LockBit3 Chat Log Leak: A Deep Dive into Ransomware Negotiation Tactics

Critical Path Security – Threat Intelligence Report

Date: May 2025
Prepared by: Critical Path Security Research Team


Executive Summary

In a rare and highly consequential breach of operational secrecy, internal chat logs from the LockBit3 ransomware group have been leaked to the public. This unique intelligence provides cybersecurity professionals and defenders with an unparalleled opportunity to examine the internal communications of one of the most prolific ransomware syndicates in recent history.

The Critical Path Security research team analysed more than 4,400 messages exchanged between LockBit affiliates and their victims. This report outlines significant trends in threat actor behaviour, negotiation tactics, and operational cadence, based on detailed analysis of the chat data.


Key Findings

Volume of Communications

A total of 4,423 messages were reviewed, capturing the full breadth of negotiation stages—from initial victim outreach to ransom payment instructions.

Average Ransom Demand

Across the dataset, ransom demands averaged approximately $32,223 CAD, with most communications insisting on Bitcoin as the exclusive method of payment.

Threat Actor and Victim Statistics

  • 208 distinct clients (victims) engaged in chat-based negotiations

  • 35 unique threat actors, with five accounting for the majority of message volume

File Transfers

188 messages involved file attachments, often used to:

  • Demonstrate access to exfiltrated data

  • Provide decryption samples

  • Clarify technical instructions

Operational Timeframes

Chat activity peaked between 11:00 a.m. and 2:00 p.m. UTC, suggesting structured shifts or synchronisation with the victim’s business hours.


Behavioural Analysis

Communication Tone and Method

LockBit3 actors conducted negotiations with a businesslike tone, often beginning with:

  • Offers for test decryption

  • Demands for Bitcoin-based payment

  • Strict file format requirements for proof-of-concept decryption

These interactions were transactional and typically avoided unnecessary intimidation or theatrics.

Dominant Threat Actor IDs

  • Actor ID 25: Engaged in 1,073 messages, leading numerous negotiations

  • Other active IDs included 65, 43, 70, and 12—each involved in over 130 messages

The disproportionate volume from a handful of actors suggests increased skill, higher trust within the syndicate, or broader responsibilities.

Recurring Language Patterns

Phrases such as:

  • “Send correct file”

  • “We accept Bitcoin only”

  • “Upload test files”

...were repeated across multiple conversations, indicating common scripts or standard operating procedures that can inform automated detection systems.


Security Implications

The LockBit3 chat logs offer powerful insight into attacker decision-making, giving defenders and incident responders the opportunity to revise playbooks and enhance threat anticipation. These logs also support:

  1. Behavioural Profiling and Simulation
    Organizations can develop simulations and tabletop exercises that mimic real-world ransomware engagements using authentic communication tactics.

  2. Enhanced Detection Logic
    Recurrent phrases, time-based behaviours, and file exchange patterns can be used to augment behavioural analytics in SIEMs and EDR platforms.

  3. Law Enforcement Support
    Actor IDs, timestamp patterns, and IP metadata embedded in these logs serve as potential leads for attribution and broader takedown efforts.
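
The measures described in this report (per-actor message volume, activity by UTC hour, and phrases that recur across conversations) can be computed as follows. This is an added example, not code from the original report or from Critical Path Security; the record layout and all sample messages are constructed assumptions, since the report does not describe the leak's format.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample records; the field layout is an assumption, not the leak's schema.
# (chat_id, actor_id or None for a victim, ISO-8601 timestamp, text, has_attachment)
SAMPLE = [
    ("c1", 25, "2025-01-10T11:05:00+00:00", "We accept Bitcoin only.", False),
    ("c1", None, "2025-01-10T11:20:00+00:00", "Can you prove decryption works?", False),
    ("c1", 25, "2025-01-10T12:02:00+00:00", "Upload test files, we decrypt them free", False),
    ("c1", None, "2025-01-10T12:30:00+00:00", "Here are two files", True),
    ("c2", 65, "2025-01-11T13:15:00+00:00", "Send correct file. We accept Bitcoin only", False),
    ("c2", None, "2025-01-11T18:40:00+00:00", "We need more time", False),
    ("c3", 25, "2025-01-12T11:45:00+00:00", "Please upload test files first", False),
]

def actor_volume(msgs):
    """Messages per threat-actor ID (victim messages excluded)."""
    return Counter(m[1] for m in msgs if m[1] is not None)

def hourly_activity(msgs):
    """Message count per UTC hour, for spotting shift-like cadence."""
    hours = Counter()
    for m in msgs:
        hours[datetime.fromisoformat(m[2]).astimezone(timezone.utc).hour] += 1
    return hours

def scripted_phrases(msgs, n=3, min_chats=2):
    """Actor word n-grams that recur in at least min_chats distinct chats."""
    seen = defaultdict(set)
    for chat_id, actor, _, text, _ in msgs:
        if actor is None:
            continue  # only actor-side text reflects the operators' scripts
        words = re.findall(r"[a-z0-9']+", text.lower())
        for i in range(len(words) - n + 1):
            seen[" ".join(words[i:i + n])].add(chat_id)
    return {p: len(c) for p, c in seen.items() if len(c) >= min_chats}

def attachment_share(msgs):
    """Fraction of messages that carry a file attachment."""
    return sum(1 for m in msgs if m[4]) / len(msgs)

if __name__ == "__main__":
    print(actor_volume(SAMPLE).most_common(3))
    print(sorted(hourly_activity(SAMPLE).items()))
    print(scripted_phrases(SAMPLE))
    print(round(attachment_share(SAMPLE), 3))
```

Counting a phrase once per conversation, rather than once per message, keeps a single talkative chat from being mistaken for a shared script.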


Conclusion

Technical resilience is necessary, but intelligence-led defence is the future. The LockBit3 leak provides a critical boost to that future, offering defenders the insight required to dismantle the mystique surrounding ransomware operations.

At Critical Path Security, we believe that understanding your adversary is just as important as securing your perimeter. We continue to ingest, analyse, and operationalize threat intelligence across the dark web and criminal infrastructures to help our clients remain ahead of sophisticated threats.


About Critical Path Security

Critical Path Security is a leading cybersecurity provider specializing in threat intelligence, incident response, and continuous protection of critical infrastructure and high-risk industries. With clients across North America and globally, we equip security teams with cutting-edge capabilities and real-time threat intelligence to combat evolving cyber risks.

📧 info@criticalpathsecurity.com
🌐 www.criticalpathsecurity.com