Getting to know the Princess Locker ransomware

Today we introduce the Princess Locker ransomware, so you can see how an infection like this appears to the end user and be prepared if you become a victim of it.


For the record, the Princess Locker ransomware was discovered by Michael Gillespie. It encrypts the victim's data and then demands an exorbitant ransom, starting at 3 bitcoins (about $1,800), to hand over a decryptor to the victim. If the payment is not made within the specified time, the ransom is doubled to 6 bitcoins.

We do not know much about the structure of Princess Locker, apart from some encrypted files and ransom notes that have been uploaded to ID-Ransomware. From the data available so far, when a person is infected, the ransomware encrypts the victim's files, appends a random extension to the encrypted files, and finally creates a unique identifier that is different for each victim. The identifier, the extension, and the encryption details are probably sent to the ransomware server.


The ransom notes contain the victim's ID and links to TOR payment sites, where the victim must log in to see the payment information.

The Princess Locker payment site is a standard ransomware site with no special features. When the victim visits this site, they are first offered a choice of one of the 12 available languages.


After the victim selects a language, a prompt appears where they must enter the ID given to them in the ransom note. Once logged in, they see the main payment page, which contains information such as the ransom amount, the bitcoin address to send the payment to, and ready-made answers to frequently asked questions.


The payment website also offers to decrypt one file free of charge. Unfortunately, since we don't have a sample of the ransomware, and we don't have a computer that we could intentionally infect, we don't know whether this feature works.


The whole setup is quite professional. The only thing that may be missing from the payment site is a support page through which victims could contact the malware developers! But if this ransomware infects enough people, we should not be surprised to see that added.


Written by Dimitris
