- The ransomware is believed to be a new version of the 2016 Princess Locker ransomware.
- The Princess Evolution ransomware drops a ransom note that demands 0.12 bitcoins.
Earlier this month, the Rig exploit kit was observed in a malvertising campaign distributing a cryptocurrency malware and the GandCrab ransomware. On August 1, the Rig exploit kit began delivering a new ransomware that security experts later identified as the Princess Evolution ransomware.
According to security researchers at Trend Micro, who discovered the new ransomware, Princess Evolution is a new variant of the Princess Locker ransomware that emerged in 2016. The new variant is currently available on the dark web and is currently being marketed as a ransomware-as-a-service (RaaS).
Princess Evolution has the same ransom note as the Princess Locker. The ransomware demands 0.12 biticons ($723) as ransom.
New 'business' affiliates
The ransomware authors are currently looking for affiliates, researchers said.
“We found that Princess Locker’s developers made a post in underground forums on July 31 advertising an affiliate program for their newly created Princess Evolution,” Trend Micro researchers wrote in a blog.
“Under its business model, the affiliates get 60 percent of the ransom payment, and the rest are the malware authors’ commissions. And based on their advertisement, it seems the operators took the time to develop Princess Evolution.”
Princess Evolution uses both XOR and AES encryption and steals information such as system username, LCID, OS version, victim ID and more. This information is then sent to the C2 server, which is similar to the C2 of the Cerber ransomware. Coincidentally, the payment site of both the Cerber and the Princess Locker ransomware were similar.
“Exploit kits are a reminder to users and businesses on the significance of patching. Ransomware may have plateaued (and even declined in some regions), but it is still a significant threat given its destructive nature,” Trend Micro researchers said.