message 36/103
What do we need to test your decryption ability with our files?
[LockBit 3.0] — 20.01.2023 19:30:05 UTC — Message 37/103
each machine has its own ID. In order to decrypt the file you need to take the file from one PC, and go to the chat with the ID of this PC. then the test decrypt will be successful
[Royal Mail] — 20.01.2023 20:07:52 UTC — Message 38/103
Okay, we'll see what we can do to identify the ID from each. Will come back to you.
[LockBit 3.0] — 20.01.2023 21:28:19 UTC — Message 39/103
Also you can send me 5-10 files, I will decrypt it for you
[LockBit 3.0] — 20.01.2023 21:28:36 UTC — Message 40/103
Use this sites File Share: lockbitfile2tcudkcqqt2ve6btssyvqwlizbpv5vz337lslmhff2uad.onion lockbitfilzhrvt6eya2lvnp7te4iifzmwybendqclgujqbzu3k4gaid.onion lockbitfilzu5e62fybhieutf6653cpv6wco7twgjtkqwdgubn4q5rad.onion
[Royal Mail] — 21.01.2023 04:00:32 UTC — Message 41/103
Think I did this right. Here's some files: [REDACTED URL]
[Royal Mail] — 21.01.2023 04:03:07 UTC — Message 42/103
I also have a 6 GB file that is very important. It's associated with medical devices that can't yet be shipped out because this file is locked. Please please if you can unlock this too it will help save lives. I don't know how to send it over
💡 Classic tactic: Appeal to human cost while simultaneously creating a verification task that buys days. The 6GB medical device file becomes both a humanitarian argument and a technical roadblock.
[LockBit 3.0] — 21.01.2023 13:12:02 UTC — Message 43/103
File: [1.png]
[LockBit 3.0] — 21.01.2023 13:12:08 UTC — Message 44/103
File: [2.png]
[LockBit 3.0] — 21.01.2023 13:12:15 UTC — Message 45/103
File: [3.png]
[LockBit 3.0] — 21.01.2023 13:12:49 UTC — Message 46/103
File: [smh_installer.log.7z]
[LockBit 3.0] — 21.01.2023 13:12:58 UTC — Message 47/103
File: [WindowsUpdate.log.7z]
[LockBit 3.0] — 21.01.2023 13:22:32 UTC — Message 48/103
You gave me valuable files that can help restore your systems without paying for a decryptor, so I only gave back some of your files, and screenshots of the valuable files.
[LockBit 3.0] — 21.01.2023 13:24:40 UTC — Message 49/103
About 6 gigabytes of data that will supposedly save someone's life, is it one file weighing 6 gigabytes, or is it many files weighing 6 gigabytes in total? Something tells me that you are bluffing and you are doing system recovery and want to get free decryption of critical files needed for recovery. Tell me in detail what the medical equipment is and what the 6 gigabyte files are.
[Royal Mail] — 21.01.2023 16:28:17 UTC — Message 50/103
There are 2 files that are a combined 6 gigabytes when compressed. You know how much of our data is encrypted and when you see the files, you will understand that they will not allow us to recover. We are only pressing this because of the medical concern and we do not believe that your intent is to hurt anyone.
[LockBit 3.0] — 21.01.2023 20:35:45 UTC — Message 51/103
What are these files? What is their function? What medical equipment are these files for? And what does the postal service have to do with medical software? Where is the logic?
[Royal Mail] — 22.01.2023 18:15:53 UTC — Message 52/103
We are not just a postal service. We handle both letters and parcels, where roughly 60% of our business is parcels - international export of global medical supplies, contribute to a significant element of that! These supplies include vital replacement equipment parts, COVID-19 test kits, prescription drugs etc. The files that we have provided should allow us to resume shipping some of this equipment, not only here in the UK, but globally as well. Our transportation of this medical equipment does play a vital role in ensuring that people in need are being helped by these products. Given that the files are renamed, we are making our best assumption that this is the right dataset, and we would greatly appreciate the assistance.
[LockBit 3.0] — 22.01.2023 18:39:32 UTC — Message 53/103
If you pretend that you do not believe that the decryptor really works, you can send me 10-20 other less important files, e.g. not related to virtualization systems and not containing RAM dumps, you can send me personal documents, photos, and many other things that do not help you without paying for my postpaid pentest services. If you were really worried about medical equipment, just pay for my work and get a decryptor within 5 minutes. You are making multi-billion dollar profits from your business and don't want to part with the money, don't you think that's odd? It's your greed that makes the people who are waiting for their packages suffer.
[Royal Mail] — 24.01.2023 12:51:35 UTC — Message 54/103
We are not pretending anything and apologise if it appears that way. It is just that my management have heard that your decryptor might not work on large files, that is why they asked and wanted to see if it did. I am trying to convince them to work with you here, they are just asking for more proof of what we will get from you. As you probably know, we are already a loss making company, so we are not gaining anything from dragging this out. There are several articles on Google about our financial situation and how bad it is currently.
