Decryptor Available for Princess Locker Ransomware

D

Dirk41

Level 17
Thread author
Verified
Top Poster
Well-known
Mar 17, 2016
797
princess-header.png


Polish security researcher Hasherezade has found a way to help victims of the Princess Locker ransomware by cracking the ransomware's encryption system and releasing a free decryptor.

Princess Locker is a ransomware family that appeared at the end of September and was made available as a Ransomware-as-a-Service, rentable via a Dark Web portal.

The ransomware was never at the center of a massive distribution campaign, but the crooks behind it made some victims regardless, who remained locked out of their files.

Keygen and decrypter available for download
After spending a few days looking at the ransomware's mode of operation, Hasherezade announced yesterday on Twitter that she finally found a way to recover files locked by this threat.

The decryption package can be downloaded from this Google Drive page. The archive should contain the following files:

PrincessTools.png


The two main files are PrincessKeygen and PrincessDecrypter. Both files are CLI tools, so you'll need to open a command-line interface (cmd.exe) and navigate to the folder where these two files are located.

The first one you should run is PrincessKeygen. As the name hints, this is a tool to extract the encryption key used to lock your files. To run this file, from a cmd.exe window inside the tool's folder, you should type the following command structure:

Code: 
PrincessKeygen.exe [encrypted file] [original file] [added extension] [*unique id]

Where:
[encrypted file] - the name of the encrypted file, which you must place in the same folder as the PrincessKeygen.exe file.
[original file] - the name of the same encrypted file, but in an unencrypted, original version, which as well, you must place in the same folder as the PrincessKeygen.exe file. You can recover these files from backups, older emails, or online file storage portals. One file is enough. In case you don't have an unencrypted copy of a locked file, you can use one of the sample files Hasherezade provided in the headers.zip file
[added extension] - the random characters added as file extensions at the end of each encrypted file
[unique id] - a random string of characters included in the ransom note at "Your ID." This is an optional parameter and Hasherezade says the keygen will work without it, but will take longer to produce results.

princess_keygen.png

Using PrincessKeygen.exe (via Hasherezade)


Once you have the encryption key, you can move along to the decryption process. In a similar cmd.exe window, type in the following command:

Code: 
PrincessDecryptor.exe [key] [added extension] [*file/directory]

Where:
[key] - the key generated by the keygen
[added extension] - the random characters added as file extensions at the end of each encrypted file. Same as in the step before
[*file/directory] - optional parameter to decrypt certain files or certain folders only

Full article with video and in-depth analysis : Decryptor Available for Princess Locker Ransomware
 
Last edited:
  • Like
Reactions: Fritz, Der.Reisende, Deleted member 2913 and 3 others
DardiM

DardiM

Level 26
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
Thanks for the share :)

First time I hear of this ransomware.

I never received any sample on my special e-mail account ... may be it is targeting companies :

- 3 bitcoins ($1,800 USD), really an important amount of money :D
- 6 bitcoins after counter expires :rolleyes:

The pink webpage is so ... lovely :p
 
Last edited:
  • Like
Reactions: Fritz, Der.Reisende, Deleted member 2913 and 2 others
W

Wave

DardiM said:
6 bitcoins after counter expires
Click to expand...
$3,600 USD... A lot of money indeed. At least they aren't asking for $100,000+ or those companies will really be messed over if it was completely necessary for them to get their files back within a short manner of time, although still risky at the same time (since someone who has infected your system should never be trusted further to handle large amounts of money and then be obliged to give you back what they promised in return... After all, they lost your trust when they infected you and messed up your work).

Although, in these scenarios the solution is a backup of the data... Companies should always have multiple, regular backups, which are being safely secured in multiple areas (e.g. say on case an attacker gains access to some of the backups, then there are still more, maybe even stored offline (and then it'd have to be an inside job for those to be manipulated some way or another)).
 
  • Like
Reactions: Fritz, Der.Reisende, Deleted member 2913 and 2 others
You must log in or register to reply here.

Similar threads

Gandalf_The_Grey
    • +Reputation
    • Like
Free Key Group ransomware decryptor helps victims recover data
Replies
0
Views
995
News Archive
Gandalf_The_Grey
Gandalf_The_Grey
Gandalf_The_Grey
    • Like
    • Applause
    • +Reputation
Security News Online ransomware decryptor helps recover partially encrypted files
Replies
0
Views
810
Security News
Gandalf_The_Grey
Gandalf_The_Grey
vtqhtr413
    • Like
    • +Reputation
Security News New Black Basta decryptor exploits ransomware flaw to recover files
Replies
0
Views
1,413
Security News
vtqhtr413
vtqhtr413

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top