
Princess Locker Ransomware Support & Help Topic - !_HOW_TO_RESTORE_[ext].html


13 replies to this topic

#1 mcgilvrayb

Posted 27 September 2016 - 10:43 PM

Hi,
Seems we got hit with some nice friendly ransomware. I've since isolated the machine (it's a virtual machine anyway) and moved all operations to a new server and restored what I can so far from backups, but I would love to try and identify what ransomware it is as it's not being detected by the discovery page.

Case numbers below:

Please reference this case SHA1: 4332606e88460bddbdfa6ecce5b2b40750c1ac69
Please reference this case SHA1: f51d6ee0631aecf7b1872544ecae9fb9ee5fa1a7

I only have one real file I'm trying to recover (and the "one free" file they offer to decrypt on the ransom page results in a server error... and no way I'd consider paying anyway, let alone if they can't prove it... LOL).

It reads similar to others I've been seeing on this forum but is also different. Any help would be appreciated.


#2 al1963


Posted 28 September 2016 - 12:42 AM

Try here to determine the encrypted file and the note for redemption:

https://id-ransomware.malwarehunterteam.com/identify.php



#3 mcgilvrayb


Posted 28 September 2016 - 12:50 AM

> try here to determine the encrypted file and the note for redemption
> https://id-ransomware.malwarehunterteam.com/identify.php

I tried that one, which is how I generated those case numbers. Unfortunately it did not pick which version it was.



#4 quietman7


Posted 28 September 2016 - 06:07 AM


Are there any obvious file extensions appended to or with your data files?

Did you find any ransom notes? These infections are created to alert victims that their data has been encrypted and demand a ransom payment. Check your documents folder for an image the malware typically uses for the background note. Check the C:\ProgramData (or C:\Documents and Settings\All Users\Application Data) for a randomly named .html, .txt, .png, .bmp, .url file. Most ransomware will also drop a ransom note in every directory/affected folder where data was encrypted.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#5 Demonslay335


Posted 28 September 2016 - 08:17 AM

No results for files '!_HOW_TO_RESTORE_1igw.html' and 'PilotARN.xlsx.1igw'

I've seen ransom notes for that before, but haven't fully identified it yet. The extension part is random by the way, so you won't find results on it.

Based on the ransom note contents and how it handles "knowing" your extension, it seems like it is an evolution of AlmaLocker. I only now opened up the Tor page for the first time, and it literally calls itself "Princess Locker".

https://twitter.com/demonslay335/status/781122627054206976

We will need a sample of the malware to analyze. If you find any malicious or suspicious files, please submit them here: http://www.bleepingcomputer.com/submit-malware.php?channel=168


Edited by Demonslay335, 28 September 2016 - 08:29 AM.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
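Added triage example (my own, not code from the thread or from any tool mentioned in it) that applies the two observations above: the note name !_HOW_TO_RESTORE_<ext>.html carries the random extension, and notes are dropped in ProgramData and in each folder with encrypted data. The file listing is constructed; on a real system you would feed it the output of a directory walk.

```python
import posixpath
import re
from collections import defaultdict

# Note name pattern from this thread: "!_HOW_TO_RESTORE_" + random extension + ".html".
NOTE_RE = re.compile(r"^!_HOW_TO_RESTORE_([A-Za-z0-9]+)\.html$")

# Constructed sample file listing (not from the thread); Windows-style paths.
SAMPLE_PATHS = [
    r"C:\ProgramData\!_HOW_TO_RESTORE_1igw.html",
    r"C:\Users\bob\Documents\!_HOW_TO_RESTORE_1igw.html",
    r"C:\Users\bob\Documents\PilotARN.xlsx.1igw",
    r"C:\Users\bob\Documents\budget.docx.1igw",
    r"C:\Users\bob\Documents\readme.txt",
    r"C:\Users\bob\Pictures\holiday.jpg",
]

def split_path(path):
    """Split a Windows or POSIX path into (directory, file name)."""
    return posixpath.split(path.replace("\\", "/"))

def triage(paths):
    """Correlate ransom notes with encrypted files via the random extension.
    Returns {ext: {"notes": [paths], "encrypted": [paths]}}; the extension
    is learned from the note names, so nothing has to be known up front."""
    by_ext = defaultdict(lambda: {"notes": [], "encrypted": []})
    for p in paths:  # pass 1: notes reveal the extension(s) in use
        m = NOTE_RE.match(split_path(p)[1])
        if m:
            by_ext[m.group(1)]["notes"].append(p)
    for p in paths:  # pass 2: any other file ending in a learned extension
        name = split_path(p)[1]
        ext = name.rpartition(".")[2]
        if ext in by_ext and not NOTE_RE.match(name):
            by_ext[ext]["encrypted"].append(p)
    return dict(by_ext)

def affected_dirs(result):
    """Sorted directories holding a note or an encrypted file. Note-only
    directories such as ProgramData are included, matching the drop
    locations described in the thread."""
    dirs = set()
    for group in result.values():
        for p in group["notes"] + group["encrypted"]:
            dirs.add(split_path(p)[0])
    return sorted(dirs)
```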


#6 mcgilvrayb


Posted 28 September 2016 - 08:36 PM

 

> No results for files '!_HOW_TO_RESTORE_1igw.html' and 'PilotARN.xlsx.1igw'
>
> I've seen ransom notes for that before, but haven't fully identified it yet. The extension part is random by the way, so you won't find results on it.
>
> Based on the ransom note contents and how it handles "knowing" your extension, it seems like it is an evolution of AlmaLocker. I only now opened up the Tor page for the first time, and it literally calls itself "Princess Locker".
>
> https://twitter.com/demonslay335/status/781122627054206976
>
> We will need a sample of the malware to analyze. If you find any malicious or suspicious files, please submit them here: http://www.bleepingcomputer.com/submit-malware.php?channel=168

I have just submitted it for analysis. I'm 99.9% sure that's the one that caused the problems. Came in an email attachment, disguised as a FedEx email.



#7 quietman7


Posted 29 September 2016 - 04:19 AM

Introducing Princess Locker Ransomware

#8 Demonslay335


Posted 29 September 2016 - 08:56 AM

That was a Nemucod dropper sample that drops the PHP variant of Nemucod's own ransomware. Afraid it was not Princess Locker.



#9 mcgilvrayb


Posted 29 September 2016 - 05:52 PM

> That was a Nemucod dropper sample that drops the PHP variant of Nemucod's own ransomware. Afraid it was not Princess Locker.

Bummer. I'm working on the machine through remote desktop as it's a long way away. I'll take a backup of the drives and get it shipped down to me so I can examine it on an isolated system.



#10 Demonslay335


Posted 16 November 2016 - 03:20 PM

Victims may have hope: hasherezade is working on a decrypter.

https://twitter.com/hasherezade/status/798979874455257088




#11 quietman7


Posted 16 November 2016 - 04:37 PM

That's promising news.

#12 mcgilvrayb


Posted 16 November 2016 - 09:09 PM

> Victims may have hope, hasherezade is working on a decrypter.
> https://twitter.com/hasherezade/status/798979874455257088

Some good news hopefully.

I've only just had the hard drives delivered to me from our remote site and I can't find the bloody ransomware on the drive, which makes me think either the virus scanner canned it, it was run from somebody's USB, or the person who ran it had deleted it (or it was purged from their internet temp files when they logged out). It's good news somebody else found a copy to play with. Even better if they have a working decryptor; it means the few files which were not in last night's backup can be recovered without too much data loss.

I would have loved to have done a file recovery on the drive, but they are hosted on virtual drives in Hyper-V and too much had been overwritten by the time I got called in on the job. It looked like it simply deleted the files after creating the encrypted copies.



#13 Demonslay335


Posted 16 November 2016 - 10:57 PM

@All

If anyone has been affected by this ransomware, please share a few encrypted files, and you will receive private help.




#14 Demonslay335


Posted 18 November 2016 - 11:42 AM

hasherezade has released a full tool for victims to decrypt their files; she also added the ability to decrypt folders.

https://hshrzd.wordpress.com/2016/11/17/princess-locker-decryptor/

Thanks to hasherezade for her work as always.






