Thus far, 2016 has seen no shortage of new cyberthreats, particularly where ransomware is concerned. In fact, security researchers have found that 79 new strains of encryption malware were discovered during the first half of 2016. Meanwhile, the FBI estimates that businesses will lose $1 billion by the end of the year to ransomware. The situation is bad and getting worse.
One of the more recently discovered strains of ransomware also happens to be one of the most mysterious: Princess Locker.
What We Know So Far
Princess Locker was first documented in dark web forums by the SenseCy blog on Sept. 22, at which point the researchers who found it tweeted that the strain “suspiciously resembled #Cerber.” For reference, Cerber – which wreaked havoc in early 2016 – is a form of ransomware that employs AES encryption. The executable uses a JSON configuration file that identifies which extensions to encrypt and which countries it should exclude from encryption. Historically, Cerber cost 1.24 bitcoin, which, in its heyday, was about $550.
Because there are no samples for researchers to analyze at the time of this writing, we still know very little about Princess Locker. That makes granular comparisons to Cerber difficult, and any similarities of real substance would be speculative. However, Bleeping Computer noted that Princess Locker’s language page looks “almost identical to Cerber’s.”
For now, only the following can be concluded:
- It’s believed to spread through email phishing scams, malicious ads and exploit kits.
- The ransom demanded is 3 bitcoin (roughly $1,800), triple the extortion fee of Cerber.
- The payment page is by all appearances fairly standard.
- If payment is not received after the requested timeframe, the ransom doubles.
With the exception of the brazenly high ransom value, what we know of Princess Locker seems to be fairly typical of other threatening forms of ransomware. Nevertheless, until we know more about how it functions, organizations have no reliable means for decryption should they become infected.
The Timing Couldn’t Be Worse
On top of everything else, researchers recently documented a spike in Windows Script Files (WSF) being used as ransomware distribution vessels. Their purpose, according to ZDNet’s Danny Palmer, is “to allow a variety of scripting languages to mix within a single file.”
“What makes files with the .wsf extension appealing to cybercriminals, hackers, and other ransomware pushers is that they’re not automatically blocked by some email clients and can be launched like a standard executable file,” Palmer added.
Essentially what this means is that newer forms of ransomware (and for all we know, Princess Locker may be among them) have found a way to bypass some security providers’ web gateways. This increases the chances of infection, putting data at greater risk of harm.
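The passage above describes why .wsf files slip past some email filtering: a WSF is an XML container that can hold several scripting languages, and Windows launches it like an executable. The following gateway-style attachment check is an added example written for this article; it is not code from the original post or from any vendor mentioned here. It treats Windows Script Host file types as executable content, catches double extensions such as a script hidden behind “.pdf”, looks inside zip attachments, and also recognizes WSF content by parsing its `<job>`/`<script language=...>` structure so that a script renamed to an innocent extension is still flagged. The extension list, the sample attachments and the benign demo script are all constructed for the example.

```python
import io
import zipfile
from xml.etree import ElementTree

# Windows Script Host file types that run like executables when double-clicked.
# .wsf is the multi-language container the article discusses; the others are
# the single-language WSH types usually blocked alongside it (assumed policy).
SCRIPT_EXTENSIONS = {".wsf", ".wsh", ".js", ".jse", ".vbs", ".vbe"}
ARCHIVE_EXTENSIONS = {".zip"}
MAX_ARCHIVE_DEPTH = 2  # do not descend forever into nested archives


def name_extensions(filename):
    """Return every trailing extension of a filename, lowercased, so that
    'invoice.pdf.wsf' yields ['.pdf', '.wsf']; the last one decides how
    Windows opens the file."""
    base = filename.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def wsf_script_languages(data):
    """If the bytes parse as a WSF job file, return the languages declared by
    its <script language="..."> elements (in document order); otherwise None.
    WSH tolerates some malformed XML that ElementTree rejects, so this is a
    content check that backs up the extension check, not a replacement."""
    try:
        root = ElementTree.fromstring(data)
    except ElementTree.ParseError:
        return None
    if root.tag.lower() not in ("job", "package"):
        return None
    return [el.get("language", "").lower()
            for el in root.iter() if el.tag.lower() == "script"]


def classify_attachment(filename, data, depth=0):
    """Return a list of findings explaining why the attachment should be
    handled as executable content; an empty list means nothing was found."""
    findings = []
    exts = name_extensions(filename)
    if exts and exts[-1] in SCRIPT_EXTENSIONS:
        findings.append(f"{filename}: {exts[-1]} launches via Windows Script Host")
        if len(exts) > 1:
            findings.append(f"{filename}: double extension hides {exts[-1]} behind {exts[-2]}")
    langs = wsf_script_languages(data)
    if langs is not None:
        findings.append(f"{filename}: WSF job file declaring languages {sorted(set(langs))}")
    if exts and exts[-1] in ARCHIVE_EXTENSIONS and depth < MAX_ARCHIVE_DEPTH:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    findings.extend(classify_attachment(
                        f"{filename}/{member}", zf.read(member), depth + 1))
        except zipfile.BadZipFile:
            findings.append(f"{filename}: archive extension but not a readable zip")
    return findings


def scan_mail(attachments):
    """Run the check over (filename, bytes) pairs and map each name to its findings."""
    return {name: classify_attachment(name, data) for name, data in attachments}


# Constructed, benign WSF that mixes VBScript and JScript in one file; it only
# echoes two strings and exists to exercise the content check.
BENIGN_WSF = b"""<job id="demo">
<script language="VBScript">WScript.Echo "vb part"</script>
<script language="JScript">WScript.Echo("js part");</script>
</job>"""


def build_zip(members):
    """Build an in-memory zip from a {name: bytes} mapping (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample message: an ordinary PDF, a script behind a .pdf extension,
# the same script inside a zip, and WSF content under a .txt name.
SAMPLE_MAIL = [
    ("quarterly_report.pdf", b"%PDF-1.4 constructed placeholder"),
    ("invoice.pdf.wsf", BENIGN_WSF),
    ("scan.zip", build_zip({"scan.wsf": BENIGN_WSF})),
    ("notes.txt", BENIGN_WSF),
]

if __name__ == "__main__":
    for name, findings in scan_mail(SAMPLE_MAIL).items():
        print(name, "->", findings or "no findings")
```

Only the ordinary PDF comes back clean; the renamed script is caught both by its final extension and by its content, the zipped copy is caught by looking inside the archive, and the “.txt” attachment is caught by the content check alone. A gateway would quarantine or strip anything with findings rather than rely on the email client to refuse it.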
Next Steps to Protecting Your Organization
The first step to enhancing cybersecurity is to deploy a comprehensive security suite that uses active protection. This is real-time protection that constantly runs in the background as users work or browse the internet, monitoring all executables. Combined with an anti-executable tool that blocks unknown programs before they launch, it might be possible to preempt sly ransomware schemes from ever getting a foot in the door.
That said, hackers have made great strides in the area of social engineering, and they’re getting better at sneaking threats through security. While perimeter defenses will continue to be an integral component of any business’ security structure, they need to be backed up by a solution that can quickly and efficiently restore encrypted data, especially as new ransomware threats abound.