Princess Locker Ransomware Support & Help Topic - !_HOW_TO_RESTORE_[ext].html

Hi,
Seems we got hit with some nice friendly ransomware.. i've since isolated the machine (its a virtual machine anyway) and moved all operations to a new server and restored what I can so far from backups but I would love to try and identify what ransomwhere it is as its not being detected by the discovery page.
 
Case numbers below:
 
Please reference this case SHA1: 4332606e88460bddbdfa6ecce5b2b40750c1ac69 
Please reference this case SHA1: f51d6ee0631aecf7b1872544ecae9fb9ee5fa1a7 
 
I only have one real file i'm trying to recover (and the "one free" file they offer do decrypt on the ransom page results in a server error.. and no way i'd consider paying anyway, yet alone if they can't prove it..LOL)
 
It reads similar to others i've been seeing on this forum but is also different. any help would be appreciated.

try here to determine the encrypted file and the note for redemption

 

https://id-ransomware.malwarehunterteam.com/identify.php

try here to determine the encrypted file and the note for redemption

 

https://id-ransomware.malwarehunterteam.com/identify.php

I tried that one, which is how I generated those case numbers. Unfortunately it did not pick which version it was.

Are there any obvious file extensions appended to or with your data files?

Did you find any ransom notes? These infections are created to alert victims that their data has been encrypted and demand a ransom payment. Check your documents folder for an image the malware typically uses for the background note. Check the C:\ProgramData (or C:\Documents and Settings\All Users\Application Data) for a randomly named .html, .txt, .png, .bmp, .url file. Most ransomware will also drop a ransom note in every directory/affected folder where data was encrypted.

No results for files '!_HOW_TO_RESTORE_1igw.html' and 'PilotARN.xlsx.1igw'

 

I've seen ransom notes for that before, but haven't fully identified it yet. The extension part is random by the way, so you won't find results on it.

 

Based on the ransom note contents and how it handles "knowing" your extension, it seems like it is an evolution of AlmaLocker. I only now opened up the Tor page for the first time, and it literally calls itself "Princess Locker".

 

https://twitter.com/demonslay335/status/781122627054206976

 

We will need a sample of the malware to analyze. If you find any malicious or suspicious files, please submit them here: http://www.bleepingcomputer.com/submit-malware.php?channel=168

Edited by Demonslay335, 28 September 2016 - 08:29 AM.

 

No results for files '!_HOW_TO_RESTORE_1igw.html' and 'PilotARN.xlsx.1igw'

 

I've seen ransom notes for that before, but haven't fully identified it yet. The extension part is random by the way, so you won't find results on it.

 

Based on the ransom note contents and how it handles "knowing" your extension, it seems like it is an evolution of AlmaLocker. I only now opened up the Tor page for the first time, and it literally calls itself "Princess Locker".

 

https://twitter.com/demonslay335/status/781122627054206976

 

We will need a sample of the malware to analyze. If you find any malicious or suspicious files, please submit them here: http://www.bleepingcomputer.com/submit-malware.php?channel=168

 

 

I have just submitted it for analysis. I'm 99.9% sure thats the one that caused the problems. Came in an email attachment, disguised as a fedex email.

Introducing Princess Locker Ransomware

That was a Nemucod dropper sample that drops the PHP variant of Nemucod's own ransomware. Afraid it was not Princess Locker.

That was a Nemucod dropper sample that drops the PHP variant of Nemucod's own ransomware. Afraid it was not Princess Locker.

Bummer. I'm working on the machine through remote desktop as its a long way away. I'll take a backup of the drives and get it shipped down to me so I can examine it on an isolated system.

Victims may have hope, hasherezade is working on a decrypter.

 

https://twitter.com/hasherezade/status/798979874455257088

That's promising news.

Victims may have hope, hasherezade is working on a decrypter.

 

https://twitter.com/hasherezade/status/798979874455257088

 

Some good news hopefully.

 

I've only just had the hard drives delivered to me from our remote site and I can't find the bloody ransomware on the drive which makes me think either the virus scanner canned it, it was run from somebodys usb,  the person who run it had deleted it (or was purged from their internet temp files when they logged out). Its good news somebody else found a copy to play with. Even better if they have a working decryptor, it means the few files which were not in the last nights backup can be recovered without too much data loss.

 

I would have loved to had done a file recovery on the drive, but they are hosted on virtual drives in HyperV and too much had been overwritten by the time I got called in on the job. It looked like it simply deleted the files after creating the encrypted copys.

@All

 

If anyone has been affected by this ransomware, please share a few encrypted files, and you will receive private help. 

hasherezade has released a full tool for victims to decrypt their files, she also added the ability to decrypt folders.

 

https://hshrzd.wordpress.com/2016/11/17/princess-locker-decryptor/

 

Thanks to hasherezade for her work as always.