A new ransomware strain known as Princess Locker has been identified by security experts; the threat demands a ransom fee of 3 Bitcoins.
Princess Locker Ransomware Appears
Security experts have identified a new strain of ransomware that has been named Princess Locker. Some basic information is available about the threat.
The malware encrypts the victim's files like every other ransomware and then appends a random file name extension to each one. A unique ID is associated with each target machine. This ID is then sent to the remote malicious C&C servers.
The generated unique ID can be used by the criminal perpetrators of the malware for different purposes: extortion, botnet recruitment or other similar activities.
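A defender-side heuristic for the appended-extension behavior described above, as an added example that is not from the original article or from any analysis of the malware: it flags a process that renames many files by appending an extension outside an allow-list within a short time window. The event tuple format, the allow-list, the window and threshold values, and all sample events are assumptions constructed for illustration.

```python
from collections import defaultdict

# Extensions treated as ordinary on this host (assumed allow-list, extend as needed).
KNOWN_EXTENSIONS = {"doc", "docx", "xls", "xlsx", "pdf", "jpg", "png", "txt", "bak", "tmp", "zip"}


def appended_suffix(old_name, new_name):
    """Return the suffix if new_name is old_name plus one extra extension, else None."""
    prefix = old_name + "."
    if not new_name.startswith(prefix):
        return None
    suffix = new_name[len(prefix):]
    # Accept a single short alphanumeric token; reject empty or multi-part tails.
    if not suffix or "." in suffix or not suffix.isalnum() or len(suffix) > 10:
        return None
    return suffix.lower()


def find_suspicious_bursts(events, window=60, threshold=5):
    """events: iterable of (timestamp_seconds, process, old_path, new_path).
    Flags a process when at least `threshold` renames that append an unknown
    extension fall inside any `window`-second span; returns {process: [suffixes]}."""
    hits = defaultdict(list)
    for ts, proc, old, new in events:
        suffix = appended_suffix(old, new)
        if suffix and suffix not in KNOWN_EXTENSIONS:
            hits[proc].append((ts, suffix))
    alerts = {}
    for proc, items in hits.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1  # slide the window forward
            if end - start + 1 >= threshold:
                alerts[proc] = sorted({s for _, s in items[start:end + 1]})
                break
    return alerts


# Constructed sample events (hypothetical process names and paths, not from a real incident).
SAMPLE_EVENTS = (
    [(100 + i, "backup.exe", f"C:\\data\\f{i}.doc", f"C:\\data\\f{i}.doc.bak") for i in range(6)]
    + [(200 + i, "unknown.exe", f"C:\\docs\\r{i}.pdf", f"C:\\docs\\r{i}.pdf.qzx1") for i in range(5)]
    + [(300, "editor.exe", "C:\\docs\\draft.txt", "C:\\docs\\final.txt")]
    + [(400 + 500 * i, "sync.exe", f"C:\\s\\n{i}.jpg", f"C:\\s\\n{i}.jpg.part") for i in range(5)]
)
```

Because the check keys on the rename pattern rather than on a fixed extension, it fires whether the appended extension is the same for every file or differs per file.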
Ransom notes are created and displayed to the user. They contain the unique victim ID and links to the anonymous TOR payment sites where the victims can view the payment information. The gateway page looks almost the same as Cerber's language selection screen, which may indicate that the ransomware shares code with the famous virus.
When victims log in to the site, they will see information about the payment such as the amount (the ransom fee requests the sum of 3 Bitcoins), the address, and some frequently asked questions with their respective answers.
The payment gateway site provides the option to decrypt one file for free. At this moment no samples of the ransomware have been used in attack campaigns, so the researchers do not know what targets the attackers will choose. We may even see further changes to the features and behavior of the code.
However, from what we have seen so far, an obvious choice for distribution would be infected email attachments or malicious redirect links to binaries infected with the Princess Locker ransomware. Whatever the case, as there are some indications that it is based on the Cerber code, a decryptor could be made if the cipher is weak enough.