// Context
About This Negotiation
This transcript documents a trinity ransomware negotiation with 0004.
The negotiation consisted of 170 messages exchanged over Unknown.
The initial ransom demand was $15,000. The final outcome is not confirmed in the transcript.
// Primary Source
Full Transcript — Verbatim
Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.
Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at
enquiries@binary-response.com — we will act promptly.
[0004] — — Message 1/170
Hello, We have a ransomware infection. How do I ㅐ it?
[0004] — — Message 2/170
We have a ransomware infection. What should I do?
[trinity] — — Message 3/170
hello
[trinity] — — Message 4/170
you want to decrypt how many computers?
[0004] — — Message 5/170
Three recovery PCs have been identified.
[0004] — — Message 6/170
We need three recoveries.
[trinity] — — Message 7/170
recovery price 0.5
bitcoin for 1 PC, 3pc=1.5 bitcoin after payment you will receive the
decryption program which will automatically decrypt all files bitcoin
wallet [redacted]
[trinity] — — Message 8/170
when can I expect payment from you?
[0004] — — Message 9/170
The annual sales are
about 600 million won and the net profit is about 30 million won. The
amount you mentioned is the amount we have to collect over five years.
We could go bankrupt. We want to negotiate. Please save our company.
[trinity] — — Message 10/170
we can offer a price for 3pc 1 bitcoin if you pay today
[0004] — — Message 11/170
In terms of dollars, $4500,000 is the profit and $25,000 is the net profit.
[0004] — — Message 12/170
We don't have any
expenses. We only have $10,000 in our bank account. It's a [redacted]
production company, but there's a lot of outstanding money...
[0004] — — Message 13/170
In terms of dollars,
$450,000 is the profit and $25,000 is the net profit. We don't have
any expenses. We only have $10,000 in our bank account. It's a [redacted]
production company, but there's a lot of outstanding money...
[trinity] — — Message 14/170
I've spoken to the management we can accept $15,000 for 1 PC. if you pay at once
[0004] — — Message 15/170
Please lower it a little bit. We need to get a loan and it's tomorrow weekend. Please.
[trinity] — — Message 16/170
$39,000 for 3 PCs final offer we lowered it a little bit like you asked. It's $13,000 for 1 PC.
[0004] — — Message 17/170
Thank you so much.
But we have to get loans as I told you. One can be possible, but we need
a lot of time to recover. Can you spend time?
[trinity] — — Message 18/170
we are waiting for
payment, 0.61 bitcoin to the above wallet. Do not delay the payment
process as we have given you a big discount my boss can cancel the
contract and discount if you delay.
[trinity] — — Message 19/170
bitcoin wallet [redacted]
[trinity] — — Message 20/170
0.61 bitcoin
[0004] — — Message 21/170
As I said, I don't
have money right now. And it's the weekend... I can't even go to the
bank. Finally, give me a discount and plenty of time.
[trinity] — — Message 22/170
All right, we're waiting. but don't drag it out.
[trinity] — — Message 23/170
when can I expect a bitcoin transfer from you?
[0004] — — Message 24/170
[REDACTED URL]
[0004] — — Message 25/170
We are sending you 2 ransomware infected files. Request you to do test recovery.
[0004] — — Message 26/170
[REDACTED URL]
[0004] — — Message 27/170
I'm sorry, but I'd like to recover the two files contained in the url above.
[trinity] — — Message 28/170
ok
[trinity] — — Message 29/170
[trinity] — — Message 30/170
when will you pay after the test?
[trinity] — — Message 31/170
you'll pay right after the test?
[trinity] — — Message 32/170
we're waiting to hear back from you and do a test
[0004] — — Message 33/170
It's difficult because it's the weekend. I need a day or two.
[trinity] — — Message 34/170
[REDACTED URL]
[trinity] — — Message 35/170
[REDACTED URL]
[trinity] — — Message 36/170
[REDACTED URL]
[trinity] — — Message 37/170
we're waiting for payment.
[0004] — — Message 38/170
Data recovery has
been validated. I'd like to ask you a favor. I have 13,000 dollars. So I
would like to restore just one server first this weekend. Can you
recover to 0.018 btc first And two days later, I would like to apply
for a loan from the bank on Monday and restore the other two as well.
[trinity] — — Message 39/170
we negotiated
$39,000 and gave you a discount. fulfill the terms of the agreement you
can wire us $13,000. to lock in the price and the discount today. While
you take the credit, we'll prepare the decryptors. Don't change the
terms of the agreement.
[trinity] — — Message 40/170
[redacted]
[trinity] — — Message 41/170
or we'll refund the original price 0.5 bitcoin per 1 pc.
[trinity] — — Message 42/170
we keep our word and we ask you to keep yours
[0004] — — Message 43/170
It's a little hard to understand. If I send $13,000, will you send me 1 recovery key first?
