Princess ransomware makes a visit to the wrong website a royal mistake

PrincessLocker ransomware is harnessing the power of the RIG Exploit Kit in order to spread itself via drive-by downloads on compromised websites.




PrincessLocker provides victims with a “special offer” if they pay up within a week. Image: Malwarebytes





A newly uncovered cybercriminal campaign is using a well-known exploit kit to distribute ransomware using drive-by downloads on hacked websites.

While not used as prolifically as it once was, the RIG exploit kit leverages vulnerabilities in Internet Explorer and Flash Player to launch JavaScript-, Flash- and VBScript-based attacks that distribute malware to users who just happen to have visited a compromised website.

Such attacks were once subtler, used to distribute malvertising to drive click-based revenue or, in some instances, stealthy malware.

But now researchers at Malwarebytes have uncovered a campaign which is harnessing RIG on hacked websites in order to distribute the Princess/PrincessLocker ransomware.

This particular form of ransomware isn’t particularly widespread, but it’s notable for initially using the same template as Cerber, one of the most successful ransomware families.

However, researchers have noted that the similarities between the two forms of ransomware only appear on the surface, with the actual code behind PrincessLocker “much different” to that of Cerber.

Upon visiting the compromised website, the user will be directed to a hacked page which is used to take advantage of exploits in order to deploy PrincessLocker onto the system.

The attack vector is different to a ransomware distributor’s usual tactic of pushing it in phishing emails, but once the malware is delivered, the result is the same – the victim’s files are encrypted and the cyber criminals demand a ransom in order for them to be returned.

PrincessLocker initially asks for a 0.0770 Bitcoin ransom [$370/£285] – a relatively low figure compared to other forms of ransomware – in return for “special software” to decrypt the files.

The attackers claim that this is a “special price” which is only available for seven days – if a victim waits longer than that to pay the ransom, it rises to 0.1540 Bitcoins [$738/£570].

Researchers have previously determined PrincessLocker to be relatively unsophisticated when compared to other forms of ransomware. Because of this, a decryption tool was available to crack earlier forms of PrincessLocker. However, the attackers took note of their initial errors and this tool no longer works for the more recent strains.

The best way to avoid negative consequences of PrincessLocker is simply to avoid infection in the first place – and with patches for the critical vulnerabilities exploited by the kit having been available for over two years, there’s really no excuse for not having applied them.
