Princess Evolution Ransomware Virus – How to Remove and Restore Files


This article explains what Princess Evolution ransomware is, how to remove it from your computer, and how you can attempt to recover files that it has encrypted.

A new version of Princess ransomware, calling itself Princess Evolution, has been detected by malware researcher demonslay335. The ransomware slips onto the user's computer unnoticed and shortly afterwards encrypts the important files on it. The encrypted files can no longer be opened and carry a random file extension. Alongside the files, the malware also drops a ransom note, called ^_READ_TO_RE5T0RE_{file extension}.html, which asks victims to download the Tor browser and go to the Tor web page of the cyber-criminals. If your computer has been infected by Princess Evolution ransomware, we recommend that you read this article completely.

Threat Summary

Name: Princess Evolution
Type: Ransomware, Cryptovirus
Short Description: Aims to encrypt the files on the infected computer and then leave behind a ransom note asking the victim to pay a ransom to get them back.
Symptoms: The files can no longer be opened and carry a random file extension. The ransomware also leaves ransom notes, called “^_READ_TO_RE5T0RE_.txt” and “^_READ_TO_RE5T0RE_.html”.
Distribution Method: Spam Emails, Email Attachments, Executable files

Princess Evolution Ransomware – Distribution

To spread this ransomware, its operators may send it as an e-mail attachment that pretends to be a legitimate document, such as:

  • Invoice.
  • Receipt.
  • Online banking statement.
  • Some form of confirmation letter.
  • Suspicious account activity report.

In reality, the attachment is the infection file of Princess Evolution ransomware and may contain the malicious payload of the virus, which is likely delivered via the Rig Exploit Kit.

Another way this ransomware may infect computers is through a visit to a compromised website that is rigged to push the exploit kit to your computer.

Another possible method of this malware entering your computer system is by having it downloaded while believing it is a legitimate program. Such programs often tend to imitate:

  • Patches.
  • Software license activators.
  • Online banking statement.
  • Cracks.
  • Key generators (keygens).
  • Portable versions of programs.

The Princess Evolution virus is being distributed as RaaS (Ransomware-as-a-Service) via an underground hacker marketplace. This means that a hacker or criminal collective is offering the stock version or a custom version of it, so every version can have different attack behavior and distribution methods. Affiliate infection schemes can distribute the revenue between the creators and the hackers.

Princess Evolution Ransomware – Activity

Once on your computer, this ransomware virus may create various types of malicious files and folders. They may be located in the following Windows directories:

  • %AppData%
  • %Local%
  • %LocalLow%
  • %Roaming%
  • %Temp%

Similar to its previous variant, Princess Evolution ransomware may then connect to its Command and Control server and transmit the following information:

  • AES-128 private decryption key.
  • File extension as a unique identifier.
  • User name.
  • The name of the network interface.
  • The system locale ID (LCID).
  • OS type and version.
  • The name of any security software that might be installed.

The malware may then add registry entries in the Run and RunOnce Windows registry sub-keys, which are found at the following location:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

In addition to this, Princess Evolution ransomware may also place its ransom note files where they are easy to notice. Both of them carry the following message for victims:

Your files are encrypted!

Download and install Tor Browser:

And follow this link via Tor Browser:

Or use this alternative in any exceptional cases:


The Tor web page of Princess Evolution welcomes the user with the following well-made animation and the following ransom note:

The ransomware virus may also execute the following commands with the main goal of deleting any backed up shadow copies from the victim’s computer:

→ sc stop VVS
sc stop wscsvc
sc stop WinDefend
sc stop wuauserv
sc stop BITS
sc stop ERSvc
sc stop WerSvc
cmd.exe /C bcdedit /set {default} recoveryenabled No
cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
"C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet
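The command list above lends itself to a behavioural detection: any one of these commands can be routine administration, but several of them on the same host within minutes is not. The following is an added example, not part of the original article; the rule names, regular expressions, thresholds and sample events are constructed for illustration.

```python
import re
from collections import defaultdict

# Behaviours come from the command list above; the regexes are this example's own.
# "vvs" is the name as printed in the article, "vss" is the Volume Shadow Copy service.
RULES = {
    "shadow_copy_delete": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "recovery_disabled": re.compile(
        r"bcdedit(\.exe)?\s+/set\s+\S+\s+recoveryenabled\s+no\b", re.I),
    "boot_failures_ignored": re.compile(
        r"bcdedit(\.exe)?\s+/set\s+\S+\s+bootstatuspolicy\s+ignoreallfailures", re.I),
    "security_service_stop": re.compile(
        r"\bsc(\.exe)?\s+stop\s+(vvs|vss|wscsvc|windefend|wuauserv|bits|ersvc|wersvc)\b", re.I),
}

# Constructed process-creation events: (host, epoch seconds, command line).
SAMPLE_EVENTS = [
    ("WS01", 1000, r"sc stop WinDefend"),
    ("WS01", 1002, r"cmd.exe /C bcdedit /set {default} recoveryenabled No"),
    ("WS01", 1003, r"cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    ("WS01", 1005, r'"C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet'),
    ("SRV02", 1100, r"sc stop BITS"),                      # lone admin action
    ("WS03", 2000, r"sc stop wuauserv"),                   # same behaviours, hours apart
    ("WS03", 9000, r"bcdedit /set {default} recoveryenabled No"),
    ("WS03", 16000, r"vssadmin delete shadows /for=C: /oldest"),
]

def classify(cmdline):
    """Return the set of rule names that match one command line."""
    return {name for name, rx in RULES.items() if rx.search(cmdline)}

def hosts_to_alert(events, window=300, min_behaviours=3):
    """Return {host: behaviours} where enough distinct rules fire within `window` seconds."""
    hits = defaultdict(list)
    for host, ts, cmd in events:
        hits[host].extend((ts, rule) for rule in classify(cmd))
    alerts = {}
    for host, seen in hits.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            rules = {rule for ts, rule in seen[i:] if ts - start <= window}
            if len(rules) >= min_behaviours:
                alerts[host] = sorted(rules)
                break
    return alerts

if __name__ == "__main__":
    for host, rules in hosts_to_alert(SAMPLE_EVENTS).items():
        print(host, rules)
```
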

Princess Evolution Ransomware – Encryption Process

For the encryption process of the Princess Evolution ransomware to take place, the virus may first scan the infected computers of victims for the following file types:

→ .1cd, .3ds, .3gp, .accdb, .ape, .asp, .aspx, .bc6, .bc7, .bmp, .cdr, .cer, .cfg, .cfgx, .cpp, .cr2, .crt, .crw, .csr, .csv, .dbf, .dbx, .dcr, .dfx, .dib, .djvu, .doc, .docm, .docx, .dwg, .dwt, .dxf, .dxg, .eps, .htm, .html, .ibank, .indd, .jfif, .jpe, .jpeg, .jpg, .kdc, .kwm, .max, .mdb, .mdf, .odb, .odc, .odm, .odp, .ods, .odt, .orf, .p12, .p7b, .p7c, .pdf, .pef, .pem, .pfx, .php, .png, .pps, .ppt, .pptm, .pptx, .psd, .pst, .pub, .pwm, .qbb, .qbw, .raw, .rtf, .sln, .sql, .sqlite, .svg, .tif, .tiff, .txt, .vcf, .wallet, .wpd, .xls, .xlsm, .xlsx, .xml

After the virus has encrypted the files, it adds a random file extension to them, which it also adds to the names of the ransom note files it creates. The extension is believed to serve as an identifier for the victimized machine.
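Because the same random extension appears in the ransom note name and on the encrypted files, a responder can read the extension off the notes and use it to scope the damage. The following is an added example, not part of the original article; it assumes the note name is the prefix followed by the extension and then .html or .txt, and that affected files carry the extension as their final suffix. The file listing is constructed.

```python
import re
from pathlib import PureWindowsPath

# Assumption: note name = "^_READ_TO_RE5T0RE_" + extension + ".html" or ".txt",
# following the pattern quoted in this article.
NOTE_RE = re.compile(r"^\^_READ_TO_RE5T0RE_(?P<ext>[^.\\/]+)\.(html|txt)$", re.I)

# Constructed file listing (e.g. exported from a triage tool).
SAMPLE_PATHS = [
    r"C:\Users\ana\Documents\^_READ_TO_RE5T0RE_k3Zq.html",
    r"C:\Users\ana\Documents\^_READ_TO_RE5T0RE_k3Zq.txt",
    r"C:\Users\ana\Documents\budget.xlsx.k3Zq",
    r"C:\Users\ana\Documents\notes.txt",
    r"C:\Users\ana\Pictures\trip.jpg.k3Zq",
    r"C:\Users\ana\Pictures\^_READ_TO_RE5T0RE_k3Zq.html",
    r"C:\Users\ana\Desktop\setup.K3ZQ.bak",   # extension is not the final suffix
]

def triage(paths):
    """Return {extension: {"notes": [...], "encrypted": [...], "folders": [...]}}."""
    parsed = [PureWindowsPath(p) for p in paths]
    report = {}
    # Pass 1: every ransom note reveals the extension used on this machine.
    for p in parsed:
        m = NOTE_RE.match(p.name)
        if m:
            entry = report.setdefault(m.group("ext").lower(),
                                      {"notes": [], "encrypted": []})
            entry["notes"].append(str(p))
    # Pass 2: files whose final suffix equals a known extension are affected.
    for p in parsed:
        ext = p.suffix[1:].lower()
        if ext in report and not NOTE_RE.match(p.name):
            report[ext]["encrypted"].append(str(p))
    for entry in report.values():
        touched = entry["notes"] + entry["encrypted"]
        entry["folders"] = sorted({str(PureWindowsPath(f).parent) for f in touched})
    return report

if __name__ == "__main__":
    for ext, entry in triage(SAMPLE_PATHS).items():
        print(ext, len(entry["notes"]), "notes,", len(entry["encrypted"]), "encrypted files")
```
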

Remove Princess Evolution Ransomware and Restore Encrypted Files

If you want to remove the Princess Evolution ransomware from your computer, we recommend that you follow the removal instructions underneath this article. They have been divided into manual and automatic removal instructions. If manual removal is not something you feel confident in doing, we strongly suggest what most malware removal experts would advise you to do, which is to use an advanced anti-malware program to automatically remove Princess Evolution ransomware from your computer. Downloading and installing such a program will make sure that your computer is fully cleaned up and remains protected in real time against threats like Princess Evolution in the future as well.

Ransomware viruses like Princess Evolution aim to encrypt files with the aid of advanced encryption. The AES-128 cipher has been used in this case, and the malware aims to encrypt portions of the files while generating a unique decryption key. This key is also heavily encrypted, so at the moment there is no direct solution for restoring files encrypted by Princess Evolution. You can, however, use one of the alternative methods for file recovery in step “2. Restore files, encrypted by Princess Evolution” below. They may not be 100% working, but with their aid you may be able to restore as many encrypted files as possible.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
