Videos

Check out our video library showing AppCheck defending against the newest ransomware, with automatic recovery and real-time backup.

  • Distribution Method : Automatic infection via an exploit when visiting a website
 
  • MD5 : b75d9ccdfe580ffcd53f987452be4dac
 
  • Major Detection Name : a variant of Win32/Filecoder.NPS (ESET), Ransom_PRINCESSLOCKER.THHAEAH (Trend Micro)
 
  • Encrypted File Pattern : .<4~6 Digit Random Extension>
 
  • Payment Instruction File : (_H0W_TO_REC0VER_<Encryption Extension>.html / (_H0W_TO_REC0VER_<Encryption Extension>.txt / (_H0W_TO_REC0VER_<Encryption Extension>.url
 
  • Major Characteristics :
     - Offline Encryption
     - Command-and-Control (C&C) communication over User Datagram Protocol (UDP) to the network range 167.114.195.1:6901 ~ 167.114.195.254:6901 / 167.114.196.1:6901 ~ 167.114.196.254:6901 / 167.114.197.1:6901 ~ 167.114.197.254:6901
     - Changes desktop background (C:\Users\%UserName%\Pictures\img.png)
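
A detection sketch built from the indicators in this summary, added here as an example and not taken from AppCheck or the original page: it groups hosts sending UDP to the listed C&C range on port 6901 and recognizes the payment instruction file names. The flow-log line format, the sample flows and the reading of "4~6 Digit" as 4 to 6 alphanumeric characters are assumptions.

```python
import ipaddress
import re

# Indicators from the summary above.
C2_PORT = 6901
C2_THIRD_OCTETS = (195, 196, 197)  # 167.114.195.x, 167.114.196.x, 167.114.197.x
# Assumption: the random extension is 4 to 6 alphanumeric characters.
NOTE_RE = re.compile(r"^\(_H0W_TO_REC0VER_([A-Za-z0-9]{4,6})\.(html|txt|url)$")


def is_c2_endpoint(proto, dst_ip, dst_port):
    """True for UDP traffic to 167.114.{195,196,197}.1-254 on port 6901."""
    if proto.lower() != "udp" or int(dst_port) != C2_PORT:
        return False
    try:
        o = ipaddress.IPv4Address(dst_ip).packed
    except ipaddress.AddressValueError:
        return False
    return (o[0], o[1]) == (167, 114) and o[2] in C2_THIRD_OCTETS and 1 <= o[3] <= 254


def scan_flows(lines):
    """Map each source host to the set of C&C-range addresses it contacted.

    Assumed line format: '<time> <proto> <src_ip>:<port> <dst_ip>:<port>'.
    """
    hits = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records
        _, proto, src, dst = parts
        dst_ip, _, dst_port = dst.rpartition(":")
        if dst_port.isdigit() and is_c2_endpoint(proto, dst_ip, dst_port):
            hits.setdefault(src.rpartition(":")[0], set()).add(dst_ip)
    return hits


def note_extension(filename):
    """Return the encryption extension embedded in a payment instruction file name."""
    m = NOTE_RE.match(filename)
    return m.group(1) if m else None


# Constructed sample flow records (not captured traffic).
SAMPLE_FLOWS = [
    "12:00:01 udp 10.0.0.5:50112 167.114.195.1:6901",
    "12:00:01 udp 10.0.0.5:50112 167.114.196.254:6901",
    "12:00:02 tcp 10.0.0.7:50200 167.114.195.9:6901",
    "12:00:02 udp 10.0.0.7:50201 167.114.198.9:6901",
    "12:00:03 udp 10.0.0.8:50300 167.114.197.255:6901",
]
```

A single host reaching many addresses in this range within a short window is the pattern to alert on, since the range spans 762 addresses on one port.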
