Researchers have discovered that last year’s (2016) ransomware have crawled its way again to the cyber-world – PrincessLocker Ransomware.

The PrincessLocker Ransomware was first discovered on September 2016 as a light-threat ransomware. It was first discovered on darkweb forums. Princess Locker encrypts a victim’s data and then demands a large ransom amount of 3 bitcoins, or approximately $1,800 USD, to purchase a decryptor. If payment is not made in the specified timeframe, then the ransom payment doubles to 6 bitcoins.

Ransomware is a type of malware that prevents or limits users from accessing their system, either by locking the system’s screen or by locking the users’ files unless a ransom is paid. More modern ransomware families, collectively categorized as crypto-ransomware, encrypt certain file types on infected systems and forces users to pay the ransom through certain online payment methods to get a decrypt key.

The PrincessLocker ransomware is being distributed via a highly automated exploit kit called RIG. Exploit kits function by placing attack software on websites.

The said ransomware spreads wherein attackers try to lure victims to the sites, where their browsers get pummeled via drive-by attacks designed to exploit known vulnerabilities in browsers and browser plug-ins.

The ultimate call to the RIG exploit kit landing page is done via a standard 302 redirect leading to one of several Internet Explorer (CVE-2013-2551, CVE-2014-6332, CVE-2015-2419, CVE-2016-0189) or Flash Player (CVE-2015-8651) vulnerabilities.

Once the exploitation phase is successful, RIG downloads and runs the Princess Ransomware. The infected user will notice that their files are encrypted and display a new extension. The ransom note is called _USE_TO_REPAIR_[a-zA-Z0-9].html where [a-zA-Z0-9] is a random identifier.

The following image is an example of the displayed new extension:

Princess locker ransomware

Still, it is not yet clear how widespread PrincessLocker infections might be. However, users are strongly advised to avoid visiting unknown websites and precariously follow hyperlinks.

Additionally, browsers and browser plug-in developers should focus on eliminating the vulnerabilities, for these play a vital role for the effectiveness of ransomware such as PrincessLocker. Exploiting these flaws in that software would potentially give attackers full control of the machine, including the ability to install additional malware. As usual, infected users are urged not to pay the demanded ransoms.


Manny Cuevas

My name is Manny Cuevas a Security Researcher / Engineer for about 15 years that focuses on Web and Mobile applications and other platforms from the Island of Sulu, Philippines. I’m also a scientist, inventor and a top ranked hacker in the world that bypass all security systems.


Leave a Reply

Your email address will not be published. Required fields are marked *