Michael Gillespie has stumbled upon a new piece of ransomware, dubbed Princess Locker. It encrypts its victims' files and then asks for a huge ransom for the decryption key – 3 Bitcoins ($1,800). As if this were not bad enough, if the victim doesn't pay within the specified timeframe, the ransom doubles to 6 Bitcoins.
At this point, the researchers have only seen a couple of files locked by Princess Locker and a few ransom notes uploaded to ID-Ransomware. From what they have discovered so far, when the ransomware infects a victim, it encrypts their data and appends a random extension to each file name. Princess Locker also creates a unique ID for each victim, which is later sent, together with the extension and the encryption data, to the ransomware's C&C server.
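The behaviour described above, many files in a short time receiving the same new, previously unseen extension, is something a defender can look for in file-system audit data. The following is an added example, not code from the article or from any of the researchers it cites: a small heuristic that takes a list of rename events (constructed sample data, embedded inline) and flags any unknown extension applied to a burst of files within a sliding time window. The `RenameEvent` type, the `KNOWN_EXTENSIONS` allow-list, the window and threshold values, and the sample paths are all assumptions chosen for the illustration; it detects the generic pattern, not any specific family.

```python
# Added example (not from the article): a heuristic that flags the pattern
# described above, where many files in a short window receive the same new,
# previously unseen extension. All sample data here is constructed.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class RenameEvent:
    timestamp: float      # seconds since epoch (assumed audit-log field)
    old_path: str
    new_path: str


# Extensions treated as legitimate; anything else counts as "unknown".
# Assumption: a real deployment would load this from an organisational allow-list.
KNOWN_EXTENSIONS = {"txt", "docx", "xlsx", "pdf", "jpg", "png", "zip", "bak", "tmp"}


def extension_of(path: str) -> str:
    """Return the lower-cased final extension of a path, or '' if none."""
    name = path.rsplit("/", 1)[-1]
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[-1].lower()


def looks_random(ext: str) -> bool:
    """Heuristic: alphanumeric, at least 4 characters, and not on the allow-list."""
    return len(ext) >= 4 and ext.isalnum() and ext not in KNOWN_EXTENSIONS


def find_mass_rename_bursts(events, window_seconds=60.0, threshold=10):
    """Return (extension, count, first_ts, last_ts) for every unknown extension
    that was newly applied to at least `threshold` files within `window_seconds`."""
    by_ext = defaultdict(list)
    for ev in events:
        new_ext = extension_of(ev.new_path)
        # Only count renames that *add* an unknown extension to the file.
        if looks_random(new_ext) and new_ext != extension_of(ev.old_path):
            by_ext[new_ext].append(ev.timestamp)

    alerts = []
    for ext, stamps in by_ext.items():
        stamps.sort()
        start = 0
        best = None
        # Sliding window over the sorted timestamps: keep the densest window.
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, stamps[start], stamps[end])
        if best is not None:
            alerts.append((ext, best[0], best[1], best[2]))
    return alerts


def constructed_events():
    """Constructed sample: 12 documents renamed to '.x9q2kf' in about 20 seconds,
    plus two benign renames that must not trigger an alert."""
    events = []
    t0 = 1_700_000_000.0
    for i in range(12):
        events.append(RenameEvent(t0 + i * 1.7,
                                  f"/home/user/docs/report{i}.docx",
                                  f"/home/user/docs/report{i}.docx.x9q2kf"))
    # Allow-listed extension: ignored.
    events.append(RenameEvent(t0 + 5, "/home/user/old.txt", "/home/user/old.txt.bak"))
    # Unknown extension, but a single file well outside the burst: below threshold.
    events.append(RenameEvent(t0 + 900, "/home/user/pic.jpg", "/home/user/pic.jpg.abcd"))
    return events


if __name__ == "__main__":
    for ext, count, first, last in find_mass_rename_bursts(constructed_events()):
        print(f"ALERT: {count} files renamed to .{ext} within {last - first:.1f}s")
```

The threshold and window are deliberately conservative so that a user bulk-renaming a handful of files does not trigger an alert; tuning them against real audit volume, and feeding the detector from whatever rename telemetry an endpoint agent or file-server audit log provides, is the practical part of deploying such a rule.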
The ransom notes contain the newly created ID as well as a link to the Tor-based payment site, where the targeted user is supposed to log in and see more detailed information about the payment. The payment site itself is standard and has no special features. Once a victim loads it, they see a page asking them to select a language to continue. This page is almost an exact copy of Cerber's language selection page.
After selecting a language, victims are asked to log in using the ID they received in the ransom note. Once logged in, they see the actual payment site with the relevant information: the demanded ransom sum, the Bitcoin address, and answers to some frequently asked questions.
The Princess Locker developers also give the victim the opportunity to decrypt one of their files for free, as proof that the decryptor works properly. However, since no samples of this ransomware are available at the moment, the experts cannot confirm whether this feature actually works.
Furthermore, the experts noticed that one important feature is missing from the payment site: a support page, which victims could use to get in touch with the Princess Locker authors. The researchers assume that if the developers start to distribute their threat widely, they will add a support page for contacts as well.