Skip to content
  • Active
  • Severity: High
  • Ransomware
  • Windows
  • Verified · Mar 2018

How to remove Princess Locker ransomware virus

A step-by-step removal guide for affected devices. Follow the verified procedure below — most readers complete it in under 10 minutes.

Olivia Morelli · Ransomware analyst

Princess Locker – a ransomware virus that is still active in 2018

Image showing Princess Locker payment site

Princess Locker is a ransomware-type cyber threat that was first detected in autumn 2016.[1]. Malware researchers thought that the virus is no longer active. However, in 2018 a new variant was spotted spreading. The behavior of the virus seems to be the same. However, it uses a new ransom note called “=_HOW_TO_FIX_RQZLIN.txt” and new Tor address.

When her highness Princess Locker was discovered, it resembled the infamous Cerber ransomware[2]. However, it hasn't become as threatening as this ransomware. However, malware uses filthy distribution techniques and once it steps in the computer, it starts encrypting files using AES encryption. Then it demands the ransom for the data recovery. It seemed that it would be hard for malware researchers to create a free decryption tool because malware generated a unique file extension for every victim.

However, researchers managed to crack ransomware’s code and offered a free data recovery solution. Therefore, if your files have been affected, you should remove Princess Locker from the computer and restore your files!

Once all files are locked, the ransomware creates and saves ransom notes that can be named as:

  • !_HOW_TO_RESTORE_[the unique file extension].TXT
  • !_HOW_TO_RESTORE_[the unique file extension].HTML
  • @_USE_TO_FIX_JJnY.txt
  • =_HOW_TO_FIX_RQZLIN.txt

The information in ransom notes consists of the ID of the victim, the unique file extension that is appended to encrypted files, and explanation on how to decrypt the corrupted data. The virus provides traditional ransomware instructions – the victim needs to install Tor browser and access a particular .onion website, which is known as “the payment site.”

Now this is where things get suspicious. The payment website seems to be a copy of Cerber’s payment website, just with the “Princess” logo on it. Just like Cerber, it provides 12 different languages to choose from, asks to enter victim’s ID to access the payment site, and then presents the following information:

Your files are encrypted!

It means that your files have been transformed on a structural level and became inaccessible. In order to be able to access them again, you have to transform them back to the original state. This can be done only with the help of special software – «Princess Decryptor» which can be purchased only on this website. Each copy of «Princess Decryptor» works individually for each pair ID + Extension. Therefore, you have to purchase your own one as any other user whose files have also been encrypted. We accept only Bitcoin.

The virus asks for a very large sum of money – 3 Bitcoins. Such amount of money approximately is equal to 1812 USD. The virus does not allow the victim to save up money – the ransom should be paid within the time limit; otherwise, the price of the decryptor will double. Princess Locker wants to prove that its intentions are real, so it allows the victim to test the decryptor by uploading one encrypted file.

The website unlocks the file and provides a healthy file version for the victim. If Princess Locker malware has encrypted your files, please, do not waste your money by paying the ransom. This would only fuel up criminals’ efforts and allow them to continue their activities.

Besides, a malware analyst known as hasherezade has created a Princess Locker decryption software that can help you to get your files back for free. For more information about this decryptor, see data recovery instructions (provided at the end of this post). Meanwhile, remove Princess Locker virus with a strong anti-malware tool like FortectIntego or MalwarebytesMalwarebytes. Detailed Princess Locker removal instructions are presented below this article.

 As soon as malware researchers released a free decryption tool, the rumors about Princess Locker 2.0 version appearance began. Updating and releasing new versions of the powerful viruses is quite common activity. Princess Locker has been known as a hazardous and widely spread computer infection, so the chances that the new version of the malware will attack soon are quite big.

Besides, this file-encrypting virus belongs to a Ransomware-as-a-Service group, so there’s a huge possibility that other hackers are interested in renting and modifying this malware as well. We can expect new versions of this royal virus attacking computer users, so it’s impossible to protect your personal files and make data backups.

