“We Know Exactly Who You Are”: When LockBit Gets Personal
Some ransomware negotiations feel like business deals. This one feels like an interrogation. From the first minutes, LockBit leans not only on data theft and downtime, but on something more unsettling: “we know exactly who you are” and “we will take tough measures in case of disobedience.” The victim tries to stay calm, pushes back on revenue assumptions, and even calls out LockBit’s internal drama.
“We Think Your Page Is Not Working Properly”
The chat opens with confusion, not threats. The victim’s first problem is not the ransom; it’s the portal.
“we think your page is not working properly, we tried 2 first links and it got stuck on the logo and 3 items flipping around all time…”
LockBit blames DDoS and responds with a list of onion mirrors. The victim eventually confirms that one link is working and, almost with relief, thanks them: “thanks god.”
This moment captures a strange reality of ransomware: victims end up debugging the attacker’s infrastructure just to start the negotiation. They are locked out of their systems, yet still reliant on the criminals’ uptime.
“We Have 150 Computers”
Once communication stabilizes, the victim looks for scope. They do not start with money; they start with impact.
“and also, which data do you mean? can we know which data did you get from us?”
“we have 150 computers”
LockBit gives almost nothing at first: “data from your network.” When the victim asks more concretely; “which data? so I can tell the bosses”; they get the classic double-extortion dodge:
“we will give you this information after you pay the ransom.”
The victim pushes back, explaining they need details for the internal meeting, and that ability to pay depends on “which folders/files we risk being published.” This is a rational position, but LockBit holds the cards.
130k Files, 122GB, $1,000,000 in BTC
After some pressure, LockBit finally reveals the scale of exfiltration:
“130k files, 122gb”
They send a tree of stolen data and a sample archive so the victim can verify it. Then comes the anchor:
“The price of decrypt and delete data 1.000.000$. we accept payment in BTC”
The victim responds plainly: “1 million is absolutely out of range.” Still, they stay polite, thank LockBit for the information and files, and say they will discuss with management.
LockBit counters with “research.” They claim to have studied revenue data and even tie the victim’s site to a larger California company:
“We studied your revenue data… revenue is about $100 million… your site translates to the site of a large california company with $1 billion in revenue. based on this, the requested amount is quite real.”
They support their case by linking a public article about another LockBit victim facing $42 million in costs, using fear and precedent as leverage.
“We Know Who You Are, and We Know You Are at Least Reliable”
The victim challenges LockBit’s assumptions: their revenue is not close to $100 million, the data taken is “not sensitive at all,” and they have backups. Still, they acknowledge reality:
“we know who you are, and we know you are at least reliable”
It’s a chilling line. “Reliable” here means: they usually deliver a decryptor and honor deletion promises if paid. The victim uses that reliability to frame a counter-offer: $100k, approved internally without extra meetings.
LockBit snaps back: “No, it’s not enough!” and escalates the risk:
“we have your sensitive data, marketing data, financial data, passports, iti, transactions, and so on. so think about the damage that publishing data can do to you.”
This is classic double extortion: raise the stakes around data sensitivity and reputational ruin.
“If You Are Not Ready to Pay More Than 100k…”
The victim underscores constraints: finance has its own CEO, anything above $100k triggers “a lot of paperwork, meetings, approvals and so on.” They are negotiating not just with criminals, but with their own governance.
LockBit draws a hard line:
“if you are not ready to pay more than 100k, you can leave the chat room and wait for the publication of your data”
They add a time pressure mechanism; there is “time to find money,” but “time will not last indefinitely,” and lack of “active” negotiation will lead to a blog post. The goal is to turn internal process into a liability.
“We Know Exactly Who You Are”
At this point, LockBit drops the most aggressive psychological play:
“We know exactly who you are. don’t start talking about limiting finances and so on. we know who you are and how much you can pay. so we will stand our ground and take tough measures in case of disobedience”
This is more than threat; it’s an attempt to erase the victim’s narrative. Any talk of budget, governance, or hardship is dismissed as fiction because LockBit claims superior intelligence.
The victim hits back:
“you dont know who I am, otherwise you would not be here”
It’s a mild insult: if LockBit truly knew everything, they wouldn’t have targeted this environment; or at least wouldn’t be arguing over their own misread of the victim’s financial reality.
“Tell Your Boss I Don’t Throw Him to the Dogs”
In a surprising turn, the victim shifts from bargaining to meta-commentary about LockBit itself:
“tell your boss I dont throw him to the dogs because I respect him, his brother and what they say
I mean the real boss, not lockbitsupp”
They reference internal LockBit politics, hinting they follow the group’s drama and leadership disputes on public forums. Then they add a farewell:
“good luck”
LockBit tries to regain control: “Put aside unnecessary talk. negotiate constructively.” But the negotiation has clearly shifted. The victim continues:
“just tell your boss and his brother that I appreciate them, thats all
tell lockbitsupp to send it to the real owners”
The attacker is confused: “that doesn’t make sense. why are you coming in here?”
“Your Feud with the Cats Should Be Coming to an End”
The victim then openly criticizes LockBit’s public behavior:
“your feud with the cats should be coming to an end, at least on the public domain
what is the point of giving away so much information in front of everyone who wants to read xss?
its good for none of you and very valuable for FEDs and their cheap dogs, researchers”
They call the operation a “nice honeypot” that wasn’t even fully locked—backups and ESXi were still there. In other words: the impact was limited, the exposure on forums is reckless, and law enforcement benefits more from LockBit’s theatrics than LockBit does.
The attacker responds with a final boundary:
“If you’re not interested, leave the chat room and don’t come in.”
The victim takes that advice:
“I will take your advice to not come back, take care my friend.”
LockBit closes with a single word: “bye.”
Why This Negotiation Stands Out
This negotiation is less about discounts and more about identity and narrative control. LockBit insists “we know exactly who you are” and uses supposed financial intelligence to justify a $1M anchor. The victim counters with operational reality (backups, non-sensitive data, internal limits) and even challenges LockBit’s own brand wars in public spaces.
Instead of collapsing under pressure, the victim reframes the conversation: from “can we afford this?” to “does this even make sense for either of us?” In the end, they walk away; not with a decryptor, but with their leverage intact and backups still in hand.
This negotiation is a reminder :
- Criminal “intel” about your revenue is often approximate and inflated.
- Internal approvals slow you down—but can also stop panic payments and force sober review.
- Understanding the threat actor’s public behavior (leaks, brand issues) can give you unexpected psychological leverage.
- Working backups turn a “we are destroyed” moment into a choice, not a ransom obligation.
- Not every negotiation has to end in payment; if impact and data sensitivity are limited, calmly walking away can be a valid strategic choice.
- Staying calm and questioning their assumptions can break the fear script they rely on.
When an attacker says “we know exactly who you are,” the smartest move may not be to argue the number—it may be to question the story behind it.