Exposed: How ransom gang Lockbit negotiates payments

Source: https://ia.acs.org.au/article/2025/exposed–how-ransom-gang-lockbit-negotiates-payments.html

“Don’t go to the police or the FBI for help and don’t tell anyone that we attacked you.”

That’s how ransomware gang Lockbit greets its victims.

In ransom notes left on compromised systems, the Russia-linked group directs its targets to a “secret chat” link where it promises to restore their sensitive data – for a price.

“[The police] will forbid you from paying the ransom and will not help you in any way,” one note read.

“You will be left with encrypted files and your business will die.

“Write to the chat room and wait for an answer, we’ll guarantee a response from us.”

Those who follow the link are ushered into private chatrooms where Lockbit operatives negotiate ransoms, provide file decryption instructions, and collect thousands in illicit cryptocurrency payments.

While Lockbit promises anonymity to its payers, a recent dark web data leak exposed the gang’s infrastructure – including Bitcoin wallet addresses, member credentials, and a trove of ransom chat logs.

Information Age reviewed 12 of these leaked chats and found Lockbit not only secured payments of up to $87,500, but ran its extortion operations with a surprisingly systematic, helpdesk-like approach.



The page Lockbit directs its victims to for “secret chats”. Photo: Supplied

Business as usual

Lockbit operatives tend to guide conversations through what appears to be a predefined chat process.

They first provide proof they can restore the victim’s encrypted files, then present a ransom demand, negotiate the price, collect payment and finally send the victim a decryption tool.

While the order of these steps varies between chatrooms, agents generally stick to a consistent chat flow which, in five of the 12 cases, ends with a successful ransom payment.

Lockbit’s chats appear to be conducted by the gang’s affiliates – members who take a cut of any ransom they extract under the gang’s ‘ransomware-as-a-service’ model.

Notably, these affiliates frequently allude to internal roles within the operation, such as dedicated “tech support” to assist with decryption, as well as specific “rules” companies are expected to follow during negotiations.

“We have rules. Full file tree is [not] disclosed information before payment,” one chat reads.

“We follow the rules strictly, you can read our affiliate program,” reads another.

At times, Lockbit’s tone is notably casual with members speaking as though they are simply clocking in at work.

“If you want to pay, please do it as soon as possible because I need to take a lunch break,” one hacker writes.

“Whether you pay or not, I don’t care. I love my job and have money,” said another.



The desktop of an affiliate was revealed. Photo: Supplied

In some cases where victims struggle to use the gang’s decryption tool after payment, Lockbit agents either offer direct guidance or escalate the issue to an internal team.

“There are too many materials that cannot be recovered, why are you doing this?” asks a victim who had paid approximately $6,000 in Bitcoin.

“One moment, I will talk to tech team, they will assist you,” the agent replies, before eventually providing technical instructions.

Jamieson O’Reilly, founder of Australian information security company Dvuln, explains Lockbit’s consistent procedures and support-like approach suggest the gang handles a high volume of ransom traffic.

“It’s interesting what you can infer from simple text on a screen,” says O’Reilly.

“I noticed some of the responses were void of any emotion, almost like they were unfazed. No attitude, just cold, transactional replies.

“In my experience running thousands of social engineering attacks against human targets, you don’t get that kind of detachment unless you’ve run that playbook hundreds of times.”

Test it for yourself

Before entertaining a ransom payment, Lockbit insists victims use its “free test decryption” service to prove it can restore encrypted files.

Victims can test that their files can be restored using the decryptor on this page. Image: Supplied.

In 11 out of 12 leaked chats, victims use Lockbit’s test decryption by sending some of their encrypted files to the gang, which Lockbit sends back unencrypted as “proof” their decryptor works as promised.

In some cases, Lockbit agents actively push the test decryption ‘service’ even when victims don’t ask for it.

“It is not necessary to test with a file. We trust you. We made a security mistake. Please tell us how we proceed so we can recover all the information,” one victim says.

“The total weight of the files we have is approximately 35 gigabytes. To prove that our decryption tool works properly we can decrypt few random files for FREE, just send them to us,” the agent replies.

Speaking with Information Age, Evan Vougdis, cyber director at Sydney-based cybersecurity firm NSB Cyber, explains Lockbit’s focus on proving its decryption tool works could be a tactic to build up trust.

“Whilst it may be unusual to think about ‘client experience’ with respect to a ransomware negotiation, this is something that ransomware negotiators consider when providing advice to their clients,” he says.

“Simply put: Can I put trust in this ransomware group – to the extent you can trust a cybercriminal organisation – to do right by me as the victim?”

Notably, some clients appear more trustful after testing Lockbit’s decryption.

“Well, we trust you. Payment will be made today,” one victim writes.