[trinity] — — Message 44/170
if you send $13,000
we'll start preparing three decryptors for you. but we'll only ship
them to you after you've paid the full $39,000. if you want to restore 1
pc, the price will be 0.5 bitcoin please respect the original
agreements
[trinity] — — Message 45/170
[trinity] — — Message 46/170
show us your intent send $13,000 today
[0004] — — Message 47/170
Please wait a moment. I'm borrowing money now.
[trinity] — — Message 48/170
ok
[0004] — — Message 49/170
[redacted]
[0004] — — Message 50/170
0.61 right?
[trinity] — — Message 51/170
now39000$ 0.62
[trinity] — — Message 52/170
[trinity] — — Message 53/170
bitcoin fell
[0004] — — Message 54/170
Oh... We are preparing 0.61. Please, 0.61 btc.
[trinity] — — Message 55/170
ok pay
[0004] — — Message 56/170
Thank you, I think it will take about an hour or two. How long does it take for us to pay the btc and receive the recovery tool?
[0004] — — Message 57/170
please check money 0.61BTC
[0004] — — Message 58/170
TxID: [redacted]
[0004] — — Message 59/170
TxID: [redacted]
[0004] — — Message 60/170
Sorry TxID: [redacted]
[trinity] — — Message 61/170
send us one file from each of the three computers you want to recover.
[0004] — — Message 62/170
[REDACTED URL]
[0004] — — Message 63/170
[REDACTED URL]
[0004] — — Message 64/170
here file
[trinity] — — Message 65/170
ok
[trinity] — — Message 66/170
Please stand by. the boss will come and we'll send you three decoders.
[0004] — — Message 67/170
ok i'm waiting
[trinity] — — Message 68/170
30-40 min
[0004] — — Message 69/170
ok Thanks
[trinity] — — Message 70/170
before decryption Make copies of important files just in case password :123 run as administrator
[trinity] — — Message 71/170
[REDACTED URL]
[trinity] — — Message 72/170
if you want to decrypt all other files we are ready to make a very big discount. all other PCs for $11,000.
[0004] — — Message 73/170
Can you tell me how to use it?
[trinity] — — Message 74/170
before decryption Make copies of important files just in case
[trinity] — — Message 75/170
unzip
[trinity] — — Message 76/170
password :123
[trinity] — — Message 77/170
run as administrator
[trinity] — — Message 78/170
the program decrypts all files automatically
[0004] — — Message 79/170
The file has been recovered, but it's all broken. I'd like to get the recovery tool again.
[trinity] — — Message 80/170
[REDACTED URL]
[trinity] — — Message 81/170
if some files have not been decrypted send us some files
[0004] — — Message 82/170
Got into trouble. Program keeps turning off during early morning recovery... How do I fix the problem?
[trinity] — — Message 83/170
program shuts down with an error? what do you mean?
[0004] — — Message 84/170
I'm not sure. Only cd drive comes out of the black window and the window disappears
[trinity] — — Message 85/170
are you running as an administrator? Did the files decrypt?
[0004] — — Message 86/170
I decrypt a few and the program just turns off. After that, it just keeps turning off.
[trinity] — — Message 87/170
try changing
compatibility mode right-click on the program properties compatibility
mode and check the box compatibility with windows 7/8
[0004] — — Message 88/170
[REDACTED URL]
[0004] — — Message 89/170
I am sending you the data again from 3 servers. Please send it to the recovery key that has been confirmed to operate normally.
[trinity] — — Message 90/170
Хорошо Пожалуйста, подождите.
[trinity] — — Message 91/170
okay Please stand by.
[trinity] — — Message 92/170
[REDACTED URL]
[trinity] — — Message 93/170
we had no trouble deciphering it. try copying the files to an external drive and run it on another computer.
[trinity] — — Message 94/170
[REDACTED URL]
[0004] — — Message 95/170
I really appreciate the support. Thank you so much. I'll try again.
[trinity] — — Message 96/170
ok
[0004] — — Message 97/170
20 to 30 GB of database corruption... is there a fix?
[trinity] — — Message 98/170
didn't decrypt the files?
[0004] — — Message 99/170
1. It's been restored, but it's damaged. 2. Some materials are not recovered.
[trinity] — — Message 100/170
how big is the file?
[trinity] — — Message 101/170
[REDACTED URL] download here
[trinity] — — Message 102/170
upload the corrupted file here and upload 1 file that was not recovered
[trinity] — — Message 103/170
the .trinitylock is gone?
[0004] — — Message 104/170
I'll let you know
our problem. 1. Some files cannot be recovered 2. Recovered, but the
file does not open We don't know what to do.
[0004] — — Message 105/170
[REDACTED URL]
[0004] — — Message 106/170
I'm sending you 5gb data. Please help.
[0004] — — Message 107/170
please help me
[trinity] — — Message 108/170
waiting please
[0004] — — Message 109/170
ok thanks!!!!!
[trinity] — — Message 110/170
there's a different encryption key you didn't pay for this ID.
[0004] — — Message 111/170
We sent the data from the same computer. Where can I check the key you are talking about?
[0004] — — Message 112/170
We paid for 3 keys,
but we only received 1 recovery key. Shouldn't you give us 2 more keys?
It's only 10% recovery... We can go out of business. Please help
[trinity] — — Message 113/170
so there were network drives This is a different key. Let's decrypt all your computers. if you pay the $13,000.
[trinity] — — Message 114/170
the first time you sent the files [redacted] [redacted] [redacted] [redacted]
[trinity] — — Message 115/170
4 ID we made a decrypter on them.
[trinity] — — Message 116/170
now you've sent files with the ID [redacted]
[trinity] — — Message 117/170
all your ID
[redacted] [redacted] [redacted]
[redacted] [redacted] [redacted]
[redacted] [redacted]
[trinity] — — Message 118/170
you can see the file IDs through the HEX editor, at the end of each file
[trinity] — — Message 119/170
you have to pay extra for other IDs $13,000 and we'll decrypt all your IDs. same wallet
[0004] — — Message 120/170
[REDACTED URL]
[0004] — — Message 121/170
We don't know how to look at it. Can I test this? And please let me know your ID for this.
[trinity] — — Message 122/170
[redacted].zip.trinitylock [redacted]
[trinity] — — Message 123/170
[redacted]_LIST_202403.zip.trinitylock [redacted]
[trinity] — — Message 124/170
you'll have to pay extra for another ID we'll make a decrypter
[0004] — — Message 125/170
Is it the same ID as the 5g we sent you?
[0004] — — Message 126/170
[redacted]
For this, I would like to restore only one. Can you give me a quarter
of a dollar And I'd like to test the zip file.
[trinity] — — Message 127/170
13000$ 1 ID
[trinity] — — Message 128/170
Is it the same ID as the 5g we sent you? YES [redacted]
[0004] — — Message 129/170
1id? Aren't you
going to give me all the rest of the keys? We hope to lower the cost
further. Please, I really don't have any money...
[trinity] — — Message 130/170
13000$ all ID
[trinity] — — Message 131/170
0.22 btc
[0004] — — Message 132/170
We really don't have any money, so we have to save it. I can get it tomorrow. Please give me a little discount one more time.
[trinity] — — Message 133/170
13000$ for all id
[0004] — — Message 134/170
We are borrowing money again. But $13000 is too much. Is $8000 possible? Please
[trinity] — — Message 135/170
price 13000$
[0004] — — Message 136/170
How many coins is 13000 dollars?
[trinity] — — Message 137/170
0.21
[trinity] — — Message 138/170
[redacted]
[0004] — — Message 139/170
please check money 0.21BTC
[trinity] — — Message 140/170
Please stand by.
[trinity] — — Message 141/170
send 2 files from each PC you want to recover
[0004] — — Message 142/170
[REDACTED URL] One is the file I sent you
[trinity] — — Message 143/170
Please stand by.
[0004] — — Message 144/170
[REDACTED URL]
[0004] — — Message 145/170
here all file
[trinity] — — Message 146/170
ok
[0004] — — Message 147/170
How long will it take?
[trinity] — — Message 148/170
waiting boss
[trinity] — — Message 149/170
[REDACTED URL]
[trinity] — — Message 150/170
Sorry for delay
[trinity] — — Message 151/170
password:123
[0004] — — Message 152/170
[REDACTED URL] We can't even restore it. Please tell me how to do this.
[trinity] — — Message 153/170
min
[trinity] — — Message 154/170
Please stand by.
[0004] — — Message 155/170
How long will it take?
[trinity] — — Message 156/170
waiting boss
[0004] — — Message 157/170
We'll wait.
[trinity] — — Message 158/170
Sorry for delay
[0004] — — Message 159/170
Not yet? How much longer do I have to wait... Please help.
[trinity] — — Message 160/170
Sorry for delay waiting please
[0004] — — Message 161/170
ok
[0004] — — Message 162/170
please help me
[0004] — — Message 163/170
I can't recover it, what should I do?
[trinity] — — Message 164/170
Sorry for delay waiting please
[trinity] — — Message 165/170
how many files didn't decrypt?
[trinity] — — Message 166/170
how many files didn't decrypt?
[0004] — — Message 167/170
90% Unrecoverable
[trinity] — — Message 168/170
90 percent of only 1 ID? Did the other IDs decrypt normally?
[trinity] — — Message 169/170
?
[trinity] — — Message 170/170