Remove Princess Locker V2 and Restore .cRtG, .fyust, .aknT0I Files

Remove Princess Locker V2 and Restore .cRtG, .fyust, .aknT0I Files

Malware researchers have recently discovered Princess Locker and what appears to be a second version. The methods of infection are still unknown, but the payload file is named ran.exe as submitted from various samples. Victims have a few days to pay the ransom, or the price will double, exactly like the previous version. The asked ransom price is 0.0600 Bitcoins. Read this article to the end to see how to remove the virus and try to decrypt your files.

Threat Summary

NamePrincess Locker V2
Short DescriptionThe ransomware will encrypt your files and display a ransom note. You are given a few days to pay, otherwise the ransom price will increase.
SymptomsThe ransomware will encrypt files, and put an extension to them. The extension consists of five random symbols, just like it was with the previous version of the ransomware.
Distribution MethodSpam Emails, File Sharing Networks, Exploit Kits
Detection Tool See If Your System Has Been Affected by Princess Locker V2


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss Princess Locker V2.

Princess Locker V2 Virus – Infection Spread

The Princess Locker ransomware virus is possibly spread with an Exploit Kit if it follows suit of the original variant. Other methods for distributing the infection probably exist. It might spread through spam emails with an attachment. If you open such an attachment put in a suspicious e-mail, your computer could get infected. Social media networks and file-share services could also contain files like those if the cybercriminals decided to place them there. So, you should be very careful with the interactions you make on the Internet, such as when you click, download or open unknown files.

Below you can see the payload file that distributes the ransomware on VirusTotal:

The file is named ran.exe and is also present in other threat detection databases. Most antivirus programs detect it already, probably because of the similarity between its code and that of the original variant.

Princess Locker V2 Virus – Technical Data

Princess Locker is a ransomware cryptovirus. The ransomware has the same design, encryption mechanism and similar file distribution tactics as the original variant of the Princess Locker Ransomware Virus.

When Princess Locker ransomware finishes encrypting files it will place an image and a text document containing the ransom note with decryption instructions inside. The text document file bares one of the following names:

  • =_THIS_TO_FIX_cRtG.txt
  • =_THIS_TO_FIX_fyust.txt
  • = _THIS_TO_FIX_aknT0I.txt

Below you can see the contents of one of these ransom note files:

The note states the following:

hpeECbqS CqXdyb qhBGhoryp
Your ID: U2WbVAYRDcaMQxxx
Your extension: cRtG
() Your files are encrypted!
(kBFflrEv) Download and install Tor Browser:
() Follow this link via Tor Browser:

If you click on the latter link, which are given on there you will land on the following page inside your browser:

You enter your ID and as you do that you will see a counter pop up showing that you have only a few days remaining to pay the initial price. That price is 0.0600 Bitcoins or around 545 US dollars. After that small time frame of a week expires, the demanded ransom will increase.

It is strongly NOT advised to pay any of the sums to the cybercriminals – if you pay them, there is absolutely no guarantee that you will decrypt your files. You will only end up financially supporting them with your money with their criminal endeavors.

Princess Locker V2 Virus – Encryption Process

Princess Locker V2 ransomware should search to encrypt files with extensions such as its previous variant. The extension list might be even more extensive than the one provided below, but the following extensions are surely to be encrypted:

→.1cd, .3ds, .3gp, .accdb, .ape, .asp, .aspx, .bc6, .bc7, .bmp, .cdr, .cer, .cfg, .cfgx, .cpp, .cr2, .crt, .crw, .csr, .csv, .dbf, .dbx, .dcr, .dfx, .dib, .djvu, .doc, .docm, .docx, .dwg, .dwt, .dxf, .dxg, .eps, .htm, .html, .ibank, .indd, .jfif, .jpe, .jpeg, .jpg, .kdc, .kwm, .max, .mdb, .mdf, .odb, .odc, .odm, .odp, .ods, .odt, .orf, .p12, .p7b, .p7c, .pdf, .pef, .pem, .pfx, .php, .png, .pps, .ppt, .pptm, .pptx, .psd, .pst, .pub, .pwm, .qbb, .qbw, .raw, .rtf, .sln, .sql, .sqlite, .svg, .tif, .tiff, .txt, .vcf, .wallet, .wpd, .xls, .xlsm, .xlsx, .xml

If the Princess Locker ransomware is anything like its predecessor, files should be locked with the 128-bit AES encryption algorithm. Researchers have confirmed that files and their extension will not be changed. However, the extension that will be appended to files with five random characters will be placed as a secondary extension.

Below you can see a page on the TOR network, connected to the decryption instructions of the ransomware which allow you to decrypt a file up to 1 MB:

It is still unknown whether the Princess Locker ransomware virus can erase the Shadow Volume Copies of the Windows operating system, but there is a pretty high chance of that.

Remove Princess Locker V2 Virus and Restore Your Files

If your computer got compromised and is infected with the Princess Locker ransomware virus, you should have some experience with removing viruses before tampering with it. You should get rid of the ransomware fast before it can spread further on the network and encrypt more files. The recommended action for you is to remove the ransomware completely by following the step-by-step instructions written below.


Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share