{
	"id": "f472e8d5-b2e3-4f2e-a2cf-cb24bb4ca586",
	"created_at": "2026-04-06T00:21:06.977246Z",
	"updated_at": "2026-04-10T03:21:23.660522Z",
	"deleted_at": null,
	"sha1_hash": "a42b4c090f2f3f5a6a5bc9e7f387d0f0bed0b3e9",
	"title": "Negotiating with LockBit: Uncovering the Evolution of Operations and Newly Established Rules",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4171352,
	"plain_text": "Negotiating with LockBit: Uncovering the Evolution of Operations\r\nand Newly Established Rules\r\nBy Anastasia Sentsova\r\nPublished: 2023-11-16 · Archived: 2026-04-05 20:22:35 UTC\r\nContributor: Jon DiMaggio.\r\nIntroduction\r\nWhat defines success for ransomware actors during an attack? Breaching a victim’s network, exfiltrating valuable\r\ndata, and encrypting systems are crucial components. However, the ultimate measurement of success is the actor’s\r\nability to extort a ransom payment, which determines if they achieve their financial goals. Navigating the ransom\r\nnegotiation phase, whether conducted by the victims themselves or designated recovery firms, demands a high\r\nlevel of expertise and a deep understanding of the attackers involved. This includes studying of the threat actor’s\r\nprofile, tactics, and evolving strategies. In this complex landscape, there is no one-size-fits-all playbook for\r\nsuccessfully managing the negotiation phase, as each ransomware group exhibits distinct behaviors and adopts\r\nnew tactics shaped by many factors.\r\nOn October 1, 2023, one of the most sophisticated ransomware syndicates, LockBit 3.0, announced new rules of\r\nnegotiations among the members of the group. These rules were aimed at securing larger ransom amounts and\r\nincreasing the likelihood of payout. This blog uncovers the brief history of LockBit’s rebranding, the evolution of\r\nnegotiations tools and techniques, and the newly established rules. We examined multiple sources, including\r\nnegotiation chat logs and intelligence obtained from open sources and the DarkWeb. Furthermore, our research\r\nincludes an interview with a LockBit representative who shares their perspective on why the change in tactics was\r\nneeded.\r\nRebrand, Repeat: The Brief History of LockBit Transformation\r\nIn September 2019, ransomware group ABCD appeared on the cybercrime scene. 
The name of the group was\r\ngiven by researchers after the file extension “.abcd virus” was identified to be used when encrypting files. After\r\nfour months of operations in January 2020, the group rebranded itself to LockBit, now recognized as one of the\r\nmost notorious ransomware syndicates in existence.\r\nLater in September 2020, the group introduced a data leak site where actors would publish the data stolen from\r\ntheir victims. This adoption of the double extortion technique later became very common among ransomware\r\ngroups and is being used to add pressure on victims during negotiations to this day.\r\nIn June 2021, LockBit embarked on another rebranding endeavor into LockBit 2.0, and the group’s growth\r\ntrajectory gained momentum. According to the group’s announcement, their latest ransomware was promoted to\r\nbe “the fastest encryption software all over the world,” accompanied by “the fastest stealer StealBit,” allowing its\r\naffiliates to download stolen data to its data leak site.\r\nhttps://analyst1.com/blog-negotiating-with-lockbit-uncovering-the-evolution-of-operations-and-newly-established-rules/\r\nPage 1 of 15\n\nFigure 1: LockBit announces new version LockBit 2.0 on its data leak site Source: Analyst1\r\nIn June 2022, LockBit underwent yet another rebranding, evolving into LockBit 3.0. Simultaneously, the group\r\nintroduced the first bug bounty program offering rewards ranging from $1,000 to $1 million USD. Undoubtedly,\r\nthis move was aimed at gaining more publicity and, as a result, recognition from the underground community.\r\nWide presence on the DarkWeb indeed is a distinguishing feature of the LockBit group. 
