A new variant of the Princess Locker ransomware is being distributed called Princess Evolution. Like its predecessor, Princess Evolution is a Ransomware as a Service, or RaaS, that is being promoted on underground criminal forums.

As this ransomware is being distributed through different affiliates, there are numerous methods that are possibly being used to distribute this ransomware. One method being used to distribute the ransomware is through the RIG Exploit Kit, which was discovered by TrendMicro.

Unfortunately, at this time there is no known way to decrypt files encrypted by Princess Evolution. For those who are interested in discussing this ransomware or receiving support, you can use our dedicated Princess Evolution Support & Help topic.

Princess Evolution promoted through underground criminal sites

The Princess Evolution Ransomware is a Ransomware as a Service. This means that the developer recruits affiliates to distribute the ransomware and for every payment made, the developer earns 40% of the payment and the affiliate gets the remaining 60%.

These types of arrangements allow the developer to earn revenue by supporting and developing the ransomware program, while the affiliates can focus on its distribution to victims.

The Princess Evolution Ransomware affiliate program is being promoted through underground criminal forums where the developer creates topics about recruiting people to their RaaS.

Princess Evolution Recruitment Post

These posts go on to show the various features that the RaaS has to offer including the revenue splits, the support model, its configuration options, and more.

RaaS Features

Princess Evolution being distributed through exploit kits

According to a report by TrendMicro, the Princess Evolution ransomware has been seen being distributed through the RIG Exploit Kit. Exploit kits are installed on hacked sites and exploit vulnerabilities on visitors' computers to install the ransomware without their permission or even knowledge.

Network Traffic from Exploit Kit (Source: TrendMicro)

As this is a RaaS with potentially many affiliates, it may also be distributed via other methods used by different distributors.

How Princess Evolution encrypts a computer

When started, Princess Evolution performs two safety checks that prevent it from running on the same machine more than once. It creates a mutex called "hoJUpcvgHA" and a file at %AppData%\MeGEZan.VDE. If either of these already exists, the ransomware will not run.

This was discovered by security researcher Valthek after he analyzed the ransomware.

If Princess Evolution is able to run, it will communicate with the Command & Control server over UDP as shown below. According to TrendMicro, it transmits the username of the infected computer, the name of the network interface, the OS version, the victim, the encryption key, and more.

Princess Evolution Network Traffic via UDP

After sending information, it will begin to scan drives for files to encrypt. For each victim, it will create a unique random extension that it uses when encrypting files on the computer. For example, when I tested the ransomware, the random extension that was used is .7kfsAJ and was appended to all the files that were encrypted.

Princess Evolution Encrypted Folder

As it encrypts files, it will also create three ransom notes in each folder, named (_H0W_TO_REC0VER_[extension].url, (_H0W_TO_REC0VER_[extension].txt, and (_H0W_TO_REC0VER_[extension].html. The .txt and .html ransom notes contain links to the TOR payment site and the victim's unique ID. The .url file opens the TOR payment site.
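The per-victim extension and the three ransom-note names described above give an incident responder something concrete to hunt for. The following triage script is an added example (not code from the article or from the ransomware): it locates the notes, pulls the victim ID and extension out of the note text, and counts files carrying that extension, using a constructed sample directory that mimics the artifacts seen in the analysis.

```python
import re
import tempfile
from pathlib import Path

# Note file names observed: (_H0W_TO_REC0VER_<extension>.{url,txt,html}
NOTE_RE = re.compile(r"^\(_H0W_TO_REC0VER_(?P<ext>[A-Za-z0-9]+)\.(txt|html|url)$")
ID_RE = re.compile(r"Your ID:\s*(\S+)")
EXT_RE = re.compile(r"Your extension:\s*(\S+)")


def find_notes(root):
    """Map each extension named in a ransom-note file name to the note paths found."""
    notes = {}
    for path in Path(root).rglob("*"):
        m = NOTE_RE.match(path.name)
        if m:
            notes.setdefault(m.group("ext"), []).append(path)
    return notes


def parse_note(path):
    """Return (victim_id, extension) from a .txt/.html note body, None where absent."""
    text = path.read_text(errors="replace")
    vid, ext = ID_RE.search(text), EXT_RE.search(text)
    return (vid.group(1) if vid else None, ext.group(1) if ext else None)


def count_encrypted(root, ext):
    """Count files that carry the per-victim extension (e.g. '.7kfsAJ')."""
    return sum(1 for p in Path(root).rglob(f"*.{ext}") if p.is_file())


def triage(root):
    """Summarise notes, victim ID and affected-file count per observed extension."""
    report = {}
    for ext, paths in find_notes(root).items():
        vid = next((parse_note(p)[0] for p in paths if p.suffix in (".txt", ".html")), None)
        report[ext] = {"victim_id": vid, "notes": len(paths),
                       "encrypted_files": count_encrypted(root, ext)}
    return report


def build_sample():
    """Constructed sample tree (hypothetical victim data modelled on the article)."""
    docs = Path(tempfile.mkdtemp()) / "Documents"
    docs.mkdir()
    for name in ("report.docx.7kfsAJ", "budget.xlsx.7kfsAJ", "untouched.txt"):
        (docs / name).write_bytes(b"x")
    note = "Your ID: 6drjPe45b0qw0IwQ\nYour extension: 7kfsAJ\nYour files are encrypted!\n"
    for suffix in ("txt", "html", "url"):
        body = note if suffix != "url" else "[InternetShortcut]\n"  # constructed .url stub
        (docs / f"(_H0W_TO_REC0VER_7kfsAJ.{suffix}").write_text(body)
    return docs.parent
```

Run `triage(build_sample())` to see the per-extension summary; pointing `triage` at a real share root gives a quick scope estimate before restoring from backup.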

Princess Evolution Ransom Note

As previously stated, Princess Evolution cannot be decrypted for free at this time. If you need more info about this ransomware or wish to discuss it with your peers, you can use our dedicated Princess Evolution Support & Help topic.

Princess Evolution TOR payment site

The Princess Evolution TOR payment site is used by victims to get information on how to pay the ransom, the ransom amount, the ability to decrypt one file for free, and various instructions. For my test install, the ransom amount was 0.12 bitcoins or approximately $750 USD.

This TOR payment site is one of the nicer ones we have seen in a long time. The opening page contains an animated image as shown below.

TOR front page image

Once you click on the page, you will be presented with a login form where a victim can enter their unique victim ID from their ransom notes. Once a user logs in, they will be presented with a payment site that contains numerous pages including a free decryption page.

Decrypt one file for free

Other pages include a help page, instructions on how to purchase bitcoins, and information on what happened to the victim's files.

How to protect yourself from Princess Evolution

In order to protect yourself from ransomware, the most important step is to always have a reliable and tested backup of your data that can be restored in the case of an emergency, such as a ransomware attack. Also as this particular ransomware is being distributed via exploit kits, make sure you update all of your installed programs, including Windows, to the latest security updates.

You should also make sure that you do not have any computers running remote desktop services connected directly to the Internet. Instead place computers running remote desktop behind VPNs so that they are only accessible to those who have VPN accounts on your network.

A good security software solution that incorporates behavioral detections to combat ransomware, rather than relying only on signature detections or heuristics, is important as well. For example, Emsisoft Anti-Malware and Malwarebytes Anti-Malware both contain behavioral detection that can prevent many, if not most, ransomware infections from encrypting a computer.

Last, but not least, make sure you practice the following security habits, which in many cases are the most important steps of all:

  • Backup, Backup, Backup!
  • Do not download cracks as they are a major source of infections.
  • Do not open attachments if you do not know who sent them.
  • Do not open attachments until you confirm that the person actually sent them to you.
  • Scan attachments with tools like VirusTotal.
  • Do not connect Remote Desktop Services directly to the Internet. Instead, make sure they can only be accessed by logging into a VPN first.
  • Make sure all Windows updates are installed as soon as they come out! Also make sure you update all programs, especially Java, Flash, and Adobe Reader. Older programs contain security vulnerabilities that are commonly exploited by malware distributors. Therefore it is important to keep them updated.
  • Make sure you have some sort of security software installed that uses behavioral detections or white list technology. White listing can be a pain to train, but if you're willing to stick with it, it could have the biggest payoff.
  • Use hard passwords and never reuse the same password at multiple sites.
  • BACKUP!

For a complete guide on ransomware protection, you can visit our How to Protect and Harden a Computer against Ransomware article.

IOCs

Hashes:

b4f05277bafc06af87fccb02a444e5a22b3760f98c05bf0f6cf5344da7faa543

Associated Files:

(_H0W_TO_REC0VER_[extension].url
(_H0W_TO_REC0VER_[extension].txt
(_H0W_TO_REC0VER_[extension].html
%AppData%\MeGEZan.VDE

HTML Ransom Note Text:

Your ID: 6drjPe45b0qw0IwQ
Your extension: 7kfsAJ
QAaMhY
Your files are encrypted!
Download and install Tor Browser: 

http://www.torproject.org/download/download-easy.html

And follow this link via Tor Browser: 

http://royal666k6zyxnai.onion/

Or use this alternative in any exceptional cases: 

http://royal666k6zyxnai.tor2web.top/
