A security researcher from Poland – Hasherezade – has released a Princess Locker ransomware decryptor, which has been made available for victims of the ransomware to use free of charge.
Princess Locker ransomware is currently being offered to cybercriminals on darknet marketplaces under a ransomware-as-a-service model. While not one of the most prevalent forms of ransomware, it still posed a significant threat until the release of Hasherezade’s Princess Locker ransomware decryptor.
Princess Locker ransomware has been around for some time, but it has not been used as part of major campaigns, and few security firms have been able to analyze the malicious software due to the difficulty in obtaining a sample.
According to Hasherezade, the ransomware uses a similar template for its onion page as Cerber ransomware, although the mode of operation is different. Princess Locker is also a much simpler form of ransomware, which suggests the authors are less experienced than the developers of Cerber and may not have developed the ransomware from scratch.
Hasherezade discovered a way to crack the encryption system used by the ransomware. In order for the decryptor to determine the key used by the ransomware, it is necessary to supply one file in both its encrypted and unencrypted forms to the keygen. Alternatively, it is possible to use the decryptor if both copies are not supplied, although doing so requires an encrypted file in one of the following formats to be supplied: doc, docx, xls, xlsx, ppt, pdf, gif, or png.
Instructions for decrypting a computer that has been locked with Princess Locker, along with the files for doing so, can be downloaded from this link.
Hasherezade now believes a new form of the ransomware has been released. Unfortunately, the Princess Locker decryptor will only work for the older versions of the ransomware.