Today we will introduce you to the Princess Locker ransomware so you can see how these infections behave to the end user, and be prepared if you become a victim of it.
For the story, the Princess Locker ransomware was discovered by Michael Gillespie. It encrypts the victim's data and then demands an exorbitant ransom starting at 3 bitcoins (about $1.800 dollars), to hand over a decryptor to the victim. If the payment is not made within the specified time space, then the ransom payment is doubled to 6 bitcoins.
We don't know much about the structure of the Princess Locker, except for some encryption archives and the ransom messages uploaded to ID-Ransomware. From the up to date data, we report that when a person is infected, the ransomware will encrypt the victim's files, then append a random extension to the encrypted files and finally create a unique identifier, different for each victim. Identifier, extension, and encryption are probably sent to the ransomware server.
Ransomware messages contain the victim's ID and links to TOR payment areas where the victim should be logged in to see the payment information.
The Princess Locker payment page is a standard ransomware website without any special features. When the victim enters this site, he will see the logo and the ability to select one of the available 12 languages.
After selecting the language, you will see a login prompt where you must enter the ID given to the ransom note. Once logged in, you will see the main payment page, which contains information such as the amount of the ransom, bitcoin address to send the payment, and ready answers to frequently asked questions.
The payment site also provides the option to decrypt 1 file for free. Unfortunately, since we don't have a sample of the ransomware, and we don't have a computer that we could intentionally infect, we don't know if this feature it works or not.
The whole construction is quite professional. The only thing that may be missing from the payment site is a support page that can cause the victims to contact malware developers !!!. But if this ransomware infects enough people, we should not be surprised to see this possibility.