To this day, the group’s\r\nleadership communicates under the alias LockBitSupp, which actively engages on top-tier DarkWeb forums,\r\ninteracting with both threat actors and members of the cybersecurity community.\r\nThe group’s operational tools and tactics went through a series of changes when compared with the original setup.\r\nUntil approximately September 2020, LockBit required victims to contact them through email provided in the\r\nransom note. Some groups continue to rely on email or secure messaging via Tox for communication.\r\nFigure 2: LockBit’s ransom note in the early days of its operation requiring victims to communicate\r\nthrough email\r\nSource: Analyst1\r\nLockBit transitioned to chat-based negotiations developed on its data leak site to enhance its infrastructure for\r\nmore sophisticated operations. Access details are conveyed to the victim through the ransom note, which is\r\ndelivered after encryption takes place. The following screenshot is a modern-day negotiations chat portal used by\r\nthe actors. The chat negotiation infrastructure provides features such as a “Trial Decrypt,” allowing the victim to\r\ntest the legitimacy of a decryptor for a file of their choice.\r\nFigure 3: LockBit’s modern-day negotiations chat portal\r\nSource: Analyst1\r\nLockBit has forged a reputation for its consistent commitment to improving its technical capabilities and\r\nreinforcing its standing in the Ransomware-as-a-Service (RaaS) domain. 
Despite the rebrand, LockBit’s primary\r\nobjective remained consistent, to enhance its technical capabilities, all aimed to attract its core clientele, the\r\naffiliates.\r\nOperators \u0026 Affiliates: The Intricacy of Relationships or Who Holds the Power of\r\nNegotiations?\r\nThe individuals responsible for breaching a victim’s network are known as affiliates and they partner with\r\nransomware developers (operators) in exchange for a share of the profit. These affiliates play a pivotal role in a\r\ntraditional RaaS model and are essentially the ones who are making this ransomware machine move. To\r\nunderstand LockBit’s operations and negotiation tactics, it is essential to uncover the affiliates’ ecosystem and\r\nrelationship with key group members, the operators. Let’s take a closer look.\r\nDuring the initial months of LockBit’s existence, the group likely operated independently, with little or no\r\ninvolvement of affiliates. It is unclear how many affiliates were in the program rotation at the early stage of\r\nLockBit’s program, but as of today, the group representative claims that it is partnering with hundreds of affiliates\r\nall around the world. “I have hundreds of affiliates working with me now, and all of them are bandits,” said a\r\nLockBit spokesperson in a conversation with Analyst1 earlier this month.\r\nWithin LockBit’s sacred affiliate program, key members maintain distinct relationships with its affiliates, aimed to\r\nprovide them with the best benefits. The terms and conditions are indeed generous especially when it comes to\r\nnegotiations that, by design, are handled by the affiliates themselves. Prior to LockBit, most RaaS operations\r\nhandled ransom payments directly, paying affiliates their share after the victim paid. This left the affiliate\r\nvulnerable, as they were not in control of the finances. 
LockBit follows a different approach, putting the affiliates\r\nin control of the money to eliminate the fear they would not get paid in full. “Rules were always the same,” said\r\nLockBit to Analyst1, indicating that affiliates have always been the ones holding the power of negotiations since\r\nthe beginning of its operation.\r\nTo keep their ransomware machine running and to attract as many affiliates as possible, LockBit utilizes all\r\navailable methods and promotes itself across multiple DarkWeb forums. One of them was RAMP, a forum that\r\nwas launched in 2021, after the official ban of the ransomware topic on top-tier DarkWeb forums such as XSS and\r\nfully dedicated to the ransomware subject. “80/20 share profit with the payment made to your cryptocurrency\r\naddress! Scam excluded! Auto leak to the onion blog through StealBit,” says LockBit in a promotional\r\nmessage for its LockBit 2.0 rebrand on August 19, 2021.\r\nFigure 4: LockBit promotes its affiliate program on RAMP forum on August 19, 2021\r\nSource: Analyst1\r\n“Great product! Probably the best on the market! The only thing that the owner is pretty lazy and releasing\r\ntoo slow. But everything is secure plus you are negotiating and receiving ransom yourself. Feels like you are\r\nusing your own product.” “Orange”, administrator of the forum RAMP.\r\nOrange will be later identified as Mikhail Matveev, a prominent member of the Russian-speaking underground\r\ncommunity, also known for operating under aliases “wazawaka” and “boriselcin”. In May 2023, Mikhail Matveev\r\nwas sanctioned by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) for his\r\nsuspected involvement in multiple ransomware attacks conducted by Hive, LockBit, and Babuk ransomware\r\nsyndicates. \r\n“Thank you for your honest feedback. 