[LockBit 3.0] — 24.01.2023 13:47:58 UTC — Message 55/103
You can send me other large files, I will decrypt for you those files that I think are not valuable, that way you can be sure that the decryptor works on large files. Your financial situation is fine, you have a multi-billion dollar turnover, and a huge profit, the sooner you pay, the sooner this whole nightmare will be over for you. If you continue to stretch time I will be forced to publish your information on the blog with an offer to change negotiators, thank you for your understanding.
[Royal Mail] — 25.01.2023 17:27:01 UTC — Message 56/103
We are collecting some larger files that are not valuable to provide you. It's important for us to understand these can be decrypted of course so we appreciate you providing that opportunity to us. Ahead of this, we haven't even heard from you what it is that you want.
[LockBit 3.0] — 25.01.2023 17:52:34 UTC — Message 57/103
I'm waiting for the next batch of files to be decrypted. We want as 0.5% of your revenue.
[Royal Mail] — 25.01.2023 17:55:27 UTC — Message 58/103
And how much is that?
[LockBit 3.0] — 25.01.2023 17:55:48 UTC — Message 59/103
How much your revenue?
[Royal Mail] — 25.01.2023 17:57:54 UTC — Message 60/103
All we have had is losses. Here, you can read about it yourself. [REDACTED URL] [REDACTED URL]
[LockBit 3.0] — 25.01.2023 18:05:40 UTC — Message 61/103
We understand you very well, we are all suffering from the global crisis and our income has fallen as much as yours, anyway you are hundreds of times richer than us. 0.5% of annual global turnover is much less than a 4% fine from your government.
[Royal Mail] — 25.01.2023 18:12:52 UTC — Message 62/103
Just name the amount already so we can let the leadership know.
[LockBit 3.0] — 25.01.2023 18:17:10 UTC — Message 63/103
$80 million is 0.5% of your revenue, $640 million is 4% of your revenue. We are asking 8 times less than your state. In addition to this price you get a decrypt of your data.
💡 Note: LockBit calculated 0.5% of Royal Mail plc's total revenue, not Royal Mail International — an entity with ~£800M turnover, not billions. The $80M demand was based on fundamentally wrong figures.
[Royal Mail] — 25.01.2023 18:28:24 UTC — Message 64/103
Do you really think the government doesn't already know about this? Even if they were to fine us, paying you or not does not change this.
[Royal Mail] — 25.01.2023 18:32:06 UTC — Message 65/103
We'll get you the files and we can continue these talks later.
[LockBit 3.0] — 25.01.2023 18:32:49 UTC — Message 66/103
As long as we haven't published any of your files, you can't be fined. If you can negotiate with us, the government will be left without your $640 million. It is much better for you to negotiate with us and continue your very successful business with a long history and impeccable reputation. I personally used the services of your company and was very satisfied. I wouldn't want you to suffer so much from the government.
[Royal Mail] — 25.01.2023 18:34:07 UTC — Message 67/103
Talk to you later
[LockBit 3.0] — 25.01.2023 18:34:15 UTC — Message 68/103
Ok
[Royal Mail] — 26.01.2023 19:35:54 UTC — Message 69/103
How do I give you these large files? They are larger than your 2GB limit
[LockBit 3.0] — 26.01.2023 19:46:40 UTC — Message 70/103
My internet does not allow me to download such huge files, my internet speed is 50 kilobytes per second, send me files up to 50-100 megabytes at most. At the same time I can offer you to do the following, I will create a build of the encryptor and give you together with the decryptor, you will encrypt any files on your virtual machine and this way you can check the successful decryption of files larger than 2 gigabytes.
[Royal Mail] — 26.01.2023 20:04:08 UTC — Message 71/103
Okay, I guess we can try that. We just want to have confidence your decryption tool will work on these large files
[LockBit 3.0] — 26.01.2023 20:11:35 UTC — Message 72/103
You don't have to worry, thousands of people have successfully decrypted their files for almost four years.
[Royal Mail] — 26.01.2023 20:12:23 UTC — Message 73/103
I believe you, but we need to see it ourselves before we can consider this
[LockBit 3.0] — 26.01.2023 20:17:33 UTC — Message 74/103
[REDACTED URL]
[LockBit 3.0] — 26.01.2023 20:18:51 UTC — Message 75/103
Encrypt any of your computers or virtual machines, any amount or amount of information. Write to me via a note and I will give you a decryptor in a new chat in which you will write to me.
[LockBit 3.0] — 26.01.2023 20:23:33 UTC — Message 76/103
To start the encryption, simply run the file as administrator.
[Royal Mail] — 26.01.2023 21:58:06 UTC — Message 77/103
