Princess Locker targets Windows OS, and its current method of distribution is unknown. It appends a random extension to encrypted files and creates a unique victim ID. Princess Locker creates and displays ransom notes named !_HOW_TO_RESTORE_[extension].TXT and !_HOW_TO_RESTORE_[extension].html. Victims must use Tor to reach the payment site, which allows them to decrypt one file for free. The ransom payment demand is 3 Bitcoin.
UPDATE 2/16/2017: A new version drops a ransom note named @_USE_TO_FIX_JJnY.txt.
UPDATE 8/31/2017: A new malvertising campaign is spreading Princess Locker/PrincessLocker ransomware using the RIG exploit kit. The version in this campaign drops a ransom note named _USE_TO_REPAIR_[random ID].html and demands a ransom payment of 0.077 Bitcoin.
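
The ransom note names listed in this entry can be used as a triage indicator over a file listing. The following is an added example, not part of the original entry: it matches the three naming schemes and, for each token found in a note name, counts files carrying that token as their extension (the entry states that link only for the original scheme). The token character class, the variant labels and the sample paths are constructed assumptions.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Note-name schemes from the entry above. The token class [A-Za-z0-9]+ is an
# assumption: the entry only describes the extension/ID as random.
NOTE_PATTERNS = [
    ("original", re.compile(r"^!_HOW_TO_RESTORE_([A-Za-z0-9]+)\.(?:txt|html)$", re.I)),
    ("2017-02-16", re.compile(r"^@_USE_TO_FIX_([A-Za-z0-9]+)\.txt$", re.I)),
    ("2017-08-31", re.compile(r"^_USE_TO_REPAIR_([A-Za-z0-9]+)\.html$", re.I)),
]

# Constructed file listing (not from a real host).
SAMPLE = [
    r"C:\Users\a\Documents\report.docx.xk3pq",
    r"C:\Users\a\Documents\budget.xlsx.xk3pq",
    r"C:\Users\a\Documents\!_HOW_TO_RESTORE_xk3pq.TXT",
    r"C:\Users\a\Documents\!_HOW_TO_RESTORE_xk3pq.html",
    r"C:\Users\a\Desktop\_USE_TO_REPAIR_Ab12Cd.html",
    r"C:\Users\a\Desktop\HOW_TO_RESTORE_notes.txt",  # benign lookalike
    r"C:\Users\a\Pictures\photo.jpg",
]

def classify_note(path):
    """Return (variant, token) if the file name matches a note scheme, else None."""
    name = PureWindowsPath(path).name
    for variant, rx in NOTE_PATTERNS:
        m = rx.match(name)
        if m:
            return variant, m.group(1)
    return None

def triage(paths):
    """Group note hits by token and count files whose extension equals it."""
    ext_counts = Counter(PureWindowsPath(p).suffix[1:].lower() for p in paths)
    findings = {}
    for p in paths:
        hit = classify_note(p)
        if hit is None:
            continue
        variant, token = hit
        f = findings.setdefault(token, {"variants": set(), "notes": 0})
        f["variants"].add(variant)
        f["notes"] += 1
        # Extensions are compared case-insensitively, as Windows does.
        f["files_with_ext"] = ext_counts[token.lower()]
    return findings

if __name__ == "__main__":
    for token, info in triage(SAMPLE).items():
        print(token, info)
```

A note hit together with a non-zero files_with_ext count is a stronger signal than a note name alone, since it shows files already carrying the appended extension.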