It takes long because we are taking care of the quality of our product\r\nand reputation. We can’t release ESXi locker developed way too fast from openly available source code. We are\r\nbuilding everything from scratch and paying attention to every detail. We are harness horses slowly but ride\r\nfast.” LockBit replies.\r\nFigure 5: Administrators and moderators of the RAMP forum discuss the quality of its product with\r\na LockBit representative and speak highly of its features and great quality on August 19, 2021\r\nSource: Analyst1\r\nAlthough LockBit’s goal is to attract as many affiliates as possible, actors seem to stay on guard to preserve the\r\nintegrity of their infrastructure by maintaining a selective approach when accepting new affiliates into the\r\nprogram. Not all are granted access to the inner workings and join the affiliate program, especially those whom\r\nLockBit suspects to be researchers, media, or law enforcement.\r\nIn September 2021, a notable incident came to public attention in an underground community. An individual\r\noperating under the alias “nitr0x” filed a claim on top-tier DarkWeb forum XSS, accusing LockBit of scamming\r\nthem. According to the message, nitr0x, who claimed to be engaging in breaching entities, expressed interest in\r\njoining the LockBit affiliate program. As proof of the legitimacy of nitr0x’s intention, LockBit requested a\r\nsecurity deposit in the amount of $10,000 USD, plus evidence of a network breach and access to victims’ systems\r\nthey had at that moment. Based on the claim, the entrance to the group was denied, as a security deposit was never\r\npaid back.\r\nIn response to this claim, LockBit asserted that the individual is likely either undercover law enforcement or\r\nresearchers attempting to gain access to the admin panel. 
LockBit’s suspicions stemmed from several red flags\r\nassociated with nitr0x. For example, LockBit stated that nitr0x had limited proficiency in the Russian language\r\nand had a low reputation on the forum.\r\nA conversation between two actors, analyzed by Analyst1, clearly revealed LockBit’s suspicions that the actor\r\nmight be attempting to deceive them. LockBit intentionally mirrored grammatical mistakes made by nitr0x, as\r\nthey would later explain in a forthcoming post. Indeed, proficiency in Russian is a widely recognized rule within\r\nthe Russian-speaking ransomware community and one of the main criteria for acceptance.\r\nFigure 6: An individual operating under the alias nitr0x filed a claim against LockBit on the XSS\r\nforum\r\nSource: Analyst1\r\nCracking Human Vulnerabilities: An Inside Look into Negotiations\r\nTransitioning from the exploitation of technical vulnerabilities within victims’ networks during the initial stages of\r\na ransomware attack, affiliates eventually move on to the negotiation phase, attempting to crack a different kind of\r\nvulnerability: the human one. The negotiation phase is a pivotal part of ransomware attacks. It determines whether\r\nthe actor’s ultimate goal of obtaining a ransom payment will be achieved. The question then becomes how ransom\r\ndemands are determined and who decides how much money to ask for.\r\nTo uncover insights, we analyzed multiple negotiation chats between victims and actors published by Valéry\r\nMarchive, and this is what we learned. Several key factors shape the initial ransom amount demanded by actors.\r\nFirst, the actors always do their homework by investigating the victim’s revenue, leveraging sources such as\r\nZoomInfo or D\u0026B. 
