Severity scale: 99/100

Princess Locker ransomware virus. How to remove? (Uninstall guide)

Removal by Olivia Morelli | Type: Ransomware

Princess Locker developers now play big – RIG exploit kit joins forces

Image showing Princess Locker payment site

Princess Locker virus emerged in autumn of 2016[1]. Even though its name is royal, there’s nothing majestic about this crypto-virus. It’s another file-encrypting virus that somewhat reminds us of Cerber ransomware[2].

Her highness Princess Locker ransomware uses filthy distribution techniques, and once it gets onto the computer, it starts encrypting files using AES encryption. Then it demands a ransom for data recovery. It seemed that it would be hard for malware researchers to create a free decryption tool because the malware generated a unique file extension for every victim.

However, researchers managed to crack ransomware’s code and offered a free data recovery solution. Therefore, if your files have been affected, you should remove Princess Locker from the computer and restore your files!

Once all files are locked, the ransomware creates and saves ransom notes in two different formats: !_HOW_TO_RESTORE_[the unique file extension].TXT and !_HOW_TO_RESTORE_[the unique file extension].HTML. The latest one is called @_USE_TO_FIX_JJnY.txt. Once opened, these files greet the victim with a large headline: Your files are encrypted!

The text that follows contains the victim's ID, the unique file extension that is appended to encrypted files, and an explanation of how to decrypt the corrupted data. The virus provides traditional ransomware instructions – the victim needs to install Tor browser and access a particular .onion website, which is known as “the payment site.”

Now this is where things get suspicious. The payment website seems to be a copy of Cerber’s payment website, just with the “Princess” logo on it. Just like Cerber, it provides 12 different languages to choose from, asks to enter victim’s ID to access the payment site, and then presents the following information:

Your files are encrypted!

It means that your files have been transformed on a structural level and became inaccessible. In order to be able to access them again, you have to transform them back to the original state. This can be done only with the help of special software – «Princess Decryptor» which can be purchased only on this website. Each copy of «Princess Decryptor» works individually for each pair ID + Extension. Therefore, you have to purchase your own one as any other user whose files have also been encrypted. We accept only Bitcoin.

The virus asks for a very large sum of money – 3 Bitcoins. This amount is approximately equal to 1812 USD. The virus does not give the victim time to save up money – the ransom must be paid within the time limit; otherwise, the price of the decryptor will double. Princess Locker wants to prove that its intentions are real, so it allows the victim to test the decryptor by uploading one encrypted file.

The website unlocks the file and returns a working copy of it to the victim. If Princess Locker malware has encrypted your files, please do not waste your money by paying the ransom. This would only fuel the criminals’ efforts and allow them to continue their activities.

Besides, a malware analyst known as hasherezade has created a Princess Locker decryption software that can help you to get your files back for free. For more information about this decryptor, see data recovery instructions (provided at the end of this post). Meanwhile, remove Princess Locker virus with a strong anti-malware tool like Reimage or Malwarebytes Anti Malware. Detailed Princess Locker removal instructions are presented below this article.

As soon as malware researchers released a free decryption tool, rumors about the appearance of Princess Locker 2.0 began. Updating and releasing new versions of powerful viruses is quite a common activity. Princess Locker has been known as a hazardous and widely spread computer infection, so the chances that the new version of the malware will attack soon are quite big.

Besides, this file-encrypting virus belongs to a Ransomware-as-a-Service group, so there’s a huge possibility that other hackers are interested in renting and modifying this malware as well. We can expect new versions of this royal virus attacking computer users, so it’s important to protect your personal files and make data backups.

They will be helpful if Princess Locker 2.0 virus attacks your computer. Keep in mind that the recently discovered decryption tool probably will not be able to recover files encrypted by the newest malware versions. So, it’s better to be safe than sorry. However, if you have encountered the malware, do not hesitate and remove Princess Locker 2.0 from the computer immediately.

2017 August Update: Princess Locker emerges again 

Since malware experts managed to crack Princess Locker's code and find a way to go around the ransom-payment system with a free decryption tool, authors of this virus rushed to fix flaws in the ransomware code that led to a discovery of a free decryption tool.

The appearance of the new variant hasn't changed. It also uses the same name for the ransom note – !_HOW_TO_RESTORE_[victim's ID].txt – and appends the same ID as a new file extension to every encrypted file. The ID is a mixture of 4-6 random letters and digits. However, researchers are already aware of Princess Locker 2.0 virus and are currently making every effort to crack the malicious code again.

If you have been infected with Princess Locker virus but you do not know which version it is, try the decryption tool suggested below. If the tool doesn't generate the decryption key within a few minutes, most likely you have been hit by Princess Locker 2 ransomware. In that case, we suggest you remove Princess Locker virus, back up the encrypted data and stay patient. An updated decrypter can be released anytime soon.

The story of this malware might resemble the case of CryptXXX, in which the felons and IT researchers continuously play a game of cat-and-mouse. Similarly, besides fixing the flaws in the source code, the developers have now decided to play a trump card – the RIG exploit kit.

Specifically, the exploit kit is planted in certain websites. Users who visit them risk having PrincessLocker 2.0 installed. The exploit kit relies on Internet Explorer (CVE-2013-2551, CVE-2014-6332, CVE-2015-2419, CVE-2016-0189) and Flash Player (CVE-2015-8651) vulnerabilities[3].

The attack is also associated with the IP address 188.225.84.28. After the encryption process is done, the malware leaves a _USE_TO_REPAIR_[random number].html file with further instructions. At the moment, the crypto-virus demands 0.0770 bitcoins, which amounts to $368.
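The ransom-note names listed in this article can be used to triage a disk or backup: the script below finds notes by name, reads the appended extension out of the !_HOW_TO_RESTORE_ name, and lists the files carrying it. It is an added example, not code from this site or from the decryptor's author; the function names and sample file names are constructed, and it assumes that the "JJnY" part of @_USE_TO_FIX_JJnY.txt varies per victim.

```python
import re
import tempfile
from pathlib import Path

# Note-name patterns quoted in the article; group 1 is the per-victim token.
# Assumption: "JJnY" in @_USE_TO_FIX_JJnY.txt varies per victim like the ID.
NOTE_PATTERNS = {
    "HOW_TO_RESTORE": re.compile(r"^!_HOW_TO_RESTORE_([A-Za-z0-9]{4,6})\.(?:txt|html)$", re.I),
    "USE_TO_FIX": re.compile(r"^@_USE_TO_FIX_([A-Za-z0-9]{4,6})\.txt$", re.I),
    "USE_TO_REPAIR": re.compile(r"^_USE_TO_REPAIR_(\d+)\.html$", re.I),
}

def classify_note(filename):
    """Return (family, token) if filename matches a known note name, else None."""
    for family, pattern in NOTE_PATTERNS.items():
        match = pattern.match(filename)
        if match:
            return family, match.group(1)
    return None

def triage(root):
    """Walk root; list ransom notes and the files carrying a note-derived extension."""
    notes, others = [], []
    for path in Path(root).rglob("*"):
        if path.is_file():
            hit = classify_note(path.name)
            if hit:
                notes.append((hit[0], hit[1], path))
            else:
                others.append(path)
    # Only !_HOW_TO_RESTORE_ names are described as embedding the appended extension.
    extensions = {tok for family, tok, _ in notes if family == "HOW_TO_RESTORE"}
    wanted = {ext.lower() for ext in extensions}  # Windows names are case-insensitive
    encrypted = [p for p in others if p.suffix[1:].lower() in wanted]
    return {"notes": notes, "extensions": sorted(extensions), "encrypted": encrypted}

def demo():
    """Run triage over a constructed directory (all file names are made up)."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ["report.docx.k3F9a", "photo.jpg.k3F9a", "notes.txt",
                     "!_HOW_TO_RESTORE_k3F9a.TXT", "!_HOW_TO_RESTORE_k3F9a.HTML",
                     "_USE_TO_REPAIR_4821.html"]:
            (Path(tmp) / name).write_bytes(b"constructed sample")
        result = triage(tmp)
        return (result["extensions"], sorted(p.name for p in result["encrypted"]),
                sorted(family for family, _, _ in result["notes"]))

if __name__ == "__main__":
    print(demo())
```

The extension is reported in its original case because the keygen described later asks for the exact added extension.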

Transmission strategies

Just like Cerber or any other ransomware, Princess Locker virus is believed to be distributed via email, malware-laden ads and exploit kits[4]. The virus can drop its payload on the system after the victim opens a malicious email attachment. Be aware that malicious file attachments are designed to look safe – criminals give files names such as “invoice,” “speeding_ticket,” “test_results” or similar[5].

The main way of preventing ransomware attacks is to avoid suspicious emails sent from unknown individuals. Another way of downloading malware is careless clicking on phony ads and browsing through questionable websites. Beware of malicious redirects that can throw you onto harmful web pages that contain exploit kits!

However, we understand that even the most careful users can be deceived by the deceptive techniques that criminals use. The most secure way to defend your computer from malware attacks is to install a reliable anti-malware tool.

Eliminate Princess Locker malware from Windows 

Princess Locker virus is a highly dangerous computer infection, so please do not try to remove it manually. We recommend that you run a powerful malware remover[6] and allow it to find and remove files that belong to this virus. If you need advice on which program to choose, we recommend Reimage, Plumbytes Anti-Malware, Webroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware.

Besides, if you have been infected with Princess Locker 2.0 ransomware or other versions of it, these tools should be able to help you eliminate the malware from the system. Once Princess Locker removal is completed, look at the data recovery options provided below.

Fortunately, malware researchers managed to crack the ransomware's code and created a free decryption tool. If you have been infected with an updated or modified version of the ransomware, you probably won't be able to decrypt your files using this tool. In this case, check the additional data recovery methods below.


Manual Princess Locker virus Removal Guide:

Remove Princess Locker using Safe Mode with Networking


  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove Princess Locker

    Log in to your infected account and start the browser. Download Reimage or another legitimate anti-spyware program. Update it before running a full system scan, then remove the malicious files that belong to the ransomware to complete Princess Locker removal.

If your ransomware is blocking Safe Mode with Networking, try another method.

Remove Princess Locker using System Restore


  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt (Safe Mode with Command Prompt) from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, type cd restore (without quotes) and press Enter.
    2. Now type rstrui.exe (without quotes) and press Enter again.
    3. When the System Restore window shows up, click Next and select a restore point that is prior to the infiltration of Princess Locker. After doing that, click Next.
    4. Now click Yes to start the system restore.
    Once you restore your system to a previous date, download Reimage, scan your computer with it, and make sure that Princess Locker removal has been performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove Princess Locker from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

Do not pay the ransom. The decryptor offered by the criminals is very expensive, and there is no guarantee that it works. Besides, the criminals can send you another malicious program together with the so-called decrypter. Instead, use a decryption program created by an experienced malware analyst. You can find instructions on how to use it and its download link below.

If your files are encrypted by Princess Locker, you can use several methods to restore them:

Decrypt your files with Data Recovery Pro

You can try to restore files encrypted by Princess Locker ransomware with Data Recovery Pro. Instructions on how to use this tool are provided below.

Use Princess Locker Decryptor

This decryptor consists of two programs – a decryptor and a keygen. First, you will need to use the keygen to find out what the decryption key is. You need to have a copy of an original file (find it on your USB, email, CD, or DVD) and the encrypted version of the same file. You will also need to know your unique victim's ID number and the file extension that the virus has appended to your files. You will need to enter the exact name of the encrypted file, then the name of the original file, the added extension, and (optionally) your unique victim's ID into the keygen. If your antivirus has deleted the ransom note and you do not know what your victim's ID is, just provide the file extension – the only problem is that this decryption method requires more time. Download the Princess Locker decryptor here. If you want to know how to use it properly, watch an informative video here.

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from Princess Locker and other ransomware, use a reputable anti-spyware program, such as Reimage, Plumbytes Anti-Malware, Webroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware.

About the author

Olivia Morelli - Ransomware analyst



  • mohawk

    Princess Locker… yeah right. Cyber criminals are crafty, aren't they

    • Kim

      That's sweet. A virus pretends to be a princess and silently encrypts your files. The virus should be called Witch Locker instead.

  • Jolia

    Can't open my files but after reading this I realized that this is exactly what this virus seeks to do… This virus asks too much money, I can't afford to pay the ransom even if I wanted. It's sad that I have to say goodbye to my files but oh well.

    • Arye34

      Don't pay these filthy criminals, nobody should. This is the only way to stop them!