When Walking Away is the Only Option: LockBit 3.0 Ransom Negotiation

Ransomware negotiations are a tense, high-stakes dance where every word—and every minute—can tip the balance between recovery and disaster. The following case offers a rare, detailed glimpse into a negotiation with the LockBit ransomware group, where the victim, a relatively novice negotiator, tries to navigate demands that spiral from hundreds of thousands to millions of dollars.

A critical but often overlooked aspect of these negotiations is that attackers are comfortable walking away if the price isn’t right. Ransomware groups aren’t desperate to close every deal—they have a steady stream of new victims and know that not every negotiation will end in payment. This gives them leverage; they can make aggressive demands and escalate their price, knowing they can simply move on to the next target if negotiations stall.

Victims sometimes assume that attackers will eventually settle for whatever can be paid, but this isn’t always true. If the attacker senses that the victim is unwilling or unable to meet their price, they may cut off communication or increase pressure, rather than compromise. This walk-away readiness shifts the power dynamic and raises the stakes for organizations under attack, making it clear that not every negotiation will have a resolution—and not every ransom will be paid.

The Conversation Begins: Uncertainty Meets High Stakes

The victim opens the chat uncertainly:

"How does this work? What are you asking for?"

From the outset, it’s clear the victim is inexperienced with ransomware negotiations. The attacker quickly responds with a steep demand:

"Price for your company is $15 million."

This astronomical figure sets the tone for a negotiation that will stretch over days, with offers and counteroffers spanning from $500,000 to $15 million.


Demanding Transparency and Proof

The victim requests detailed file listings to verify the attacker's claims of having stolen 1.5 terabytes of data:

"We would like... a detailed file listing... including full file paths and data size..."

The attacker provides partial proof files but refuses full transparency, citing sensitivity concerns. This fuels the victim’s skepticism about inflated statistics.


Timer Tensions: The Countdown Pressure

As the victim’s leadership reviews the information, they ask for more time and request that the attacker pause or extend the countdown timer on LockBit’s blog—an ominous public countdown threatening data leaks.

The attacker reluctantly adds 12 hours but warns:

"You need to hurry up if you want to prevent distribution of these proofs."

Later, when the victim notices the timer shortening instead of extending, they express concern:

"If you post the data, then we have no reason to give you an offer."

The attacker responds:

"I warn you to stop playing these games with us because our patience is almost done."

Price Negotiations: From Modest Offers to Million-Dollar Demands

The victim tries multiple offers in an attempt to find common ground:

  • $500,000 initially
  • Increasing to $750,000
  • Then $1 million as a final stretch

However, the attacker flatly rejects these amounts with firm language:

"I don’t want to see amounts like 500k or 1-2-3 million dollars."
“You can pay 15 million, nobody will know what data we have.”
“Next week it will be 30 million.”

From the attacker’s side, these rejections serve several strategic purposes:

  • Establishing Control: By dismissing low offers as “ridiculous” or “miserable pennies,” the attacker reinforces their dominance in the negotiation, signaling that only near-full payment is acceptable.
  • Maximizing Financial Gain: Insisting on amounts far exceeding the victim’s capacity pressures them to stretch budgets or seek external funding, increasing the likelihood of a larger payout.
  • Creating a Sense of Urgency: By threatening to double the ransom soon (from $15 million to $30 million), the attacker pressures the victim to act quickly, fearing further financial escalation.
  • Psychological Pressure: Constant reminders of the victim’s financial situation paired with threats of data exposure aim to induce fear and helplessness, pushing the victim toward compliance.
  • Signaling Inflexibility: The attacker’s rigid stance discourages lowball offers and attempts to negotiate partial payments, framing the ransom as non-negotiable.

Despite acknowledging that it knows about the victim’s financial struggles, LockBit insists:

“I can trust you and provide access to your data for everyone or press only.”

This threat underscores that failure to meet demands will result in severe reputational and operational damage, amplifying pressure on the victim.


Threats Increase: Clients, Media, and Public Exposure

With patience waning, the attacker warns:

“Next step is calling all your clients.”
“If you don't want to pay us, you'll lose more.”
“We will start working with media by sending them links with all your data.”