Time to negotiate

Pricing negotiations occur in eight out of the 12 chats analysed by Information Age, with Lockbit frequently conceding to “discounts” ranging from five to 70 per cent.

Much time is spent negotiating the amount to be paid. Image: Supplied

Victims spend the bulk of their time in this negotiation phase, with chats lasting anywhere between a few days to a few weeks.

In one four-day long chat, a victim secures a 37.5 per cent discount on an initial ransom demand of $140,000 (€80,000).

Lockbit’s agent initially resists, citing financial research they’d performed on the victim’s business.

“I saw your financial report, our price is not big for you,” the agent says.

The victim, however, pushes back, calling the demand “far beyond” their financial capability.

After days of back-and-forth negotiations, Lockbit ultimately accepts $87,500 (€50,000), paid in Bitcoin.

Not all negotiations ended successfully, however: in one instance, a Lockbit agent revokes a 10 per cent discount after their victim attempts to haggle further, and in another, the gang refuses to negotiate despite risking an employee’s livelihood.

“I am just an IT guy working in the company,” the employee writes.

“My family depends upon my job… my company will file a legal case and terminate me.”

Vougdis tells Information Age most ransomware groups ultimately “will offer discounts” given their “primary motivation, in most cases, is a financial one”.

“If a demand is $1,000,000 and the victim is firmly only willing to pay half the amount, it is unlikely they will turn it down,” he says.

Indeed, Lockbit refuses to negotiate in just two of the 12 leaked chats, while some agents even use time-sensitive discounts as a pressure tactic to drive reckless, same-day payments.

Vougdis, who has been involved in other ransom negotiations on behalf of clients at NSB Cyber, says his company has seen a rolling average of 48.75 per cent discounts from initial ransom demands.

Cashing in and cleaning up

Out of the 12 chats, five victims pay ransoms ranging from approximately $2,000 to $87,500, while some even thank their extortionists for the experience.

“I ran the [ransomware decryptor] again and finally processed the data. Thank you very much,” writes one victim.

Five others are unable to reach an agreeable price during negotiations, while two others disengage from the chat without attempting to negotiate whatsoever.

If a victim agrees to pay, the agent provides them Lockbit’s Bitcoin payment details and waits to confirm receipt of payment.

Lockbit instructs victims how to pay using Bitcoin. Image: Supplied

Agents then liaise with Lockbit’s “tech team” to acquire a decryptor and forward it to the victim.

As far as the chat logs suggest, four of the five victims who paid a ransom go on to successfully decrypt their files – while one chat moves to a third-party chat platform where Lockbit promises to send further “instructions”.

After payment, chat operatives typically offer helpdesk-like support to ensure the decryptor restores the victim’s files, though O’Reilly explains the hackers aren’t acting out of kindness.

“Friendly chats aren’t about goodwill in my opinion, more so they’re about reputation,” he says.

“LockBit, like other top-tier groups, knows they’re running a ‘marketplace trust’ model.

“If word gets out that they don’t deliver after payment, they lose credibility, and their entire extortion economy takes a hit.”

Lockbit hacked, but on the mend

Lockbit played a role in nearly one fifth of reported Australian ransomware incidents between 1 April 2022 and 31 March 2023.

Although the gang has suffered constant law enforcement pressure and sanctions against its members, it has remained a highly active threat in recent months.

Lockbit’s ransom operations came to a halt in early May, however, when an anonymous hacker leaked one of the gang’s databases to the dark web.

In addition to exposing the gang’s infrastructure, the hacker replaced Lockbit’s website with the message “Don’t do crime, CRIME IS BAD, xoxo from Prague”.

The message left by LockBit’s hackers. Image: Supplied

At the time of writing, portions of Lockbit’s blog have been offline for nearly three weeks, and no new data leak victims have been published since 7 May.

Disgruntled Lockbit admins have meanwhile placed a bounty on the hacker responsible.

“Give me info for who he is, I’ll pay money if the info is real,” a Lockbit member reportedly wrote on Telegram.

Even though Lockbit claims to decrypt the files of its paying victims, the Australian Cyber Security Centre (ACSC) maintains victims should “never pay a ransom”.

“There is no guarantee you will regain access to your information, nor prevent it from being sold or leaked online,” ACSC advises.

Furthermore, the UK’s National Crime Agency (NCA) found in 2024 Lockbit held onto the data of some victims even after the gang received payments to delete it.

From 30 May, new ransomware reporting obligations introduced under Australia’s first Cyber Security Act will require businesses with an annual turnover exceeding $3 million to disclose payments they make to ransomware criminals – an initiative O’Reilly says will give the government “a clearer picture of just how bad things are”.

“Right now, most victims just want it over and done with quietly,” he says.

“That’s not changing unless we shift the whole incentive structure
