{
	"id": "1713c474-5ab9-4f60-9f8e-e0ecc4231f2f",
	"created_at": "2026-04-06T01:29:25.191419Z",
	"updated_at": "2026-04-10T03:21:43.79137Z",
	"deleted_at": null,
	"sha1_hash": "1f9b2740c1119fc1beec22eb65c6ff6c5abae7b2",
	"title": "PrincessLocker – ransomware with not so royal encryption",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 603740,
	"plain_text": "PrincessLocker – ransomware with not so royal encryption\r\nBy Malwarebytes Labs\r\nPublished: 2016-11-20 · Archived: 2026-04-06 00:31:03 UTC\r\nPrincessLocker ransomware appeared some time ago and drew our attention by using the same template for the victim site as Cerber did. It is not a widespread ransomware, so it took some time before we got our hands on a sample. In this article, we dig deeper and try to answer questions about its internal similarities with Cerber (and other known ransomware).\r\nThe described version of the PrincessLocker ransomware was found to be decryptable. You can read details about file recovery here.\r\nAnalyzed sample\r\n14c32fd132942a0f3cc579adbd8a51ed – original executable, distributed in a campaign\r\n4142a59be1f59dbd8e1be832df893d08 – unpacked: core DLL\r\nBehavioral analysis\r\nOnce executed, Princess Ransomware runs silently. It does not delete the original copy, but just encrypts all the data in the background. After finishing the encryption, it opens the default browser and displays the ransom note. It drops notes in three file formats: HTML, URL shortcut, and TXT.\r\nNotes have a name following the pattern: !_HOW_TO_RESTORE_.\r\nhttps://blog.malwarebytes.com/threat-analysis/2016/11/princess-ransomware/\r\nPage 1 of 10\n\nThe ransom notes guide the victim to the Tor-based page, which is intended to give more instructions about the payment and data recovery:\r\nNames of the encrypted files are not changed – only new extensions are added at the end, which are randomly generated on each run.\r\nEvery file is encrypted with the same key, which means the same plaintext produces the same ciphertext. The file’s content has high entropy and no patterns are visible, which suggests a strong encryption algorithm, probably AES with chained blocks. 
See an example below:\r\nsquare.bmp : left – original, right – encrypted with Princess\r\nNetwork communication\r\nDuring the encryption process, the application communicates with its C\u0026C, which is hosted on a Tor-based site:\r\nConnections list:\r\nFirst, the malware queries the legitimate address myexternalip.com/raw in order to fetch the victim’s external IP. After that, requests are sent to the Onion-based C\u0026C. It sends sets of encrypted, Base64-encoded data.\r\nExample 1:\r\nIn the request to n.php, the ransomware posts a set of encrypted and Base64-encoded data:\r\nQQ8EZkZ_dnFldWFKCVxyWFppe2QCcFFyd15XSxRSDHxcHHNdRVtFWEBGQhRHDAMHBgsHCQABAAoVQw8GWgJXRQUDBgULF1sOBQQdA\r\nDecoded to:\r\nExample 2:\r\nIn the request to f.php, the ransomware periodically posts smaller chunks of Base64-encoded data:\r\nAfter decoding the data, we can see that it contains two values: one is the victim ID and the second is the number of files encrypted at that time.\r\nContent from the above example:\r\ndj11MGtibTF1ZTdzcmwmZj0xMTQw\r\nDecoded to:\r\nv=u0kbm1ue7srl\u0026f=1140\r\nInside\r\nLike most malware, Princess comes wrapped in an encrypted layer, a tactic that protects the malicious core from detection. The dropper loads the core module into its own memory (self-injection):\r\nThe core module is a DLL with two exported functions:\r\nThe export table reminds us of another ransomware: the Maktub locker:\r\nThis suggests that the threat actors behind both of them are somehow connected or used the same template to build their product.\r\nThe unpacked DLL is not independent. 
It needs to be loaded via a dropper, because it calls a function from the dropper module during execution:\r\nIn this way, the authors of this ransomware wanted to make analysis harder.\r\nAttacked targets\r\nThis ransomware attacks the following drive types: 2 – removable, 3 – fixed, 4 – remote:\r\nEncryption\r\nThe key is generated only once, before the encrypting loop is deployed. First, a random Unicode string is generated. Then, it is hashed using the SHA256 algorithm:\r\nBelow is a sample set of random data that was generated during one of the test sessions:\r\nkey: SHA256(L\"3igcZhRdWq96m3GUmTAiv9\") ID: wjn6kdbblpiu extension: zzqeb\r\nThe result of the hashing function is used to derive an AES-128 key:\r\nThe derived key is used to encrypt the content of each file in 128-byte chunks:\r\nChunks are encrypted using the function CryptEncrypt from the Microsoft Crypto API, which is loaded dynamically during execution:\r\nConclusion\r\nComparative analysis of the code with Cerber has shown that although both families share the same template for the Onion page, they do not have any significant internal similarities. PrincessLocker is much simpler, and the mistake committed in the implementation allowed us to write a decryptor. 
This suggests that the authors of this malware are not as experienced.\r\nIt is possible that this ransomware was built using fragments of other ransomware that the authors got access to, rather than being the work of the same authors as Cerber or Maktub.\r\nIn order not to give any hints to the threat actors behind PrincessLocker, we decided not to disclose some parts of the analysis which could suggest how to fix the discovered bug.\r\nAppendix\r\nhttp://www.bleepingcomputer.com/news/security/introducing-her-royal-highness-the-princess-locker-ransomware/ – Bleeping Computer about Princess Ransomware\r\nThis was a guest post written by Hasherezade, an independent researcher and programmer with a strong interest in InfoSec. She loves going into details about malware and sharing threat information with the community. Check her out on Twitter @hasherezade and her personal blog: https://hshrzd.wordpress.com.\r\nSource: https://blog.malwarebytes.com/threat-analysis/2016/11/princess-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-analysis/2016/11/princess-ransomware/"
	],
	"report_names": [
		"princess-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775438965,
	"ts_updated_at": 1775791303,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1f9b2740c1119fc1beec22eb65c6ff6c5abae7b2.pdf",
		"text": "https://archive.orkl.eu/1f9b2740c1119fc1beec22eb65c6ff6c5abae7b2.txt",
		"img": "https://archive.orkl.eu/1f9b2740c1119fc1beec22eb65c6ff6c5abae7b2.jpg"
	}
}