Princess Locker

Princess Locker targets Windows, and its method of distribution is currently unknown. It appends a random extension to encrypted files and creates a unique victim ID. It creates and displays ransom notes named !_HOW_TO_RESTORE_[extension].TXT and !_HOW_TO_RESTORE_[extension].html. Victims must use Tor to reach the payment site, which allows them to decrypt one file for free. The ransom payment demand is 3 Bitcoin.

UPDATE 2/16/2017: A new version drops a ransom note named @_USE_TO_FIX_JJnY.txt.

UPDATE 8/31/2017: A new malvertising campaign is spreading Princess Locker/PrincessLocker ransomware using the RIG exploit kit. The version in this campaign drops a ransom note named _USE_TO_REPAIR_[random ID].html and demands a ransom payment of 0.077 Bitcoin.

UPDATE 8/15/2018: A new version, dubbed Princess Evolution, is being marketed on the dark web as ransomware-as-a-service (RaaS). This version creates three ransom notes in each folder, named (_H0W_TO_REC0VER_[extension].url, (_H0W_TO_REC0VER_[extension].txt, and (_H0W_TO_REC0VER_[extension].html. At the time of writing, there is no free decryption tool available for Princess Evolution.

  • Bleeping Computer provides more information about Princess Locker.
  • An independent security researcher provides a free decryption tool for Princess Locker.
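
A defender-side triage sketch built from the ransom note names in this entry, added here as an example and not taken from the original page or any vendor tool: it classifies paths from a file listing by Princess Locker version and, where the note name embeds the extension, collects the files carrying that extension. The function names, the sample paths, and the assumption that the random part of each name is alphanumeric are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Assumption: "[extension]" / "[random ID]" are alphanumeric; the entry gives no alphabet or length.
RAND = r"(?P<tag>[A-Za-z0-9]+)"

# (version label, pattern) pairs; every fixed name fragment is copied from the entry.
NOTE_PATTERNS = [
    ("original", re.compile(rf"^!_HOW_TO_RESTORE_{RAND}\.(?:txt|html)$", re.I)),
    # The entry shows one literal name (@_USE_TO_FIX_JJnY.txt); treating "JJnY" as variable is an assumption.
    ("2/16/2017 update", re.compile(rf"^@_USE_TO_FIX_{RAND}\.txt$", re.I)),
    ("8/31/2017 RIG campaign", re.compile(rf"^_USE_TO_REPAIR_{RAND}\.html$", re.I)),
    ("Princess Evolution", re.compile(rf"^\(_H0W_TO_REC0VER_{RAND}\.(?:url|txt|html)$", re.I)),
]
# Versions whose note name carries the "[extension]" placeholder in the entry.
TAG_IS_EXTENSION = {"original", "Princess Evolution"}

def classify_note(path):
    """Return (version, random tag) if the file name matches a known note name, else None."""
    name = PureWindowsPath(path).name
    for version, pattern in NOTE_PATTERNS:
        match = pattern.match(name)
        if match:
            return version, match.group("tag")
    return None

def triage(paths):
    """Group note hits by (version, tag) and attach files that end in the tag as an extension."""
    hits = {}
    for p in paths:
        key = classify_note(p)
        if key:
            hits.setdefault(key, {"notes": [], "encrypted": []})["notes"].append(p)
    for (version, tag), record in hits.items():
        if version in TAG_IS_EXTENSION:
            suffix = "." + tag.lower()
            record["encrypted"] = [p for p in paths
                                   if p.lower().endswith(suffix) and classify_note(p) is None]
    return hits

# Constructed sample listing (not real incident data).
SAMPLE = [
    r"C:\Users\a\Documents\!_HOW_TO_RESTORE_k3xq.TXT",
    r"C:\Users\a\Documents\!_HOW_TO_RESTORE_k3xq.html",
    r"C:\Users\a\Documents\budget.xlsx.k3xq",
    r"C:\Users\a\Pictures\cat.jpg.k3xq",
    r"C:\Users\a\Desktop\_USE_TO_REPAIR_9f2Ab.html",
    r"C:\Users\a\Desktop\HOW_TO_RESTORE_notes.txt",  # benign look-alike, must not match
]

if __name__ == "__main__":
    for key, record in triage(SAMPLE).items():
        print(key, len(record["notes"]), "note(s),", len(record["encrypted"]), "encrypted file(s)")
```
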