There is still some confusion over who we are, you are basing your revenue on what is a holding company and not Royal Mail Group. IDS (International Distribution Services) have several companies that exist under that umbrella who are independent to each other. We are Royal Mail International who is a separate entity, with an entirely independent Managing Director and Senior Official. Our Company’s revenue is in decline, as we have tried to explain to you previously and Royal Mail International is the Company that is affected by your penetration testing. Our current financial turnover is expected to be 800 million. Based on your calculation for payment (0.5% of total revenue) this equals 4 million dollars. If there is any negotiation at this percentage level the starting figure needs to represent what I have just described. I am trying to help our Senior Team understand this and I am grateful that you have offered to help them see that your decryptor can work to restore our services, by offering to decrypt some larger files. We will have to accept what we have for now and will see if this is good enough for them or not..
💡 Analyst note: This is both accurate and tactically brilliant — reframing the entire demand basis. Royal Mail International was a separate, loss-making subsidiary. The negotiator uses a genuine corporate structure distinction to undermine the ransom calculation.
[LockBit 3.0] — 26.01.2023 23:41:08 UTC — Message 78/103
You're bluffing, 800 million is your net profit per year, so 80 million is not that much money for you.
[Royal Mail] — 27.01.2023 13:45:18 UTC — Message 79/103
What company are you looking at to get those numbers?
[LockBit 3.0] — 27.01.2023 19:40:56 UTC — Message 80/103
[REDACTED URL]
[LockBit 3.0] — 27.01.2023 19:41:15 UTC — Message 81/103
[REDACTED URL]
[LockBit 3.0] — 27.01.2023 19:41:37 UTC — Message 82/103
[REDACTED URL]&guce_referrer=aHR0cHM6Ly93d3cuZ29vZ2xlLmNvbS8&guce_referrer_sig=AQAAAHuwwya8Vr_ETqomIFym90OHoOGvCLlLONYPwCbLmCiF19qs4A2x68Rge0ICtwVtRfnOeQIctYx5A0epfJT5t2u73JkDFGhBtrJFtpwWWlf3Y_Qbxtj8aL5TcfVxyrg_tvh7vJNNb3y9Ex0WXLu5iuj7visZOGG5yE8wufn912Bq
[Royal Mail] — 27.01.2023 23:20:22 UTC — Message 83/103
Trying to explain we are Royal Mail International, who is a separate entity, with an entirely independent Managing Director and Senior Official, and not "Royal Mail" as the overall entity. What you attacked is just a small portion and our revenue is not that of Royal Mail.
[Royal Mail] — 27.01.2023 23:21:48 UTC — Message 84/103
Anyways, time for bed. The board has meetings this weekend and we will not have anything new to speak about until Monday while they make their decision.
[LockBit 3.0] — 28.01.2023 01:33:39 UTC — Message 85/103
You are a very clever negotiator, I appreciate your experience in stalling and bamboozling, when you are trying to deceive you need to provide evidence for greater credibility, only a fool would believe in the honest word of a lawyer defending his client.
💡 A rare moment: The threat actor acknowledging the negotiator's skill. LockBit knew they were being managed. Despite this awareness, they couldn't break the negotiator's strategy.
[Royal Mail] — 28.01.2023 13:06:43 UTC — Message 86/103
Not here to deceive or bamboozle. Just being transparent about what we're doing. The board having meetings this weekend shows our seriousness. Please confirm you will wait for their decision on Monday
[LockBit 3.0] — 28.01.2023 16:25:17 UTC — Message 87/103
Your seriousness can consist only in a desire to pay 80 million dollars, all other promises of meetings of your management, which allegedly will be held, this is just a tactical move, increasing the time of negotiations calculated that I will be nervous and agree to a smaller amount of money that you will offer. I am ready to wait until Monday, I am sure that your directors have more than 100 million dollars on their personal cryptocurrency wallet, so it will not take much time to finish this nightmare.
[Royal Mail] — 30.01.2023 21:12:55 UTC — Message 88/103
As we informed you, we have a response from our board to provide you. Under no circumstances will we pay you the absurd amount of money you have demanded. We have repeatedly tried to explain to you we are not the large entity you have assumed we are, but rather a smaller subsidiary without the resources you think we have. But you continue to refuse to listen to us. This is an amount that could never be taken seriously by our board.
💡 The walk-away. Delivered clearly, firmly, after 18 days of buying time. The board had made its decision before day 3. Everything between was tactical delay — and it worked.
[LockBit 3.0] — 31.01.2023 23:55:53 UTC — Message 89/103
