Negotiating with Ransomware Gangs

Last updated on June 7th, 2023 at 03:56 am

A decorative AI generated image of a man in a business suit looking warily at a hacker in a hoodie who is extending his hand as if he wants to make a deal.
Image generated using Midjourney. Prompt: A business man in a suit negotiating with a hacker wearing a hoodie, bright colors, glitch effect

Valéry Marchive, a cybersecurity journalist, has published chat logs of negotiations between ransomware gangs and their victims. The goal, he explained in a Twitter thread, is to provide a resource for ransomware victims and researchers, since “What happens during #ransomware negotiations is rarely widely shared.”

Background to the chats

The chats take place after companies discover all their important files are encrypted and inaccessible. A ransom note is left on infected machines, instructing victims to contact the gang and buy a decryptor to regain access to their files.

The ransom note often warns that the gang will publish the company’s data on the dark web if they don’t buy a decryptor. You can see ransom notes left by a wide variety of gangs over at Zscaler Threat Lab’s GitHub repository.

After following the instructions to contact the ransomware gang, victims must then negotiate a price for the decryptor and the deletion of their stolen data.

Reaching an agreement 

The ransomware negotiations are often more civil than you might expect. For example, the chat between Mountlocker and one of its victims went relatively smoothly. 

The ransomware group did view its victim’s first offer of a $1 million ransom “as an insult” compared to their initial demand of $9 million. However, after some back and forth, the victim made an offer of $4,110,500, which the cybercriminals accepted. 

Of course, negotiations do not always go smoothly. One of LockBit 3.0’s victims was attempting to get approval for a higher ransom payment from the company’s board when the gang posted the company on its leak site. 

Two mud covered hands strike each other.
Photo ID: 43735653 © Rangizzz/

The victim was not happy with this development, writing, “Remove the f****** post and I will try to save this on Monday but I am literally not promising anything.” 

While LockBit 3.0 previously looked like it was considering settling near the 3 million mark, it then retaliated by upping the price to 5 million: “ufter [sic] using “f******” your price is 5 million and it’s your last price.”

Sometimes, impostors crash the negotiation chats, adding chaos to the proceedings. In one such negotiation with Darkside, the “victim” suddenly started uploading files. When the gang asked, “What is this?” they replied, “It’s you sucking d***.” The impostor then continued their rude shenanigans by posting a penis emoji. 

The real victim was understandably annoyed, writing, “whoever else is typing and sending this nonsense please stop. Our system is corrupted and we are paying to this person and need help so please don’t disturb us.” 

Upon hearing this, the impostor had some advice: “don’t pay them money.” The victim did not heed the advice, however, noting, “we have to pay our system is corrupted and need to restart our work.”

While in this case, the victim wanted to pay the ransom to regain access to their files, in other cases victims pay to avoid the fallout of a data breach. 

An image of open documents with "the following text in a dialogue box: "Data breach. Something went wrong. Please try again."
Photo ID: 107782668 © Rawpixel/

For example, a representative for one of Babuk’s victims asked the ransomware gang to remove the post about the company from the leak site during negotiations. They explained that doing so would “prevent the company from having to move on with legal procedures, which they are legally compelled to follow if they have notice of a data breach.” The representative added, even more explicitly, “if you delete that post, there will no longer be any evidence, and they will be able to avoid this.” 

However, covering up a data breach is never a good plan. Joe Sullivan, former Chief Security Officer at Uber, paid two hackers hush money after they accessed customer and driver data and failed to report their attack to the Federal Trade Commission. He was later convicted of two charges relating to his handling of the incident.

Problems paying the ransom

A person holding a phone with the Bitcoin logo on it and a credit card.
Photo ID: 187454742 © Joykid/

The chats also reveal that arranging payment after agreeing on a ransom can be challenging.

One Hive victim’s bank was suspicious of a $275,000 transfer made to cryptocurrency exchange Coinbase as part of the ransom payment. The victim reported to Hive that their bank was “asking a lot of questions because they say these types of transfers are related to fraud.” However, they assured the cybercriminals, “I’m telling them that I’m investing in bitcoin, so it should be okay.”

The same Darkside victim who dealt with a crass impostor in the negotiation chat later experienced difficulties paying the ransom. They reported receiving a “‘Transaction Server Response’ Failed” error message when trying to transfer Bitcoin to the cybercriminal’s crypto wallet.

The Babuk victim who wanted to pay the ransom to cover up their data breach also suffered from crypto-related difficulties. They used Revolut to purchase $85,000 worth of Bitcoin but reported they could “not move it to an external wallet ( out the revolut platform ).” In other words, they couldn’t send the Bitcoin they bought on the platform to the ransomware gang at all.

The takeaway

The ransomware chats make for interesting reading. They provide insight into how both companies and cybercriminals react to a tense situation and highlight problems they run into.

Companies who fall victim to ransomware should not, however, rush to pay the ransom. Ransomware gangs are criminal organizations, so there’s no guarantee companies will regain access to their files or that the gangs will delete the stolen data if they pay the ransom. Plus, if an organization gets a reputation for paying, it will make itself a target for future attacks.

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *