// Context
About This Negotiation
This transcript documents a Trinity ransomware negotiation with 0007.
The negotiation consisted of 36 messages exchanged over an unknown period.
The initial ransom demand was $70,000. The final outcome is not confirmed in the transcript.
// Primary Source
Full Transcript — Verbatim
Reproduced from Casualtek's Ransomchats archive. URLs have been redacted.
Victim names are shown only where the breach was publicly reported in mainstream media. Any organisation wishing their name redacted can contact us at enquiries@binary-response.com — we will act promptly.
[0007] — — Message 1/36
hello
[0007] — — Message 2/36
hello
[trinity] — — Message 3/36
hello
[0007] — — Message 4/36
what do we have to do to access our files ?
[trinity] — — Message 5/36
Please say your network domain
[0007] — — Message 6/36
i sent you email to
[trinity] — — Message 7/36
Yes I see
[0007] — — Message 8/36
what info do you need ?
[trinity] — — Message 9/36
[redacted] ?
[0007] — — Message 10/36
idd
[trinity] — — Message 11/36
your network?
[0007] — — Message 12/36
[redacted] is correct
[trinity] — — Message 13/36
Price for decrypt 70000$ in bitcoin amount
[0007] — — Message 14/36
ok, i'm talking with management
[0007] — — Message 15/36
is there any guarantee that we can decrypt all files ?
[0007] — — Message 16/36
i see the VHDX files are only 3GB and they were much bigger ..
[trinity] — — Message 17/36
We have been working for several years and all our clients have received their key. You can send us up to 10 files for the test decrypt, but these files should not contain important information
[0007] — — Message 18/36
ok, and my VHD files will decrypt as well ? they were +1TB in size and now only 3GB
[trinity] — — Message 19/36
Yes
[trinity] — — Message 20/36
Inside the hard disk these files have normal size
[0007] — — Message 21/36
In order to proceed, my manager requires a due diligence step that protects us from liability, and that is to obtain proof that you have our sensitive files before we can consider payment. For that reason, can you provide the cleartext copy of the "[redacted]_V10_13_8_GP.ZIP" file located in the "C:\Users\Administrator\Downloads" folder on one of the encrypted servers.
[trinity] — — Message 22/36
we don't loan out valuable files for testing for the test send 1-2 files (1-5 mb) not backup and database
[trinity] — — Message 23/36
If you don't pay, we'll put your data on the leak sites. [REDACTED URL] companies/2148689972, and similar sites
[0007] — — Message 24/36
In order to negotiate a resolution, we would require proof of data possession, so we have asked you for a file that does not contain sensitive information (you can verify that in the file itself). We have so far not received any evidence of you possessing cleartext copies of our data. Such evidence allows me to talk to my manager, who will eventually decide on the best course of action, as we have multiple alternatives.
[trinity] — — Message 25/36
We can't provide this file to you.
[0007] — — Message 26/36
Since we cannot show our manager any proof of stolen data, we cannot argue such a high ransom demand. We do have backups which are few weeks old, but I am convinced that our manager would pay a smaller fee for decryption key in order to have the latest data in a much faster way. They are willing to offer you $10.000 for the decryption key.
[trinity] — — Message 27/36
We have already told you the price. The only way you can reduce the final price is to pay today and then we can think about a discount.
[trinity] — — Message 28/36
but 10000$ just a joke for us, you should understand it. We can make discount 10.000$ if you pay today
[0007] — — Message 29/36
I will have to take that offer to my manager. In the meantime, how can you provide proof of having a working decryption key? Can we provide you with an encrypted file and you decrypt it?
[0007] — — Message 30/36
I will have to take that offer to my manager. In the meantime, how can you provide proof of having a working decryption key? Can we provide you with an encrypted file and you decrypt it?
[trinity] — — Message 31/36
Yes, send file here [REDACTED URL]
[trinity] — — Message 32/36
Yes, send file here [REDACTED URL]
[0007] — — Message 33/36
Hereby [REDACTED URL]
[trinity] — — Message 34/36
[REDACTED URL]
[trinity] — — Message 35/36
pass 123
[trinity] — — Message 36/36
You don't use our discount offer. So the price is 70.000$ again. Tomorrow it will rise again.