If I did not want to make a deal with you, your data would have already been published and the decryptor deleted. I am not forcing you to prove anything, I just kindly asked, refusing to give me such simple information says that you do not intend to cooperate with me honestly and tell me the truth. We are not attacking critical infrastructure, your commercial mail company with dozens of similar competitors is not. If you believe the news that your management is releasing, your mail services are fully restored and you are functioning as you are, humanitarian and medical supplies will be successfully delivered by your competitors, you will just get a little less profit, because you are very greedy and don't want to pay for my services. I'm sure you could easily pay $80 million, your income allows you to do so. If you want a discount, then make a counter offer, we are here to have constructive negotiations, not for me to give you a discount after every bluff you make until you say I'm fine with getting a free decryptor and free removal of stolen information. Any specific offer you make will be considered. You have a chance to make me an adequate payment offer by consulting with your board of directors, whose salaries are in the hundreds of thousands of pounds, but that does not stop them from being very greedy and not making concrete proposals to save the reputation of your commercial company which has more reasonable competitors who have already paid us money and successfully continue to earn new excess profits billions of pounds. Good day gentlemen.
[Royal Mail] — 01.02.2023 21:41:07 UTC — Message 90/103
I am still trying to work with you here. I am trying to get the board to find a solution with you, but they have two major concerns. You haven't showed us that you could handle the large files, and your starting point here is way too high. We have told you who we are, and our numbers wouldn't at all justify the demand you have put forward. I am doing what I can to drive things forward on my end, but your demand is simply too high for the board to consider. If you can give me a lower starting point, I think I may be able to get the board to work with you. I really want to find a solution here, please help me do that.
[LockBit 3.0] — 01.02.2023 23:24:58 UTC — Message 91/103
I'm ready to help you, I want to make money just like you, you and I have the same motivation in the form of money, your task is to reduce the price as much as possible, my task is to get the maximum amount. I have shown you that I can handle large files, you can encrypt and decrypt any files you want, why haven't you done that until now? The price is based on a multi-billion dollar company's profits, it's not the case that a company making billions of dollars pays the same price as an ordinary company making tens of millions of dollars. The more profits a company makes, the higher the buyout price, that's the math, you and your board of directors should understand that. Out of respect for you, I'm willing to step up and give you a 12.5% discount.
[Royal Mail] — 02.02.2023 21:16:44 UTC — Message 92/103
Thank you for this. I appreciate you coming forward like this. I will bring this to my management and get back to you.
[LockBit 3.0] — 03.02.2023 10:14:28 UTC — Message 93/103
Ok.
[Royal Mail] — 03.02.2023 20:54:50 UTC — Message 94/103
I just want to let you know, that I am still waiting for a reply. My manager told me, that he is waiting to hear back from the board. He has promised me I’ll get an answer on Monday. I will let you know as soon as I hear anything.
[LockBit 3.0] — 03.02.2023 21:01:26 UTC — Message 95/103
Very long, the company from the UK paid on the second day after the attack because they care more about their business and reputation, strange that for you it is not so important, because you make a lot more money.
[Royal Mail] — 04.02.2023 13:26:31 UTC — Message 96/103
Maybe you didn't ask them for such a large amount. That would probably make it easier to pay quickly. My manager hasn't gotten an update from the board yet, can I check back in with you Monday?
[LockBit 3.0] — 04.02.2023 16:40:24 UTC — Message 97/103
Naturally, I asked them for a smaller amount, their revenue is 58 times less than yours, they earn money 58 times less than you, I always ask for a fair and adequate amount from each company, I do not ask for what the company can not pay. Why do you have such a long chain of middlemen? why can't you communicate directly with the director? I will wait until Monday, but I think it is time to end this case. The journalists are asking me why I haven't published your information while I ignore their questions, they really want to see your files.
[LockBit 3.0] — 06.02.2023 11:17:00 UTC — Message 98/103
You need pay.
[LockBit 3.0] — 06.02.2023 12:52:43 UTC — Message 99/103
[REDACTED URL]
[LockBit 3.0] — 06.02.2023 12:52:56 UTC — Message 100/103
You have 50 hours for payment.
[Royal Mail] — 06.02.2023 22:20:26 UTC — Message 101/103
I just want to let you know, that I am still waiting to hear back from my management. It is not a quick decision for them, and I can’t just tell the board to hurry up. To be honest with you I have heard that they might not want to pay you for this. In our perspective the files got leaked when you took them from our system, and paying you won’t undo that in any way. I will get back to you as soon as I have further news.
[LockBit 3.0] — 07.02.2023 03:42:02 UTC — Message 102/103
I just want to let you know that the data is ready to be published and the decryptor is ready to be deleted. You have had plenty of time to make your decision, your time is up.
[LockBit 3.0] — 09.02.2023 12:41:40 UTC — Message 103/103
Do you have any offer for me?
// Aftermath

