Princess Locker decryptor

[UPDATE: 28th Nov 2016] – Unfortunately, I recently received information that there is a new variant around that is not decryptable at the moment. If generating the key takes more than a few minutes, it probably means that you have been infected by the new version of Princess. Please upload your malware sample to VirusTotal and send me the link if you want me to take a look at your case. Research is in progress, stay tuned.


Recently I made a decryptor for Princess Locker ransomware (tested on sample: 14c32fd132942a0f3cc579adbd8a51ed):

[image: princess_banner.png]

Ransom note example:

[image: princess_ransom_note]

In this post you will find all the information and updates about the progress.

So far I have prepared a set of two EXPERIMENTAL tools: a keygen and a decryptor.

You can download the full package from here.

See it in action on YouTube: https://www.youtube.com/watch?v=Ted84CoOPvg

Use the keygen first in order to find your key. If this operation succeeds, you can use the decryptor to decrypt the rest of your files.

The tools are protected with PE-Lock (special thanks to Bartosz Wójcik).


HOW TO USE

In order to use the keygen you must find one file that you have in both forms: unencrypted and encrypted (a known-plaintext pair). You also need to supply the extension that the ransomware appended. It is beneficial (but not required) to supply the unique ID from your ransom note, since it narrows the search.
Usage:

PrincessKeygen.exe [encrypted file] [original file] [added extension] [*unique id]

* – optional parameter

Example:

Read the data from your ransom note:

[image: ransom_id]

And supply them to the keygen:

PrincessKeygen.exe "square1.bmp.xauwk" "square1.bmp" xauwk ujivtjf25pwt

What if you don’t have any original file?

If you don’t have the original copy of any of your encrypted files, you can use an encrypted file of one of the following formats:

doc, png, gif, pdf, docx, xlsx, ppt, xls

Then, instead of the original file, supply the prepared header for that format – you can find the set here. This works because those formats start with a fixed signature, so the header stands in for the known plaintext. However, this method may, in some rare cases, produce invalid results – so, supplying the original file is recommended.

Example:

[image: princess_keygen]

What if you don’t have the ransom note?

It’s OK. Just supply the extension – but be warned that cracking may take a bit longer.

[image: no_note]


Check whether your output file is valid (for example, that it opens correctly and starts with the expected header for its format). If so, save the key and use it to decrypt the rest of your files, with the help of PrincessDecryptor.

Usage:

PrincessDecryptor.exe [key] [ransom extension] [*file/directory] 

* – optional parameter – default is current directory
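As an added example (not part of the tool package or of the original post), here is a small Python helper that applies the procedure above: it picks the known-plaintext pair the keygen needs, preferring a real original over the header fallback, builds the PrincessKeygen.exe command line in the usage form shown, and checks a decrypted file's leading bytes against standard file signatures so you can tell whether the key output is valid. The magic bytes are standard format signatures, not the prepared headers from the download; the header file name `headers/<format>` is an assumption, and the listing of encrypted files and backups is constructed.

```python
"""Planning a PrincessKeygen run and sanity-checking its output.

Added helper, not part of hasherezade's tool package. Assumptions are marked.
"""
import os

# Formats the post lists as usable with a prepared header instead of the original.
HEADER_FORMATS = {"doc", "png", "gif", "pdf", "docx", "xlsx", "ppt", "xls"}

# Standard leading bytes of those formats (well-known file signatures; the post's
# own prepared header files are not reproduced here).
OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy Office compound document
ZIP = b"PK\x03\x04"                           # OOXML documents are ZIP containers
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
    "doc": (OLE2,), "xls": (OLE2,), "ppt": (OLE2,),
    "docx": (ZIP,), "xlsx": (ZIP,),
}


def split_encrypted_name(encrypted, ransom_ext):
    """Strip the ransom extension: 'square1.bmp.xauwk' + 'xauwk' -> ('square1.bmp', 'bmp').
    Returns None when the file does not carry the ransom extension."""
    suffix = "." + ransom_ext
    if not encrypted.endswith(suffix):
        return None
    original = encrypted[:-len(suffix)]
    _, dot, inner = os.path.basename(original).rpartition(".")
    return original, (inner.lower() if dot else "")


def pick_known_plaintext(encrypted_files, ransom_ext, originals_available):
    """Choose the pair to feed the keygen.

    A real original (e.g. from a backup listing) wins, because the post says the
    header method can give invalid results in rare cases; a file whose inner
    format is in HEADER_FORMATS is the fallback. Returns
    (encrypted, original_or_None, inner_format), or None if nothing is usable."""
    fallback = None
    for enc in encrypted_files:
        parsed = split_encrypted_name(enc, ransom_ext)
        if parsed is None:
            continue
        original, fmt = parsed
        if original in originals_available:
            return enc, original, fmt
        if fallback is None and fmt in HEADER_FORMATS:
            fallback = (enc, None, fmt)
    return fallback


def keygen_command(encrypted, original, fmt, ransom_ext, unique_id=None, header_dir="headers"):
    """Build the command line in the post's usage form. When no original exists,
    '<header_dir>/<fmt>' stands for the prepared header (that file name is an
    assumption; use whatever the downloaded header set actually calls it)."""
    plaintext = original if original is not None else f"{header_dir}/{fmt}"
    cmd = f'PrincessKeygen.exe "{encrypted}" "{plaintext}" {ransom_ext}'
    if unique_id:
        cmd += f" {unique_id}"   # optional; the post says it shortens cracking
    return cmd


def looks_decrypted(data, fmt):
    """True/False if the format's signature is known; None when we cannot tell."""
    sigs = MAGIC.get(fmt.lower())
    if sigs is None:
        return None
    return any(data.startswith(s) for s in sigs)


if __name__ == "__main__":
    # Constructed example: a directory listing after infection plus one backup copy.
    encrypted = ["square1.bmp.xauwk", "report.docx.xauwk", "photo.png.xauwk"]
    backups = {"photo.png"}
    pair = pick_known_plaintext(encrypted, "xauwk", backups)
    print(keygen_command(*pair, "xauwk", "ujivtjf25pwt"))
    # After the keygen writes its output, check the decrypted bytes against the signature:
    print(looks_decrypted(b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR", "png"))
```

The validity check only covers the formats with a fixed signature; for anything else (a .bmp, a plain text file) open the output by hand before trusting the key for the rest of your files.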

About hasherezade

Programmer and researcher, interested in InfoSec.
This entry was posted in Malware, Malware Decryptor, Tools.

8 Responses to Princess Locker decryptor

  1. Janus Corso says:

    Thanks for your tools, but…why are you protecting them? It is useless (as you know). Another thing: Princess is easy to find if you reverse the key generation algo from a malware sample; trust me, if you protect your tools, people will be angry.
    I understand that you don’t want other people or companies to use your work, but a company that uses your work without giving you credit…;)

    • hasherezade says:

      Don’t worry, I will make it open source after some time – as I always do. For now I just don’t want to make things way too straightforward for the skids that wrote it 😉

    • demonslay335 says:

      It isn’t about protecting from other companies, it’s to protect against the malware authors seeing their mistakes. We try to delay them fixing it as long as possible when we can.

  2. Pingback: The Week in Ransomware – November 18th 2016 – Crysis, CryptoLuck, CHIP, and More – Computer Repair Plymouth

  3. Arthur Hollande says:

    Where can I get this PE-Lock thing for free?😀

  4. Pingback: The Week in Ransomware – November 18th 2016 – Crysis, CryptoLuck, CHIP, and More – Wayzata Computer Repair

  5. Pingback: Week 47 – 2016 – This Week In 4n6
