# Introducing Her Royal Highness, the Princess Locker Ransomware **[bleepingcomputer.com/news/security/introducing-her-royal-highness-the-princess-locker-ransomware](https://www.bleepingcomputer.com/news/security/introducing-her-royal-highness-the-princess-locker-ransomware/)** By [Lawrence Abrams](https://www.bleepingcomputer.com/author/lawrence-abrams/) September 28, 2016 06:42 PM 5 Today we bring you Princess Locker; the ransomware only royalty could love. First [discovered by SenseCy on darkweb forums and later by Michael Gillespie through his ID-](https://twitter.com/SenseCyBlog/status/778866702410915840) Ransomware platform, Princess Locker encrypts a victim's data and then demands a hefty ransom amount of 3 bitcoins, or approximately $1,800 USD, to purchase a decryptor. If payment is not made in the specified timeframe, then the ransom payment doubles to 6 bitcoins Not much is known about Princess Locker other than having seen a few encrypted files and [ransom notes uploaded to ID-Ransomware. From what has been gather gathered, when a](https://id-ransomware.malwarehunterteam.com/) person is infected, the ransomware will encrypt the victim's files and then append a random extension to encrypted files and a unique ID is created for the victim. This ID, extension, and encryption is then most likely sent up to the ransomware's Command & Control server. ----- Ransom notes are also created and displayed, which are named **!_HOW_TO_RESTORE_[extension].TXT** and !_HOW_TO_RESTORE_[extension].html. These ransom notes contain the victim's ID and links to the TOR payment sites where a victim can login to see payment information. ## The Princess Locker Payment Site The Princess Locker payment site is your standard ransomware site with no special features. When victim's access the Princess Locker payment site they will be greeted with a [page asking them to select a language that looks almost identical to Cerber's language](https://www.bleepingcomputer.com/news/security/the-cerber-ransomware-not-only-encrypts-your-data-but-also-speaks-to-you/) selection page. ----- **Language Selection Screen** They will then be presented with a login prompt where they need to enter the victim ID provided in the ransom note. Once logged in they will see the main payment site, which contains information such as the ransom amount, the bitcoin address to send payment to, and the answers to common questions. The payment site also provides the ability to decrypt 1 file free. Unfortunately, since we do not have a sample of the ransomware, and I didn't want to waste a victim's free decryption, I do not know if this feature works or not. ----- **Princess Locker Payment Site** **Free File Decryption** ----- The one item that is missing from the payment site is a support page that victim s can use to contact the malware developers. If this ransomware goes into wider distribution, I would not be surprised to see one added. We are still actively looking for a sample of this ransomware, so if one is encountered, please [upload it here.](https://www.bleepingcomputer.com/submit-malware.php?channel=168) ### Related Articles: [Indian airline SpiceJet's flights impacted by ransomware attack](https://www.bleepingcomputer.com/news/security/indian-airline-spicejets-flights-impacted-by-ransomware-attack/) [US Senate: Govt’s ransomware fight hindered by limited reporting](https://www.bleepingcomputer.com/news/security/us-senate-govt-s-ransomware-fight-hindered-by-limited-reporting/) [New RansomHouse group sets up extortion market, adds first victims](https://www.bleepingcomputer.com/news/security/new-ransomhouse-group-sets-up-extortion-market-adds-first-victims/) [Ransomware attack exposes data of 500,000 Chicago students](https://www.bleepingcomputer.com/news/security/ransomware-attack-exposes-data-of-500-000-chicago-students/) [The Week in Ransomware - May 20th 2022 - Another one bites the dust](https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-may-20th-2022-another-one-bites-the-dust/) [Princess Locker](https://www.bleepingcomputer.com/tag/princess-locker/) [Ransomware](https://www.bleepingcomputer.com/tag/ransomware/) [Lawrence Abrams](https://www.bleepingcomputer.com/author/lawrence-abrams/) Lawrence Abrams is the owner and Editor in Chief of BleepingComputer.com. Lawrence's area of expertise includes Windows, malware removal, and computer forensics. Lawrence Abrams is a co-author of the Winternals Defragmentation, Recovery, and Administration Field Guide and the technical editor for Rootkits for Dummies. [Previous Article](https://www.bleepingcomputer.com/news/microsoft/windows-10-insider-preview-build-14936-for-pc-and-mobile-released/) [Next Article](https://www.bleepingcomputer.com/news/security/kaspersky-decrypts-ransomware-from-teamxrat/) ### Comments [Viper_Security - 5 years ago](https://www.bleepingcomputer.com/forums/u/1006400/viper-security/) Comment Deleted Reason, people will take it the wrong way, especially since this malware is irrelevant to casuals. ----- [GT500 - 5 years ago](https://www.bleepingcomputer.com/forums/u/377072/gt500/) It's funny that they use the term "fiat currency" in the payment instructions. Somehow I imagine that most people don't know what that means. [Lawrence Abrams - 5 years ago](https://www.bleepingcomputer.com/author/lawrence-abrams/) Interesting..didn't notice. Not sure if I have seen that used before in relation to ransomware. [Amigo-A - 5 years ago](https://www.bleepingcomputer.com/forums/u/998576/amigo-a/) Many girl-women regard themselves as princesses. Pop-gun for them. :) ----- [nileshbhakre - 5 years ago](https://www.bleepingcomputer.com/forums/u/1020506/nileshbhakre/) plz give me the sample of this ransomware. [Post a Comment Community Rules](https://www.bleepingcomputer.com/posting-guidelines/) You need to login in order to post a comment [Not a member yet? Register Now](https://www.bleepingcomputer.com/forums/index.php?app=core&module=global§ion=register) ### You may also like: -----