Anti-Malware , Ransomware , Technology

Princess Ransomware: Not So Pretty in Pink

PrincessLocker Crypto-Locks PCs, Demands $350 Bitcoin Payoff
Princess Ransomware: Not So Pretty in Pink
Ransom note dropped by PrincessLocker onto crypto-locked PCs. (Source: Malwarebytes)

"Princess" ransomware is back, although it's less demanding than it used to be.

See Also: Effective Cyber Threat Hunting Requires an Actor and Incident Centric Approach

The version of PrincessLocker now making the rounds continues to try and crypto-lock PCs, after which it demands a ransom of 0.0770 bitcoin - currently worth about $350 - in exchange for a promised decryption key, according to security firm Malwarebytes. As is typical for many types of ransomware, if a victim doesn't pay within a specified timeframe, the ransom demand doubles.

The good news is that the ransom amount represents a sharp decrease from the 3 bitcoins - currently worth more than $13,000 - that PrincessLocker was demanding last year.

Unusually, however, the ransomware is being distributed via a highly automated exploit kit called RIG. Exploit kits function by placing attack software on websites. Attackers then try to lure victims to the sites, where their browsers get pummeled via drive-by attacks designed to exploit known vulnerabilities in browsers and browser plug-ins. If the attacks succeed, then malware - such as PrincessLocker - gets installed, and the criminal enterprise potentially starts reaping profits.

PrincessLocker's latest ransom demand. (Source: Malwarebytes)

"We are not so accustomed to witnessing compromised websites pushing exploit kits these days," says Jérôme Segura, a malware analyst at security firm Malwarebytes, in a blog post. "Indeed, some campaigns have been replaced with tech support scams instead and overall most drive-by activity comes from legitimate publishers and malvertising" (see Threats: Social Engineering and Malicious Spam Dominate).

PrincessLocker: Not Unique

PrincessLocker is one of many different types of ransomware that are currently available.

The ID Ransomware project maintained by Michael Gillespie, for example, currently counts 473 unique types of ransomware, although some of those are new versions.

PrincessLocker is one of more than 470 types of ransomware indexed by the ID Ransomware project

Still, it's not clear how widespread PrincessLocker infections might be. Gillespie, for example, reports seeing relatively few infection reports.

Developers Patched Buggy Ransomware

PrincessLocker was first spotted in September 2016 for sale on closed cybercrime darknet forums by SenseCy, the cyber threat intelligence division of analytics firm Verint.

Just two months later, the independent security researcher known as Hasherezade reported that she'd been able to build a decryptor for PrincessLocker, due to the developers having made an implementation error. She added that the ransomware appeared to have been cobbled together from "fragments of other ransomware that authors got access to," potentially including pieces of Cerber and Maktub.

"In order to not give any hints to the threat actors behind the PrincessLocker, we decided to not disclose some parts of the analysis, which could suggest how to fix the discovered bug," Hasherezade wrote at the time.

Unfortunately, just weeks after she released a decryptor, she reported in late November 2016 that "a new variant appeared, that fixed the bug which allowed me crack this ransomware," and that she'd been unable to crack this second version.

Exploit Kits Continue

The new RIG-launched PrinclessLocker attacks are a reminder that exploit kits might be an endangered species, but they have not all died out (see Neutrino Exploit Kit: No Signs of Life).

"The exploit kit landscape is not what it was a year ago, but we may be remiss to disregard drive-by download attacks completely," Segura says. "Malvertising is still thriving and we are noticing increased activity and changes with existing threat actors and newcomers."

For the uninitiated, exploit kits are designed to "automate the exploitation of client-side vulnerabilities, often targeting browsers and applications that a website can invoke through the browser," according to Malwarebytes.

Exploit kits were once a dominant online attack vector - the cybersecurity equivalent of shooting fish in a barrel, at scale. The fish, of course, were individuals, or rather their PCs, running outdated versions of popular software with known flaws.

Attackers could easily and automatically target these flaws, en masse, by sneaking vulnerability-exploiting attack software onto legitimate websites, where it would lie in wait to launch drive-by attacks. As part of an attack campaign, criminals would then attempt to lure potential victims into visiting the site, for example via spam emails promising free videos or discounted pharmaceuticals.

Historically, easily exploitable flaws abounded in browsers and third-party browser plug-ins such as Adobe Flash Player, Adobe Reader, Apple QuickTime and the Java Runtime Environment.

Exploiting flaws in that software would potentially give attackers full control of the machine, including the ability to install additional malware, such as banking Trojans designed to steal people's online bank account access credentials.

The decline in exploit kit has happened in part thanks to browser makers better locking down their code, and the likes of Google Chrome and others now embracing automatic updates that get essential fixes onto PCs in record time. Browser plug-in makers have also instituted auto-updates for their wares, which helps expunge code with exploitable flaws. In some cases, stronger measures have also helped, such as Apple blocking the Java web browser plugin in 2013 over its rampant vulnerabilities.

Exploitable Flaws Linger

The persistence of exploit kit attacks highlights the fact that while there may be fewer known flaws in browsers and browser plug-ins at large, they have yet to be eradicated. The RIG campaign distributing PrincessLocker, for example, attempts to exploit flaws for which patches have been available, in some cases since 2013.

"The ultimate call to the RIG exploit kit landing page is done via a standard 302 redirect" - code on an HTML page that redirects a browser to another HTML page - "leading to one of several Internet Explorer (CVE-2013-2551, CVE-2014-6332, CVE-2015-2419, CVE-2016-0189) or Flash Player (CVE-2015-8651) vulnerabilities," Segura says.

If any one of the flaws gets exploited, "RIG downloads and runs the Princess ransomware," he adds, leading to many files getting encrypted and a ransom note dropped on the victim's desktop.

Law enforcement agencies continue to urge all PC users to never pay ransoms, whenever possible, since doing so directly funds cybercrime.

Instead, security experts recommend employing up-to-date anti-malware software with all of the latest signature updates, and maintaining current backups of all essential systems. Be sure to store those backups offline, since some types of crypto-locking ransomware can encrypt files not just on hard drives, but also network shares or cloud services.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network