What Happened Next

14 Feb 2023

LockBit published all stolen data on their leak site — on Valentine's Day. They also published the full negotiation transcript, adding commentary that Royal Mail needed "a new negotiator." The irony: publishing the transcript showcased exactly how skilled the negotiator actually was.

Feb–Mar 2023

Royal Mail continued operations with limited international service for several weeks. The disruption was significant but manageable. Critically, no ransom was paid — confirmed publicly by Royal Mail and widely reported.

2023

Royal Mail's negotiator was widely praised by cybersecurity experts. The transcript became required reading in incident response training programmes and was cited as a textbook example of how to handle a ransomware negotiation when payment is not an option.

Feb 2024

Operation Cronos — a joint law enforcement operation led by the NCA, FBI, and Europol — took down LockBit's infrastructure, arrested key affiliates, and effectively ended the group's operations. Exactly one year after the Royal Mail transcript was published.

// Expert Perspective

What Would a Professional Negotiator Have Added?

Royal Mail's negotiator performed excellently. But there are additional capabilities a specialist ransomware negotiation firm brings to every engagement:

Threat Actor Intelligence

LockBit's payment rate, average discount given, known bluffs, and historical behaviour patterns. Understanding whether a threat actor's deadline is genuine or theatrical changes the negotiation calculus entirely.

Sanctions Screening

Ensuring any potential payment would not violate OFAC (US), OFSI (UK), or EU sanctions regulations. This is a legal requirement that many organisations overlook in the heat of an incident.

Cryptocurrency Tracing

Assessing whether a payment could be tracked post-transaction and whether the receiving wallet has been flagged by law enforcement or exchanges.

Structured Decryptor Validation

A formal testing protocol rather than ad-hoc file testing — ensuring the decryptor works across file types, sizes, and operating systems before any payment decision is made.

Post-Negotiation Data Verification

Confirming, where possible, that published data was contained and assessing the realistic exposure from the data that was leaked.

Facing a Ransomware Demand?

Whether you choose to negotiate or refuse — having specialists in the room changes the outcome. We bring threat actor intelligence, sanctions compliance, and negotiation expertise to every engagement.

⚡ Contact Us Now Our Negotiations Service →
// Related

Other Notable Transcripts

📄

Continental vs LockBit 3.0

37 messages — Major automotive supplier targeted

Read transcript →
📄

Entrust vs LockBit 3.0

29 messages — Cybersecurity firm breached

Read transcript →
📄

Samyang vs LockBit 3.0

237 messages — The longest LockBit negotiation

Read transcript →