Hey you,
BE IN THE KNOW!

35,000 ransomware infections per month and you still believe you are protected?

Sign up to receive:

  • alerts
  • news
  • free how-to-remove guides

of the newest online threats - directly to your inbox:


Princess Locker Virus Remove and Restore Your Files

stf-princess-ransomware-alma-main-site-page

Princess Locker virus has recently been discovered by the malware researcher Michael Gillespie. The virus looks very much alike the Alma Locker ransomware. The methods of infection are still unknown, but since this could be a variant of Alma, the RIG exploit kit is suspected to be responsible. Victims have a few days to pay the ransom, or the price will double. The asked ransom price is 3 Bitcoins. Read this article to the end to see how to remove the virus and try to decrypt your files.

Threat Summary

Name Princess Locker
Type Ransomware
Short Description The ransomware will encrypt your files and display a ransom note. You are given a few days to pay, otherwise the ransom price will double.
Symptoms The ransomware will encrypt files, and put an extension to them. The extension consists of five random symbols, just like it was with the Alma ransomware.
Distribution Method Spam Emails, File Sharing Networks, Exploit Kits
Detection Tool See If Your System Has Been Affected by Princess Locker

Download

Malware Removal Tool

User Experience Join Our Forum to Discuss Princess Locker.

Princess Locker Virus – Spread

The Princess Locker ransomware virus is possibly spread with the RIG Exploit Kit. Other methods for distributing the infection probably exist. It could spread through spam emails with an attachment. If you open such an attachment put in a suspicious e-mail, your PC could get infected. Social media networks and file-share services could also contain files like those if the cybercriminals decided to place them there. So, you should be extremely careful with the interactions you make on the Web, such as when you click, download or open files.

Princess Locker Virus – Technical Details

Princess Locker is a ransomware cryptovirus. According to the malware researcher, who stumbled upon it, this could very well be a new variant of the Alma Locker ransomware.

Daren Huss, a Proofpoint security researcher, who discovered the Alma Locker virus and examined it, found that there was a Command & Control server tied to it on the TOR network. The C&C server server received specific information, and it will be no wonder if the Princess Locker variant sends the same information, which is:

  • AES-128 private decryption key
  • file extension put to encrypted files
  • user name
  • the name of the active network interface
  • the system Locale ID (LCID)
  • the version of your Operating System (OS)
  • the name of your security software

When Princess Locker ransomware finishes encrypting files it will put an image with the ransom note. The file is named !_HOW_TO_RESTORE_*.TXT and you can preview its contents from the picture below:

stf-princess-ransomware-alma

If you click on any of the links, which are given on there you will land on the following page inside your browser:

stf-princess-ransomware-alma-locker-files-encrypted2

You enter your ID and as you do that you will see a counter pop up showing that you have only a few days remaining to pay the initial price. That price is 3 Bitcoins or 1,810 US dollars. After that small time frame of a few days expires, the demanded ransom will increase, doubling the price and making it 6 Bitcoins, or 3,620 US dollars, at the time of writing this article.

It is strongly NOT advised to pay any of the sums to the cybercriminals – if you pay them, there is absolutely no guarantee that you will decrypt your files. You will only end up financially supporting them with your money with their criminal endeavors.

Princess Locker ransomware will search to encrypt files with various extensions. The extension list of the Alma variant is probably only built upon, and if that is the case, the following extensions are surely to be encrypted:

→.1cd, .3ds, .3gp, .accdb, .ape, .asp, .aspx, .bc6, .bc7, .bmp, .cdr, .cer, .cfg, .cfgx, .cpp, .cr2, .crt, .crw, .csr, .csv, .dbf, .dbx, .dcr, .dfx, .dib, .djvu, .doc, .docm, .docx, .dwg, .dwt, .dxf, .dxg, .eps, .htm, .html, .ibank, .indd, .jfif, .jpe, .jpeg, .jpg, .kdc, .kwm, .max, .mdb, .mdf, .odb, .odc, .odm, .odp, .ods, .odt, .orf, .p12, .p7b, .p7c, .pdf, .pef, .pem, .pfx, .php, .png, .pps, .ppt, .pptm, .pptx, .psd, .pst, .pub, .pwm, .qbb, .qbw, .raw, .rtf, .sln, .sql, .sqlite, .svg, .tif, .tiff, .txt, .vcf, .wallet, .wpd, .xls, .xlsm, .xlsx, .xml

If the Princess Locker ransomware is indeed a variant of Alma and follows logic, then the files will get locked with the 128-bit AES encryption algorithm. Researchers have confirmed that files and their extension will not be changed, although a second extension will be appended to them, with five random characters.

It is still unknown whether the Princess Locker ransomware virus can erase the Shadow Volume Copies of the Windows operating system, but there is a pretty high chance of that.

Remove Princess Locker Virus and Restore Your Files

If your computer got compromised and is infected with the Princess Locker ransomware virus, you should have some experience with removing viruses before tampering with it. You should get rid of the ransomware fast before it can spread further on the network and encrypt more files. The recommended action for you is to remove the ransomware completely by following the step-by-step instructions written below.

Manually delete Princess Locker from your computer

Note! Substantial notification about the Princess Locker threat: Manual removal of Princess Locker requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Princess Locker files and objects
2.Find malicious files created by Princess Locker on your PC

Automatically remove Princess Locker by downloading an advanced anti-malware program

1. Remove Princess Locker with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by Princess Locker
Optional: Using Alternative Anti-Malware Tools

Berta Bilbao

Berta is the Editor-in-Chief of SensorsTechForum. She is a dedicated malware researcher, dreaming for a more secure cyber space.

More Posts - Website

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.