“We know exactly how much money you make,” says a LockBit actor during negotiations with\r\none of the victims in the screenshot below. Furthermore, the presence of cyber insurance and the actor’s ability to\r\nfind it in the victim’s systems plays a significant role when deciding on the ransom amount. The number would\r\nlikely align with the amount for which the victim is insured.\r\nFigure 7: LockBit actors stating that they are aware of the company’s financial standing\r\njustifying the high ransom amount asked\r\nSource: www.ransomch.at\r\nIn addition to revenue and insurance, the sensitivity of the data stolen during the attack might increase the amount.\r\nUnderstanding the penalties that the victim might face in the event of a data leak, the actors use it and apply\r\npressure on the victim through a double extortion technique, threatening to leak the victim’s data in case\r\nnegotiations fail.\r\nFigure 8: LockBit actor threatening to publish stolen victim’s data that might lead to penalties\r\nSource: www.ransomch.at\r\nAdjustments to the ransom amount are possible as negotiations progress. The extent of the damage, for example,\r\nmight dictate whether actors would be willing to lower the price. For instance, in one negotiation, an actor says to\r\nthe victim: “Given that your network was not completely infected, we can drop the price to 1 million USD”. This\r\ntranslates to a discount from $3 million USD down to $1 million USD, which represents a substantial reduction of\r\n65%, mainly due to a limited number of infected endpoints as per the actors.\r\nFigure 9: LockBit actors agree to bring the ransom amount down due to the limited damage they\r\ninflicted on the victim\r\nSource: www.ransomch.at\r\nWhen delving into the intricacies of LockBit negotiations further, one clear theme emerges – inconsistency. 
This\r\ninconsistency is most evident when it comes to determining the amount of the initial ransom demand and any\r\ndiscount actors are willing to give. These amounts vary from one case to another with no clear percentage pattern\r\nobserved. For instance, in one case where a company’s revenue was nearly $700 million USD, the ransom amount\r\nwas set at $5 million USD, with an additional discount of 25% offered. In another case, at the same time, with the\r\ncompany’s revenue standing at nearly $38 million USD, the initial ransom was set at $1.5 million USD, with\r\nactors willing to offer a 30% additional discount.\r\nConsidering that negotiations are being held by affiliates involving multiple individuals (hundreds, as claimed by\r\na LockBit representative), this irregularity is unsurprising. The presence of a high number of affiliates in the group\r\noffers certain advantages to LockBit business; however, it significantly influences the negotiation dynamics.\r\nOrganizing such a vast decentralized group, where each affiliate is free to set their own rules, can make a\r\nconsensus challenging.\r\nThese inconsistencies didn’t escape the attention of LockBit operators, prompting a demand for substantial\r\nchanges.\r\nOctober 2023. LockBit Establishes New Negotiation Rules\r\nManaging a large company demands significant effort, but when it comes to overseeing a group of cybercriminals,\r\nthe scale of effort required is exponentially greater. It became evident for LockBit operators that changes in\r\nnegotiation tactics were imperative to navigate this complex phase effectively and establish a more streamlined\r\nand coordinated strategy.\r\nIn September 2023, LockBit initiated a survey among its group members emphasizing the pressing necessity of\r\nchanges. 
According to their own words, the current approach without any established rules negatively affects\r\nLockBit operations and significantly decreases the likelihood of ransom payouts or considerably lowers its\r\namount.\r\nFigure 10: LockBit raising concerns regarding current ransom amounts and discount approach and\r\nproposing changes (full translation available in Appendix section)\r\nSource: Analyst1\r\nAs per the message, the inconsistency among affiliates in determining ransom amounts is due to the different\r\nlevels of experience of affiliates, as well as their willingness to offer discounts. It created misleading impressions\r\nfor recovery companies who are tracking negotiations and forming their statistics. As a result, in many cases,\r\nnegotiators expect lower ransom amounts and larger discounts that most experienced affiliates are not willing to\r\nprovide, which leads negotiations to fail and communications to end prematurely.\r\n“The experience of affiliate and rank of attacked companies can be quite different from case to case.\r\nOne affiliate might ask ransom of 10% of the company’s yearly turnover, for example, $2 million USD\r\npaid in ransom while revenue is $10 million USD. Another affiliate who is less experienced and\r\ndesperately needs money might accept 0.00005% of yearly revenue. We have cases when companies\r\npaid $100 thousand USD in ransom while their revenue is $2 billion USD.\r\nRecovery companies then put their statistics together and try to repeat their accidental success to\r\nnegotiate lower amounts. It is just luck for them due to the lack of discipline and agreement on the\r\namount of payout inside our affiliate program. 