The victim stresses willingness to pay a “realistic” price and pleads for the files to be removed and the threats paused to maintain negotiation goodwill. The attacker dismisses these pleas and threatens public leaks with just days left on the countdown.


A New Voice: The “Boss” Enters the Chat

At one point, an attacker claiming to be “boss Lockbit” intervenes:

“My partner asked if he can make an additional discount and agree to your miserable pennies—I refused him.”
“Since October 1, it is strictly forbidden to make discounts over 50%.”
“The last possible price for you is $7.5 million.”

This message adds a new layer of intimidation and rigidity, reinforcing that discounts are capped and prices remain sky-high.

The victim questions whether this is truly a different person but sees it as a sign the attackers remain interested in closing a deal—just not on the victim’s terms.


The Breaking Point: No Agreement Reached

The victim continues to press leadership for approval on their highest offer but faces a hard deadline from the attacker:

“You still have 9 hours.”
“You had a lot of time which you wasted.”

In response, the victim explains approvals will take longer and requests patience. The attacker refuses.

Ultimately, no agreement is reached. The threat of data publication looms large as negotiations stall.


Insights from This Negotiation

1. Negotiators Face Steep Learning Curves

The victim’s initial uncertainty (“How does this work?”) underscores how many organizations are unprepared for ransomware negotiations at this scale. In some cases, however, this display of uncertainty may be intentional—used as a tactic to lead the attacker to underestimate the victim’s knowledge or negotiation skills.

2. Attackers Hold Psychological and Tactical Upper Hand

LockBit 3.0 sets harsh terms early and uses countdown timers and public threats to pressure victims emotionally and financially.

3. Transparency Is Limited and Strategic

Partial proofs are given to bait victims into paying, but full disclosure is withheld to maintain leverage.

4. Financial Offers Far Below Demands Are Rejected

Lowball offers are dismissed as “miserable pennies,” regardless of victims’ financial realities.

5. Communication May Involve Multiple Personas

The entry of “boss Lockbit” demonstrates how attackers manage negotiations via different voices to reinforce authority and rigidity.

6. Deadlines Are Used as Pressure Tools

Countdown timers and fixed ultimatums create urgency that may force rushed decisions.


Full Chat Logs

FULL TRANSCRIPT:

Victim: [Chat started]

Attacker: Hello! We will keep the publication but without proofs of leak.

Attacker: If you'll be fast the blog isn't going to be an issue because it just a words in the internet

Attacker: File: [9.png]

Attacker: File: [8.png]

Attacker: File: [10.png]

Attacker: File: [11.png]

Attacker: File: [12.png]

Attacker: You need to hurry up if you want to prevent distribution of these proofs

Attacker: File: [21.png]

Attacker: File: [19.png]

Attacker: File: [20.png]

Attacker: File: [22.png]

Victim: How does this work? What are you asking for?

Attacker: You need to pay ransom to keep this incident and data we have confidality

Victim: What is the ransom price?

Attacker: Price for your company is 15m$.

Victim: We would like to ask you to provide a detailed file listing showing the files you took from our systems. We need the file listing to show a total data size so that we can compare that against the 1.5TB you referenced on your blog. We will also need you to show us what the three database backups were.

Attacker: File: [filetree.7z]

Attacker: File: [filetree2.7z]

Attacker: You can choose up to 5 random files from file tree and we'll send it like a proof.

Victim: Are you able to provide file listings that maintains the file path and shows the file size and total file count and data size of each list?

Attacker: File: [2.jpg]

Attacker: File: [1.jpg]

Attacker: File: [3.jpg]

Attacker: We cannot provide you more information because it exposes sensitive information

Attacker: Some files are compressed

Victim: We need transparency if we are going to come to an agreement. Our leadership needs to see a full listing, including the full file paths and data size if we are going to proceed. Because you have not provided a file listing with the details we have asked for, there is a great concern that you may be artificially inflating your statistics.

Attacker: Ok, wait

Attacker: File: [data2.7z]

Attacker: File: [data4.7z]

Attacker: File: [data5.7z]

Attacker: File: [data1.1.7z]

Attacker: File: [data1.2.7z]

Attacker: File: [data3.7z]

Victim: Thank you for providing the most recent file listings, our leadership will start review this information tomorrow. We will get back to you soon. In the meantime, will you please take the timer off your blog site. We won’t be able to come to an agreement by tomorrow afternoon.

