Today we will introduce you to the Princess Locker ransomware, so you can see how these infections appear to the end user and be prepared if you become a victim of one.
For the record, the Princess Locker ransomware was discovered by Michael Gillespie. It encrypts the victim's data and then demands a huge ransom of 3 bitcoins (about $1,800) to deliver a decryptor to the victim. If the payment is not made within the specified time, the ransom doubles to 6 bitcoins.
We don't know much about the structure of Princess Locker, apart from a few encrypted files and the ransom notes uploaded to ID-Ransomware. From the data available so far, we can report that when a person is infected, the ransomware encrypts the victim's files, then appends a random extension to the encrypted files, and finally creates a unique identifier that is different for each victim. The identifier, extension, and encryption are probably sent to the ransomware server.
The ransom notes contain the victim's ID and links to TOR payment sites, where the victim has to log in to view the payment details.
The Princess Locker payment page is a standard ransomware website without any special features. When the victim visits this site, they see the logo and the option to select one of the 12 available languages.
After selecting the language, a login prompt appears where the victim must enter the ID given in the ransom note. Once logged in, the victim sees the main payment page, which contains information such as the ransom amount, the bitcoin address to send the payment to, and ready-made answers to frequently asked questions.
The payment site also offers to decrypt 1 file for free. Unfortunately, since we do not have a sample of the ransomware, and we do not have a computer that we could deliberately infect, we do not know whether this feature works or not.
The whole setup looks quite professional. The only thing that might be missing from the payment site is a support page where victims can contact the developers of the malicious software. But if the ransomware in question infects enough people, we shouldn't be surprised to see this feature as well.