In my opinion, it affects future negotiations for all the\r\naffiliates, well-experienced ones who have already made a lot of money and those who received a small\r\npayout and are now waiting for a larger one.”\r\nIn response, LockBit operators presented multiple options with different configurations of ransom amounts and\r\npossible discounts for affiliates to vote and choose from. LockBit provided the following choices:\r\n“1. Leave everything as it is. Affiliates establish their own rules with no restrictions, as it always has\r\nbeen.\r\n2. Establish a minimum ransom request depending on the company’s yearly revenue, for example at 3%,\r\nand prohibit discounts of more than 50%. Thus, if the company’s revenue is $100 million USD, the\r\ninitial ransom request should start from $3 million USD with the final payout must be no less than $1.5\r\nmillion USD.\r\n3. Do not apply any restrictions on the minimum amount required as it depends on the damage inflicted\r\non the victim. However, the maximum discount shouldn’t be more than 50%. For example, if the initial\r\nransom is set to be $1 million USD, affiliates can’t accept any payments less than $500 thousand USD.\r\n4. Prohibit any payments less than the amount the victim is insured by if you could find cyber insurance.\r\n5. Prohibit any payments less than 50% of the amount the victim is insured by if you could find cyber\r\ninsurance.\r\n6. Other proposals you have in mind.”\r\nAnalyst1 reached out to LockBit for a comment on the current development. As per LockBit’s response, upon a\r\ncollective decision, the group established new rules requiring all affiliates to follow them starting October 1, 2023.\r\nThis change was necessary due to the inconsistencies in negotiations caused by different levels of experience\r\namong affiliates, LockBit stated. 
They added that affiliates are not permitted to violate the terms of the new rules\r\nin any case.\r\nFigure 11: LockBit response to Analyst1 regarding newly established rules\r\n(full translation available in Appendix section)\r\nSource: Analyst1\r\nBased on the LockBit response, these are the new negotiation rules:\r\n1. Ransom Payment Amount. The final decision on a ransom payment amount is still at the affiliate’s discretion\r\ndepending on their assessment of the damage inflicted on the victim. However, it is recommended to stick to the\r\nfollowing percentages:\r\ncompanies with revenue up to $100 million pay from 3% to 10%\r\ncompanies with revenue up to $1 billion pay from 0.5% to 5%\r\ncompanies with revenue of more than $1 billion pay from 0.1% to 3%\r\n“The ransom amount is still set at your discretion in whatever amount seems fair to you. However,\r\nbased on the study of many successful and profitable deals, when the pentester’s work is done perfectly,\r\na lot of valuable data is downloaded and all backups are destroyed, it is recommended to stick to the\r\nfollowing figures: [above]”\r\n2. Discounts. Discounts greater than 50% of the initial ransom demand are now forbidden. When setting an initial\r\nransom amount, it is suggested to perform an assessment of the probability of payout to determine the amount the\r\nvictim might be willing to pay.\r\n“It is strictly forbidden to discount more than 50% of the originally requested amount in\r\ncorrespondence with the attacked company during the negotiation process. 
For those who have a steely\r\ncharacter, know how to determine the ransom amount that a company will pay with a high probability\r\nand almost never make large discounts please keep this rule in mind and adjust the ransom amount with\r\nthe size of the maximum allowable discount.”\r\nAfter establishing internal rules on October 1, 2023, LockBit made a public statement addressing an incident that\r\ntook place during their negotiation with one of the victims. According to LockBit, CDW, a US IT service provider\r\nthat was claimed to be breached by actors, refused to pay what actors believed to be “adequate money.”\r\n“We published them because, in the negotiation process, a $20 billion company refuses to pay adequate money,”\r\nLockBit said to The Register. “As soon as the timer runs out you will be able to see all the information, the\r\nnegotiations are over and are no longer in progress. We have refused the ridiculous amount offered.”, the actors\r\nadded.\r\nAccording to a threat actor post on the LockBit data leak site, CDW “was able to offer $1,100,000 dollars of the\r\nrequested $80,000,000 dollars.” Based on calculations of the company’s revenue and the initial ransom demanded\r\nby actors, the amount was determined to be 0.0004%. This percentage falls slightly below the established\r\nminimum of 0.5% for companies with revenues exceeding $1 billion USD. It seems the actors took offense at the\r\noffer made by their victim, who offered much less than what the actors had in mind. Apparently, LockBit expects\r\nits victims to follow their new rules, too.\r\nFigure 12: LockBit posted CDW on their leak site threatening to publish stolen data. 
