A new variant of the Princess Locker ransomware is being distributed called Princess Evolution. Like its predecessor, Princess Evolution is a Ransomware as a Service, or RaaS, that is being promoted on underground criminal forums.
As this ransomware is being distributed through different affiliates, there are numerous methods that are possibly being used to distribute this ransomware. One method being used to distribute the ransomware is through the RIG Exploit Kit, which was discovered by TrendMicro.
Unfortunately, at this time there is no known way to decrypt files encrypted by Princess Evolution. For those who are interested in discussing this ransomware or receiving support, you can use our dedicated Princess Evolution Support & Help topic.
The Princess Evolution Ransomware is a Ransomware as a Service. This means that the developer recruits affiliates to distribute the ransomware and for every payment made, the developer earns 40% of the payment and the affiliate gets the remaining 60%.
These types of arrangements allow the developer to earn revenue by supporting and developing the ransomware program, while the affiliates can focus on its distribution to victims.
The Princess Evolution Ransomware affiliate program is being promoted through underground criminal forums where the developer creates topics about recruiting people to their RaaS.
These posts go on to show the various features that the RaaS has to offer including the revenue splits, the support model, its configuration options, and more.
According to a report by TrendMicro, the Princess Evolution ransomware has been seen being distributed through the RIG Exploit Kit. Exploit kits are installed on hacked sites and exploit vulnerabilities on visitors' computers to install the ransomware without their permission or even their knowledge.
As this is a RaaS with potentially many affiliates, it may also be distributed via other methods used by different distributors.
When started, Princess Evolution performs two safety checks so that it is not executed on the same machine more than once: it creates a mutex called "hoJUpcvgHA" and a file at %AppData%\MeGEZan.VDE. If either of these already exists, the ransomware will not run.
This was discovered by security researcher Valthek after he analyzed the ransomware.
This ransomware has 2 checks at the start to avoid reinfecting the machine: a mutex with the name "hoJUpcvgHA" (without quotes) and one file in %appdata% with the name "MeGEZan.VDE" (no quotes). #princessevolution #RaaS @sisoma2 @D00RT_RM @BleepinComputer @malwrhunterteam @McAfee_Labs
— Valthek (@ValthekOn) August 15, 2018
If Princess Evolution is able to run, it will communicate with the Command & Control server over UDP as shown below. According to TrendMicro, it will transmit the username of the infected computer, name of network interface, the OS version, victim, encryption key, and more.
After sending this information, it will begin to scan drives for files to encrypt. For each victim, it generates a unique random extension that it appends to every file it encrypts. For example, when I tested the ransomware, the random extension was .7kfsAJ, and it was appended to all of the encrypted files.
As it encrypts files, it will also create three ransom notes in each folder, called (_H0W_TO_REC0VER_[extension].url, (_H0W_TO_REC0VER_[extension].txt, and (_H0W_TO_REC0VER_[extension].html. The .txt and .html ransom notes contain links to the TOR payment site and the victim's unique ID. The .url file will open the TOR payment site.
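The run-once marker file and the per-folder ransom notes described above are the host artifacts a responder would look for first. The following triage script is an added example, not code from the article or from any vendor report: it parses the fields out of a .txt note, walks a directory tree to group notes by the random extension, counts files carrying that extension, and checks whether the marker exists under a given AppData path. The sample tree it builds is constructed for the demonstration and uses the ID, extension and .onion address quoted in the article; the regexes and all function names are the example's own assumptions.

```python
import re
import tempfile
from pathlib import Path

# Filesystem artifacts the article describes: the run-once marker in %AppData%
# and the three per-folder ransom notes, named after the victim's random extension.
# The leading "(" is optional so the names match as printed in the article or without it.
MARKER_NAME = "MeGEZan.VDE"
NOTE_RE = re.compile(r"^\(?_H0W_TO_REC0VER_(?P<ext>[A-Za-z0-9]+)\.(?:url|txt|html)$")
FIELD_RES = {
    "victim_id": re.compile(r"Your ID:\s*(\S+)"),
    "extension": re.compile(r"Your extension:\s*(\S+)"),
    "onion_url": re.compile(r"https?://[a-z0-9]+\.onion/?"),
}

def parse_note(text):
    """Extract the victim ID, extension and Tor payment URL from a .txt note body."""
    fields = {}
    for key, rx in FIELD_RES.items():
        m = rx.search(text)
        fields[key] = (m.group(1) if rx.groups else m.group(0)) if m else None
    return fields

def scan_tree(root, appdata):
    """Walk `root`: group ransom notes by extension, count files carrying each
    extension, and report whether the run-once marker exists under `appdata`."""
    root = Path(root)
    notes = {}
    for path in root.rglob("*"):
        m = NOTE_RE.match(path.name)
        if path.is_file() and m:
            notes.setdefault(m.group("ext"), []).append(str(path.relative_to(root)))
    counts = {ext: sum(1 for p in root.rglob(f"*.{ext}") if p.is_file()) for ext in notes}
    return {"notes": notes, "encrypted_counts": counts,
            "marker_present": (Path(appdata) / MARKER_NAME).is_file()}

def demo():
    """Build a constructed sample tree (not real victim data) and triage it."""
    base = Path(tempfile.mkdtemp())
    appdata = base / "AppData"
    appdata.mkdir()
    (appdata / MARKER_NAME).write_bytes(b"")  # run-once marker
    note = ("Your ID: 6drjPe45b0qw0IwQ\nYour extension: 7kfsAJ\nYour files are encrypted!\n"
            "And follow this link via Tor Browser: http://royal666k6zyxnai.onion/\n")
    for folder in (base / "docs", base / "docs" / "sub"):
        folder.mkdir()
        (folder / "report.docx.7kfsAJ").write_bytes(b"\x00")  # stand-in encrypted file
        for suffix in ("url", "txt", "html"):
            (folder / f"_H0W_TO_REC0VER_7kfsAJ.{suffix}").write_text(note)
    (base / "docs" / "clean.txt").write_text("untouched")
    return parse_note(note), scan_tree(base / "docs", appdata)
```

On a real host, point scan_tree at the user profile and pass the actual %AppData% directory instead of the constructed one.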
As previously stated, Princess Evolution cannot be decrypted for free at this time. If you need more info about this ransomware or wish to discuss it with your peers, you can use our dedicated Princess Evolution Support & Help topic.
The Princess Evolution TOR payment site is used by victims to get information on how to pay the ransom, the ransom amount, the ability to decrypt one file for free, and various instructions. For my test install, the ransom amount was 0.12 bitcoins, or approximately $750 USD.
This TOR payment site is one of the nicer ones we have seen in a long time. The opening page contains an animated image as shown below.
Once you click on the page, you will be presented with a login form where a victim can enter their unique victim ID from their ransom notes. Once a user logs in, they will be presented with a payment site that contains numerous pages including a free decryption page.
Other pages include a help page, instructions on how to purchase bitcoins, and information on what happened to the victim's files.
In order to protect yourself from ransomware, the most important step is to always have a reliable and tested backup of your data that can be restored in the case of an emergency, such as a ransomware attack. Also, as this particular ransomware is being distributed via exploit kits, make sure you update all of your installed programs, including Windows, with the latest security updates.
You should also make sure that you do not have any computers running remote desktop services connected directly to the Internet. Instead place computers running remote desktop behind VPNs so that they are only accessible to those who have VPN accounts on your network.
A good security software solution that incorporates behavioral detections to combat ransomware, rather than relying only on signature detections or heuristics, is important as well. For example, Emsisoft Anti-Malware and Malwarebytes Anti-Malware both contain behavioral detection that can prevent many, if not most, ransomware infections from encrypting a computer.
Last, but not least, make sure you practice the following security habits, which in many cases are the most important steps of all:
For a complete guide on ransomware protection, you can visit our How to Protect and Harden a Computer against Ransomware article.
Files associated with the Princess Evolution Ransomware:
(_H0W_TO_REC0VER_[extension].url
(_H0W_TO_REC0VER_[extension].txt
(_H0W_TO_REC0VER_[extension].html
%AppData%\MeGEZan.VDE
Princess Evolution ransom note text:
Your ID: 6drjPe45b0qw0IwQ
Your extension: 7kfsAJ QAaMhY
Your files are encrypted!
Download and install Tor Browser: http://www.torproject.org/download/download-easy.html
And follow this link via Tor Browser: http://royal666k6zyxnai.onion/
Or use this alternative in any exceptional cases: http://royal666k6zyxnai.tor2web.top/