They will be helpful if Princess Locker 2.0 virus attacks your computer. Keep in mind that recently discovered decryption tool probably will not be able to recover files encrypted by the newest malware versions. So, it’s better to stay safe than sorry. However, if you encountered malware, do not hesitate and remove Princess Locker 2.0 from the computer immediately.

The new wave of Princess Locker attack was noticed in August 2017 

Since malware experts managed to crack Princess Locker's code and find a way to go around the ransom-payment system with a free decryption tool, authors of this virus rushed to fix flaws in the ransomware code that led to a discovery of a free decryption tool.

The appearance of the new variant hasn't been changed. It also uses the same name for the ransom note – !_HOW_TO_RESTORE_[victim's ID].txt and appends the same ID as a new file extension to every encrypted file. The ID is a mixture of 4-6 characters of random letters and digits. However, researchers are aware of Princess Locker 2.0 virus already and currently making every effort to crack the malicious code again.

If you have been infected with Princess Locker virus but you do not know which version is it, try the decryption tool suggested below. If the tool doesn't generate the decryption tool within a few minutes, most likely you have been hit by Princess Locker 2 ransomware. In such case, we suggest you remove Princess Locker virus, back up encrypted data and stay patient. An updated decrypter can be released anytime soon.Princess Locker virus leaves ransom note

The story of this malware might resemble the case of CryptXXX when the felons and IT researchers continuously play the game of cat-and-mouse. Similarly, besides fixing the flaws in the source code, now developers decided to draw a trump card – RIG exploit kit.  

Specifically, the hacking tool is laced in certain websites. If users visit them, they risk accelerating  PrincessLocker 2.0 installation. Specifically, this exploit is based on Internet Explorer (CVE-2013-2551, CVE-2014-6332, CVE-2015-2419, CVE-2016-0189) and Flash Player (CVE-2015-8651) vulnerabilities[3].

The attack is also associated with 188.225.84.28 IP address. After the encryption process is done, the malware leaves _USE_TO_REPAIR_[random number].html file with further instructions. At the moment, the crypto-virus demands 0.0770 bitcoins which amounts to $368.

Malicious spam emails continue spreading ransomware virus

Just like Cerber or any other ransomware, Princess Locker virus is believed to be distributed via email, malware-laden ads and exploit kits[4]. The virus can drop its payload on the system after opening a malicious email attachment. Be aware that malicious file attachments are designed to look safe – criminals rename files as “invoice,” “speeding_ticket,” “test_results” or similarly[5].

The main way of preventing ransomware attacks is to avoid suspicious emails sent from unknown individuals. Another way of downloading malware is careless clicking on phony ads and browsing through questionable websites. Beware of malicious redirects that can throw you onto harmful web pages that contain exploit kits!

However, we understand that even the most careful users can be deceived by delusive techniques that criminals use. The most secure way to defend your computer from malware attacks is to install a reliable anti-malware tool.

Delete Princess Locker ransomware virus and decrypt your files without paying the ransom

Princess Locker virus is a highly dangerous computer infection, so please do not try to remove it manually. We recommend you to run a powerful malware remover[6] and allow it to find and remove files that belong to this virus. If you need advice which program to choose, we recommend FortectIntego, SpyHunterCombo Cleaner or MalwarebytesMalwarebytes.

Besides, if you have been infected with Princess Locker 2.0 ransomware or other its versions, these tools should be able to help you to eliminate malware from the system. Once Princess Locker removal is completed, look at data recovery options provided below.

Fortunately, malware researchers managed to crack ransomware's code and created a free decryption tool. If you have been infected with updated or modified ransomware's version, probably you wouldn't be able to decrypt your files using this tool. In this case, check additional data recovery methods below.

4 comments

Spyware news
Privacy preferences

We use cookies to improve your experience and analyze traffic. Some cookies enable embedded content like videos and social posts. Choose what you allow — you can change this anytime.