Source:\r\nAnalyst1\r\nConcluding the New Developments\r\nThe ongoing battle between ransomware groups and their potential victims underscores the need to monitor new\r\ndevelopments in this ever-evolving landscape closely. Negotiation is a pivotal, significant event for both victims\r\nand actors among the many phases of ransomware attacks. The difference, however, manifests in the outcome.\r\nWhen negotiations fail, the attackers experience relatively minimal consequences, such as lost time and resources.\r\nThe victims in these, however, face a more significant loss and are left grappling with substantial financial and\r\nreputational damage.\r\nWhen it comes to negotiations, the victim is the sole decision-maker. While entering negotiation and paying a\r\nransom is often considered the least favorable choice, there are instances where the victim might consider this\r\noption to save a business from more substantial damage. Both companies and actors are aware of this dynamic.\r\nActors identify the vulnerabilities they can exploit and strategically leverage them.\r\nLockBit, with its history of numerous attacks on high-profile entities, introduces another layer of complexity with\r\nits internal structure and recent developments in negotiation rules within the group. Understanding this shift is\r\nessential to carefully evaluate the approach to mitigating ransomware attacks if they occur.\r\nThe key takeaway from this analysis is the recognition that each LockBit case can be inherently unique, primarily\r\ndue to the internal organizational structure. One of the most distinguishing factors is that affiliates who are\r\nresponsible for the breach itself are also the ones behind negotiations. What does it mean? 
Every time a negotiator\r\nengages in a new case, they might deal with a different individual.\r\nThe human factor, encompassing psychological nuances and varying experience levels, significantly influences\r\nthe negotiation process. Therefore, affected entities must adapt and navigate these variables effectively to enhance\r\ntheir chances of a successful resolution in the complex landscape of mitigating LockBit attacks.\r\nAnalyst1 continues to monitor the ransomware ecosystem and LockBit’s further development.\r\nAbout Analyst1\r\nThreat intelligence teams often struggle to bridge the gap from insight to action. Analyst1 is the Orchestrated\r\nThreat Intelligence Platform designed to resolve this issue. It automatically organizes threat data, links it to your\r\nassets and vulnerabilities, and customizes views for different roles. Analyst1’s orchestration layer streamlines\r\nworkflows and automates reliable actions by integrating with SIEM, ticketing, and vulnerability management\r\nsystems. From Fortune 500 financial institutions to national security agencies, enterprises trust Analyst1 to unify\r\ntheir defenses, significantly reducing their response time from days to minutes.\r\nAppendix\r\nTranslation. Figure #10\r\nThis is a very important social survey, please read it very carefully and vote.\r\nThe experience of affiliates and the rank of attacked companies can be quite different from case to case. One\r\naffiliate might ask ransom of 10% of the company’s yearly turnover, for example, $2 million USD is paid in\r\nransom while revenue is $10 million USD. Another affiliate who is less experienced and desperately needs money\r\nmight accept 0.00005% of yearly revenue. 
We have cases when companies paid $100 thousand USD in ransom\r\nwhile their revenue is $2 billion USD.\r\nRecovery companies then put their statistics together and try to repeat their accidental success to negotiate lower\r\namounts. It is just luck for them due to the lack of discipline and agreement on the amount of payout inside our\r\naffiliate program. In my opinion, it affects future negotiations for all the affiliates, well-experienced ones who\r\nhave already made a lot of money and those who received a small payout and are now waiting for a larger one.\r\nNew affiliates and those who haven’t made much money often agree to a lower ransom up to 90% of the initially\r\nrequested amount. Because of this, other affiliates are suffering, including those who don’t accept lower amounts.\r\nThese better-experienced affiliates who don’t give large discounts then must deal with recovery companies who\r\nthink it is okay to ask for a 90% cut. Because of all this, deals don’t go through and often fall into two scenarios:\r\naffiliates leaking the victim’s data or negotiators dragging the process for a long time, hoping to get a discount.\r\nThe goal of this survey is to get all of us on the same page and establish new rules of negotiation tactics including\r\ninitial ransom amount and allowed discount percentage.\r\nWe are going to consider every single opinion. New rules are going to help to improve this situation and establish\r\nransom payouts at the highest level possible. You can propose your idea or vote for one of the following solutions:\r\n1. Leave everything as it is. Affiliates establish their own rules with no restrictions, as it always has been.\r\n2. Establish a minimum ransom request depending on the company’s yearly revenue, for example at 3%, and\r\nprohibit discounts of more than 50%. 