Attacker: We will add 12 hours.

Attacker: Any updates?

Victim: Our leadership team is still reviewing the file listings, this is going to take us a couple of days. One question that keeps being asked is, do the file listings you provided include all of the data you took?

Attacker: You see the timer. Nobody going to wait for you to check every single file from the list. Stay slow and everybody will check the listing with you. Also we have prepared special high speed mirrors for press.

Victim: Yesterday the timer showed 4 extra days. Our leadership team planned on using that time to review the data so that we can prepare a counteroffer. We are still evaluating the data and need to work through this process. If you post the data, then we have no reason to give you an offer. Please return the timer as it was so we can continue our discussions to come to a resolution on this.

Attacker: You have 48 hours

Victim: We’ve had a chance to perform our review, we want to make sure we’re very transparent with you as we work together to resolve this.

Victim: Based on what we have seen in the list, we are going to have to notify a lot of our clients of this by law. This will cost us a lot of money to do regardless of whether we pay you or not, so we have to account for that. We’d still be willing to pay you so that the data gets deleted, but that price has to be realistic. $15M is not realistic for us.

Victim: Considering what we have available and what we need to spend regardless, we’re willing to pay $500,000 to resolve this with you.

Attacker: You can pay 15m and nobody will know about what data we have. I don't want to see amounts like 500k or 1-2-3-m$ because its ridiculous for your company size and you'll pay much more if i post your data.

Attacker: I had a conversation with my boss. Due to our rules we cannot review any unreasonable offers. My boss is provide you a discount so now you can pay $14.5m. Next week it will be 30m$. If you think that it's too much say it now. Consider your responsibility for the clients.

Victim: The size of our company doesn’t matter in this situation, and if you know our finances, then you know we haven’t made a profit in years. What matters is what we can pay and what is realistic for us. Based on what you have shown us and what we have to pay regardless because of our legal obligations, what is realistic for us is $750,000, maybe a little bit more based on what you have shown us. Perhaps you discuss with your boss again to explain the situation and extend the timer while we continue discussing the resolution of this with you.

Attacker: We do know about your financial situation and we know that you can pay. But I can trust you and provide access to your data for everyone or press only. So may I count on you and wait a little bit more or you going to put me bullshit offers everyday?

Victim: If you make our data public then we have not reason to keep negotiating or make a payment of any amount. The price you are asking is completely beyond our capability to pay and we ask that you re-consider our last offer or provide a number that's more reasonable. Either way, we need more time to figure this all out.

Attacker: I wont talk with my boss about all offers under 8m$. If you swear me to give me normal offer i can give you extra time.

Victim: We will go back to our leadership team and board to discuss what we can do. Please give us more time, it is going to take us some time to get the appropriate individuals engaged.

Attacker: Timer is paused until tomorrow. I warn you to stop playing this games with us because our patience is almost done.

Victim: We can bring our offer up to $1,000,000 but this will deplete what funds what we currently have available for a payment.

Attacker: Read one more time carefully my previous messages. I told you that i don't want to see offers like this. I'm starting to make first steps to destroy your company because you don't want to make a deal with me. You think I'm fool? I have your files and i know how much money you have.

Attacker: CEO of REDACTED knows about this shit offers? He understand how much funds he will loose in all departments around the world after work we'll done?

Victim: Our offer was approved by the leadership team and board, these are the individuals who determined that $1,000,000 is a reasonable and realistic valuation. Your attempt to reach out to or call our people will not influence our position. $1,000,000 is all that we are able to offer at this time and we would like to ask you to review this offer with your boss.

Attacker: We don't accept your offer. We've been waiting long time for a good offer from you and can't wait anymore. Now we will start working with media by sending them a links with all data of your clients, transactions, taxes, etc. We have collected a lot of data and we will send a it to the tax department, trade unions and more law offices later. We think they will be interested in your activities. We don't want to have a dialogue with you because you're losing our time. Wish you the best luck.

Victim: We have been working in good faith with you to bring this to a realistic resolution. If you move forward and publish or make public any more of our data than we will have no incentive to work with you. We have to believe that $1,000,000 is worth more to you than publishing our information. If you can provide us a more realistic price than we can discuss this in our next leadership meeting that is scheduled for Monday.

