Inside LockBit 3.0: The Big Fish Gamble Behind a Supply Chain Breach

Today, we unpack a ransomware negotiation that doesn’t just reveal criminal sophistication—it exposes the fragile dependencies in modern digital supply chains. This isn’t theory. It’s based on actual chat logs with LockBit 3.0. The stakes? A demanded $18 million ransom, two terabytes of stolen data, and one IT provider caught between a gang of extortionists and their furious billion-dollar client.

The Setup: Initial Impact vs. Actual Reach

At first, it seemed manageable—fifteen servers locked up. But LockBit was quick to correct the record: eighty-five servers encrypted and two terabytes of data exfiltrated. That data wasn’t just junk. It included detailed knowledge of the internal network, backup systems, and IP ranges. The attackers had clearly done their homework.

Then came the opener:

“Your price is $8 million.”

And if the IT firm didn’t pay?
Public leaks. Reputation damage. Compliance chaos. You know the drill.

The Surge: Anchoring High, Climbing Higher

Classic psychological playbook. Before any concessions, LockBit increased the demand to $18 million. Why?

“Because you big and rich company.”

Anchoring bias weaponized. They believed they'd breached a billion-dollar enterprise—and acted accordingly. Even after the victim tried to clarify their size, the attackers insisted: big company, big price.

The Twist: A Supply Chain Bombshell

Here’s where the story pivots.

The victim wasn’t the billion-dollar entity LockBit thought. They were an IT provider. The real crown jewels—the data—belonged to their client.

“The company you hacked is an IT service company… the information you have is the customers of my client.”

That changed everything. Or did it?

LockBit acknowledged the shift—but held firm. To them, the IT provider was simply the access point. The data’s value hadn’t changed. Neither had the price.

“You hacked my clients. Revenue was $70m. Profit was $4m.”

But LockBit didn’t budge. They weren’t charging for impact—they were charging for leverage.

The Big Fish: Pressure, Power, and Perception

LockBit’s target wasn’t the IT company they breached—it was the much larger entity downstream. Early in the negotiation, the attackers set the tone with a blunt dismissal:

“Your IT company is not interesting to us. We need the big fish, your client.”

This wasn’t a random escalation. It was a calculated psychological tactic: intimidation combined with a claim of authority over who mattered in the negotiation. By shifting attention to the "big fish," they made clear that the IT firm was merely a means to an end. The value of the ransom, they insisted, was derived from the worth of the data, not from the breached party’s ability to pay.

“The fact that we hacked your client's company through the IT company that serviced him does not mean that the ransom price should be less.”

Faced with this framing, the victim tried to appeal to logic and empathy:

“I fully understand that you need Big Fish.”

They explained that the massive ransom couldn't be paid by the IT company alone—and that the fallout with their client was already catastrophic:

“Big Fish is very angry with IT service company. Because IT service company was hacked and Big Fish’s information was leaked, Big Fish is saying that IT Company should pay for everything.”
“If this doesn't be solved, I heard that Big Fish will cut the deal with the IT company and file a damage compensation lawsuit.”

As negotiations dragged on, the IT provider made repeated efforts to reframe expectations, presenting updated financial figures in the hope that practicality would win out:

“Big fish’s revenue is about $2B, not $10B. And Big Fish’s profit is much less than this… If necessary, I will send financial statements disclosed on the securities site.”

They emphasized the economic impracticality of the demand:

“The amount you ask for is a very difficult amount to pay for even Big Fish.”

Even as they tried to show transparency and good faith, LockBit dismissed their arguments as lowballing:

“You bluff. Your stock is up 8% today.”

Later, the victim compared other companies’ payment benchmarks to justify a lower offer:

“Big Fish says the amount is too much because Big Fish heard there. Ransomware victims share information among themselves.”

Still, LockBit stuck to their original evaluation:

“Each company is unique and the amount of the ransom is assigned depending on the value of the data we possess.”

This repeated use of data valuation as a hardline anchor, combined with a refusal to engage with the third-party complexity of the situation, left the IT provider squeezed from both ends. The attacker would not reduce the demand, and the client would not pay it. All the while, the "Big Fish" was becoming more vocal and more skeptical.

“Big Fish wants you to give him more solid evidence that you have relevant information.”
“There is too much difference between the value of data you think and the value that Big Fish thinks.”
“This is the most important factor for you and Big Fish to talk about the price.”

Ultimately, the discussion reached a point where even Big Fish’s executives were involved—but far from committed:

“It is such an important decision that executives in the Big Fish are discussing it. The amount itself is too big, and there are different opinions on how to pay that large amount.”

LockBit had aimed for the whale, but their net caught the wrong fish. And both sides were left trying to renegotiate the price of misidentification.

The Fallout: Between a Gang and a Hard Place

Things got ugly.

The IT firm’s client was furious—threatening lawsuits and termination.

“Big Fish is very angry… will cut the deal and file damage compensation lawsuit.”

Caught in the middle, the IT firm floated a new reality: maybe they could come up with $500k to $1M. Still light-years away from LockBit’s $13.5M “bottom line.”

Meanwhile, operational hurdles piled on. Bitcoin transfers from Korea faced government scrutiny. The victim couldn’t even send the money easily.

LockBit adjusted—a bit.

They allowed split payments. But no split decryption. One master key controlled the entire system. No technical workaround.

The Pressure: DDoS, Deadlines, and Data Leaks

As negotiations dragged, LockBit turned up the heat:

  • DDoS attacks launched.
  • Data leak previews shared.
  • Time-is-running-out messages began.

Even as the victim tried a test decryption, the chats became sporadic. Communication broke down. We never see a clean resolution.

The Takeaways: Beyond the Encryption

This case is more than a digital stick-up. It’s a forensic look into how ransomware groups operate—and how third-party risk explodes during an incident.

Psychological Warfare

From bluff accusations to threat escalation, LockBit played every psychological card in the deck.

Technical Tactics: Encryption and Data Exfiltration

The technical detail that matters most in the chat is the key design. As LockBit described it, every encrypted host in the network was covered by a single master key, so there was no way to hand over a decryptor for some machines without handing over the ability to decrypt all of them. The stated rationale was to prevent victims from buying back only their critical systems:

"If I give you a decryptor, then you decrypt absolutely all the computers in the network."

The effect was an all-or-nothing deal: full payment in exchange for full restoration, with no partial decryption to relieve the pressure on the most important systems while the rest of the money was being arranged. The attackers were willing to split the payment, but not the decryption. There was no technical way to decrypt incrementally under that key design.
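To make the "one master key, no partial decryption" point concrete, here is an added example (not LockBit's code and not a description of its real cryptography) that models two ways of encrypting a fleet of hosts. In the flat design, every host is encrypted directly under one master key, so the only decryptor the attacker can release is the master key itself, which unlocks everything. In the wrapped design, each host gets its own key, wrapped under the master key, so the attacker could release one host's key without releasing the others. The cipher is a deliberate toy (SHA-256 in counter mode with an HMAC tag) built on the standard library so the script runs offline; the host names and contents are constructed sample data.

```python
"""Toy model of key hierarchy and decryption granularity.

Added example: not LockBit's implementation. The cipher below is a
SHA-256 counter-mode keystream with an HMAC-SHA256 tag, chosen only so
the script runs without third-party packages. Do not reuse it for real
data protection.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` bytes of keystream from key and nonce (toy cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag. Tag binds nonce and ciphertext to the key."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt. Raises ValueError if the key is wrong."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def encrypt_fleet_flat(master: bytes, hosts: Dict[str, bytes]) -> Dict[str, bytes]:
    """Flat design: every host encrypted directly under the single master key."""
    return {name: encrypt(master, data) for name, data in hosts.items()}


def encrypt_fleet_wrapped(master: bytes, hosts: Dict[str, bytes]) -> Tuple[Dict[str, bytes], Dict[str, bytes]]:
    """Hierarchical design: one random key per host, each wrapped under the master key."""
    ciphertexts, wrapped_keys = {}, {}
    for name, data in hosts.items():
        host_key = os.urandom(32)
        ciphertexts[name] = encrypt(host_key, data)
        wrapped_keys[name] = encrypt(master, host_key)
    return ciphertexts, wrapped_keys


def recover(released_keys: Dict[str, bytes], ciphertexts: Dict[str, bytes]) -> List[str]:
    """Try every released key against every host; return the hosts that decrypt.

    This models what a victim can actually restore given whatever key material
    the attacker chose to hand over.
    """
    restored = []
    for name, blob in ciphertexts.items():
        for key in released_keys.values():
            try:
                decrypt(key, blob)
                restored.append(name)
                break
            except ValueError:
                continue
    return sorted(restored)


def demo() -> Tuple[List[str], List[str]]:
    """Compare what a 'decryptor for dc01 only' unlocks under each design."""
    # Constructed sample fleet; contents are placeholders.
    hosts = {
        "dc01": b"domain controller - ntds.dit",
        "file01": b"file server - customer records",
        "backup01": b"backup server - weekly snapshots",
    }
    master = os.urandom(32)

    # Flat design: the only decryptor that exists is the master key.
    flat_cts = encrypt_fleet_flat(master, hosts)
    flat_restored = recover({"decryptor": master}, flat_cts)  # every host

    # Wrapped design: the attacker unwraps and releases only dc01's key.
    wrapped_cts, wrapped_keys = encrypt_fleet_wrapped(master, hosts)
    dc01_key = decrypt(master, wrapped_keys["dc01"])
    partial_restored = recover({"dc01": dc01_key}, wrapped_cts)  # dc01 only

    return flat_restored, partial_restored


if __name__ == "__main__":
    full, partial = demo()
    print("flat design, master key released:   ", full)
    print("wrapped design, dc01 key released:  ", partial)
```

The script shows that partial decryption is a property of the key hierarchy, not of the negotiation. When an extortionist says the system is locked under one key, a negotiator can take that at face value: any decryptor they release is the master key, and no "just the domain controllers" deal is technically possible. Under a per-host design the same attacker could release keys selectively and would be refusing for commercial reasons rather than technical ones.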

The Supply Chain is the Attack Surface

This wasn’t just an attack on an IT provider. It was an attack through an IT provider.

The Payment Isn’t Just Money

It’s logistics, legalities, and national regulations. Even if you want to pay, you might not be able to.

The Question: Who Should Pay?

If a breach at your vendor leads to your data being stolen, who foots the bill? The service provider? The client? Shared responsibility? There’s no easy answer.

Conclusion

The LockBit 3.0 case reveals the chaos that erupts when criminal calculation meets organizational misalignment. A ransomware gang anchored its demands to the value of the stolen data, while the breached party, an IT provider, struggled to reconcile that figure with its limited role and resources. Meanwhile, the true data owner, the “Big Fish,” distanced itself from the fallout and refused to absorb the financial shock. The result was a negotiation triangle full of miscommunication, power struggles, and unresolved tensions. What emerges is not just a story of extortion, but a stark warning about supply chain risk, the limits of control in third-party relationships, and the growing sophistication of ransomware tactics. In today’s interconnected ecosystem, your vendor’s failure might just become your million-dollar problem.