Thus, if the company’s revenue is $100 million USD, the initial ransom\r\nrequest should start from 3 million USD with the final payout must be no less than $1,5 million USD.\r\n3. Do not apply any restrictions on the minimum amount required as it depends on the damage inflicted on the\r\nvictim. However, the maximum discount shouldn’t be more than 50%. For example, if the initial ransom is set to be\r\n$1 million USD, affiliates can’t accept any payments less than $500 thousand USD.\r\n4. Prohibit any payments less than the amount the victim is insured by if you could find cyber insurance.\r\n5. Prohibit any payments less than 50% of the amount the victim is insured by if you could find cyber insurance.\r\n6. Other proposals you have in mind.\r\nYour opinion is very important and I’m looking forward to hearing any proposals. If you think that my proposal is\r\nwrong or I missed something, share your ideas on how to maximize our income and continue to build wealth.\r\nTranslation. Figure #11\r\nDue to the fact that newbies or those who urgently need money take relatively small amounts from large\r\ncompanies, less than the figures recommended below, and thus harm other more experienced affiliates and the\r\naffiliate program, creating precedents, on the basis of which recovery companies keep statistics of payments and\r\ntry to get the same small amounts from experienced affiliates, a collective vote was held on the introduction of new\r\nrules. According to the results of the collective voting, based on the majority of votes, it was decided to introduce a\r\nnew mandatory rule, which is strictly forbidden to violate.\r\nThanks to this rule, no one will disturb anyone, and everyone except the recovery companies will be happy. From\r\nOctober 1, 2023, it is strictly forbidden to discount more than 50% of the originally requested amount in\r\ncorrespondence with the attacked company during the negotiation process. 
For those who have a steely character,\r\nknow how to determine the ransom amount that a company will pay with a high probability and almost never\r\nmake large discounts please keep this rule in mind and adjust the ransom amount with the size of the maximum\r\nallowable discount. The ransom amount is still set at your discretion in whatever amount seems fair to you.\r\nHowever, based on the study of many successful and profitable deals, when the pentester’s work is done perfectly,\r\na lot of valuable data is downloaded and all backups are destroyed, it is recommended to stick to the following\r\nfigures:\r\ncompanies with revenue up to $100 million pay from 3% to 10%\r\ncompanies with revenue up to $1 billion pay from 0.5% to 5%\r\ncompanies with revenue of more than $1 billion pay from 0.1% to 3%\r\nPlease strictly follow the rules and try to adhere to the recommendations as much as possible.\r\nSource: https://analyst1.com/blog-negotiating-with-lockbit-uncovering-the-evolution-of-operations-and-newly-established-rules/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://analyst1.com/blog-negotiating-with-lockbit-uncovering-the-evolution-of-operations-and-newly-established-rules/"
	],
	"report_names": [
		"blog-negotiating-with-lockbit-uncovering-the-evolution-of-operations-and-newly-established-rules"
	],
	"threat_actors": [],
	"ts_created_at": 1775434866,
	"ts_updated_at": 1775791283,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a42b4c090f2f3f5a6a5bc9e7f387d0f0bed0b3e9.pdf",
		"text": "https://archive.orkl.eu/a42b4c090f2f3f5a6a5bc9e7f387d0f0bed0b3e9.txt",
		"img": "https://archive.orkl.eu/a42b4c090f2f3f5a6a5bc9e7f387d0f0bed0b3e9.jpg"
	}
}