Victim: We see that you have re-posted some files. We previously indicated that disclosure of information impacts our incentive to pay.

Victim: We have demonstrated a willingness to pay a realistic amount but you continue to demand an amount that is higher than we can pay, make unnecessary threats and are taking these unnecessary posting actions that cannot change our position. We have told you that we need until Monday to discuss any increased payment. We ask you remove the files, stop your threats and accept a reasonable offer from us.

Attacker: I told you, next step is calling all you clients. I told that if you don't want to pay us you'll lose more. Stop your shit talk about you don't have funds and so on. I know who you are and what work you need to do and you know that if I'll publish all data from company you'll get nothing. So you need to talk with company management and come back with amount which we're asking.

Victim: We’ve been very transparent with you throughout this process. As we said, if you make any additional disclosures of our information, our willingness to pay any amount will be drastically reduced. Republishing our name and original data on the site and continuing to try to contact our leadership or media won’t change our position, and in fact will make us less willing to pay. We are willing to pay a realistic price and come to an agreement with you. $1,000,000 is that price. Let’s close this and both move on with a win.

Attacker: It could be win for you not for us. Seems you don't want to make a deal.

Attacker: http://lockbit7z2jwcskxpbokpemdxmltipntwlkmidcll2qirbu7ykg46eyd.onion/secret/acc2cf6896c0c9c116ff8c52bda40d0b/REDACTED.com/

Attacker: You have 2 days until it will be published. All or nothing.

Attacker: File: [ALL.JPG]

Attacker: Here you go. The day after tomorrow, I will send another letter with all your data

Victim: Your continued pressure and threats make it very clear to us that you want to get paid and close this deal. The amount of money you are asking is nowhere near a realistic price to pay for the data you have shown us. We have said this time and time again. Your new threat to notify the media and your continued efforts to threaten our business, our leadership and our customers will not change our valuation of the data and will not influence our position. We have clearly demonstrated the price range we are able to work within. Stop playing your games, wasting our time and let’s close this business deal. give us a price within range of our offer and our leadership team will discuss making a deal.

Attacker: The price range is between 7,7 and 15 million dollars, I already told you that, did you forget?

Victim: We saw that you originally responded and asked 'What range?' It looks like you have now changed that response which is unfortunate. You should realize by now, the realistic range we are willing to consider is evident by our offer to date. Take this information back to your boss and let’s discuss a price that is more realistic.

Attacker: Hello, this is boss Lockbit, my partner asked if he can make an additional discount and agree to your miserable pennies, I refused him. The thing is that since October 1, according to the new rules it is strictly forbidden to make a discount of more than 50% of the originally announced redemption amount, so the partner has no right to make a discount on a single dollar even if he wants it very much and believed in your funny fairy tales about your poverty and the last possible price for you $7.500.000. I as the Boss will be very happy to see your information on my blog, your information will be kept there forever. The only way to prevent the leak is to accept my last possible price, otherwise you will not only suffer losses from the leak but will be repeatedly attacked again in the future and will not know in what original way your very profitable and successful company was hacked until now. All the best, you can continue negotiations with my partner.

Victim: I have no way of knowing if the individual who wrote this last message is truly a different person. Everything about this message tells us that you are still interested in making a deal and getting paid. Your original price is unweighted and not realistic. Your “internal rules” about the discount percentage you are able to provide do not apply to us or this situation. That is unfortunately an issue you are going to need to work through internally, come back to us with a resolution if you would like to make this deal. We reiterate, if you publish our data we are done. Your demand is totally out of our range and as a result we will not provide another counteroffer until you give us a more realistic price within our range.

Attacker: Work on the leak. Correspondence will be attached to the blog post.

Victim: We will need to meet with the leadership team tomorrow 

Attacker: No. You still have 9 hours.

Victim: We will not be able to get approvals to raise our offer tonight. You are going to need to wait until tomorrow.

Attacker: No. You already had a lot of time which you wasted so hurry up.

Conclusion

This LockBit negotiation reveals the brutal nature of ransomware extortion at its highest levels—a complex interplay of intimidation, negotiation tactics, financial realities, and psychological pressure. For victims facing similar situations, understanding these dynamics is crucial for preparing effective responses and mitigating damage.