Pr1ncess Locker Ransomware
Pr1ncess Locker, also referred to as Princess, is a ransomware tool sold as-a-service (MaaS) to affiliates through a number of dark net forums.
As with most other MaaS tools, Pr1ncess Locker can be distributed in which ever way an affiliate sees fit, but has been observed being delivered primarily via exploit kit or spam campaigns.
Once on a device, Pr1ncess Locker will attempt to delete Shadow Volume Copies and other backup files before encrypting all local non-system files that match a list of targeted extensions. Most variant use AES-128 encryption although newer versions may use AES-256.
For further information
How To Remove Pr1ncess Locker Ransomware
Back in 2016 the polish security researcher Hasherezade has found a way to help victims of the Princess Locker ransomware by cracking the ransomware’s encryption system and releasing a free decryptor. Please note that this only works with the first version of Princess Locker, The current version of this ransomware is improved and no longer decryptable – Full details here
Domain Names To Block
Note that some of these domain names appear to be genuine sites, so please observe caution when blocking.
| 163[.]com |
| adf[.]ly |
| adpenguin[.]biz |
| anointernet[.]com |
| anti-spyware-101[.]com |
| aol[.]com |
| asecuritystuff[.]com |
| bit[.]ws |
| coolsearchsystem[.]com |
| cryptexplorer[.]us |
| decryptservice[.]info |
| dr[.]com |
| enigmasoftware[.]com |
| esolutions[.]lt |
| fastsupport[.]com |
| fbdownloader[.]com |
| fluxsearch[.]com |
| freelinuxmail[.]org |
| freespeechmail[.]org |
| imail[.]com |
| india[.]com |
| infernedenrdjmj3[.]onion |
| keemail[.]me |
| loadoages[.]com |
| mail[.]com |
| mail[.]ru |
| protonmail[.]com |
| royal25fphqilqft[.]onion |
| royall6qpvndxlsj[.]onion |
| search-results[.]com |
| searcheh[.]com |
| searchlock3[.]com |
| searchonme[.]com |
| sigaint[.]org |
| softnate[.]com |
| storify[.]com |
| torproject[.]org |
| virusai[.]lt |
| yandex[.]ru |
IP Addresses
| 131[.]253[.]61[.]70 |
| 185[.]198[.]164[.]152 |
| 188[.]225[.]84[.]28 |
| 22[.]5[.]0[.]22 |
| 52[.]5[.]98[.]73 |
| 86[.]102[.]59[.]146 |
Email Addresses
| [.]uk-dealer@sigaint[.]org |
| 4chr4f@exploit[.]im |
| age_empires@india[.]com |
| batman_good@aol[.]com |
| bitcoinrush@imail[.]com |
| calipso[.]god@aol[.]com |
| cocoslim98@gmail[.]com |
| cyber_baba2@aol[.]com |
| decryptallfiles3@india[.]com |
| decryptallfiles@india[.]com |
| diablo_diablo2@aol[.]com |
| digitalkey@163[.]com |
| doctor@freelinuxmail[.]org |
| fantomd12@yandex[.]ru |
| file-help@india[.]com |
| gerkaman@aol[.]com |
| help@decryptservice[.]info |
| helpme@freespeechmail[.]org |
| ihurricane@sigaint[.]org |
| lavandos@dr[.]com |
| love[.]server@mail[.]ru |
| makdonalds@india[.]com |
| matrix9643@yahoo[.]com |
| opencode@india[.]com |
| raa-consult1@keemail[.]me |
| rescuers@india[.]com |
| safeanonym14@sigaint[.]org |
| santa_helper@protonmail[.]com |
| savepanda@india[.]com |
| sos@anointernet[.]com |
| space_rangers@aol[.]com |
| suppteam01@india[.]com |
| thedon78@mail[.]com |
| xbotcode@gmail[.]com |
Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.