
Princess Ransomware

Posted: June 28, 2018

The Princess Ransomware is a file-locking Trojan that encrypts the local media of your PC and holds it hostage until you pay a Bitcoin ransom. Its symptoms also include randomizing the extensions of these files and dropping multiple copies of its ransom instructions in different locations, such as the desktop. Let your anti-malware products remove the Princess Ransomware from an infected PC, and keep backups on another computer for the safest and easiest data recovery from an attack.

A Royal Problem for Your File System

Independent researchers recently brought attention to a new Ransomware-as-a-Service (RaaS) campaign, which its threat actors are marketing on black hat Web forums. This Trojan, the Princess Ransomware (which, despite the similar name, is not an update of the Princess Locker Ransomware), keeps its decryption application on a remote server and uses a conventional cryptography technique for blocking different files. Its victims are forced to pay Bitcoins, but malware experts have yet to gather details of the ransom's size, which the 'partner' threat actor can configure to an arbitrary value.

The Princess Ransomware is under a megabyte in size and is C-based software that's compatible with most Windows environments, including 64-bit ones. Like most of the other file-locker Trojans that malware experts examine, this threat uses the format of the files it targets for determining whether or not to 'lock' them with AES encryption, and it prioritizes ones that it can block quickly, such as DOCs, PDFs or JPGs. Unlike most of the competing Trojans, however, the Princess Ransomware flags the encrypted media visually with a random extension instead of a predetermined one, appending a string of four to six randomly-selected characters.

Other features worth noting in the Princess Ransomware include:

  • The Princess Ransomware secures its encryption routine with a unique key for every attack so that the users can't recover their files with a 'one size fits all' decryption solution.
  • It also uses the Tor network's anonymity features for protecting its Command & Control server communications, as well as for handling some aspects of the ransoming process, which includes website support in multiple languages.
  • The Princess Ransomware drops its Bitcoin-ransoming instructions in several places, including the local desktop and any folders that contain any of the files that the Trojan is holding hostage.

Protecting Your Files from Subservience to a Bitcoin-Hoarding Princess

Due to the third-party partnership-based structure of all RaaS businesses, the Princess Ransomware's distribution methods can vary drastically between different infections. Zero-day exploit-abusing scripts running through websites, such as the Nebula Exploit Kit or the Angler Exploit Kit, can drop file-locking threats of this nature onto random or targeted Web traffic. Torrents and other file-sharing resources also are periodically implicated in similar attacks. In targeted attempts at locking media, victims often compromise their PCs by opening corrupted e-mail attachments or by leaving their RDP settings insecure.

The Princess Ransomware includes some defenses against traditional AV solutions, and its authors are marketing it as having 'absolute scan time purity' for limiting its detectability. However, most file-locker Trojans' campaigns include similar and unsubstantiated boasts about their capabilities for evading security software. Whether or not it avoids the initial detection, always let your anti-malware programs remove the Princess Ransomware from your computer, since its presence may coincide with infections by other threats, such as a Trojan with remote-downloading features.

Criminals could be asking for a fraction of a single Bitcoin or a much worse price than that for the Princess Ransomware's decryptor. Regardless of whether it's cheap or costly, paying this ransom doesn't necessarily bring the victim any closer to recovering their files, since the threat actors always can take the money and run.
