Princess ransomware targets hacked websites via RIG exploit kit

A new cybercrime campaign uses the RIG exploit kit to infect computers with PrincessLocker ransomware, and demands at least $367 from victims.

A new cybercrime campaign targets hacked websites to distribute ransomware known as PrincessLocker via drive-by downloads, according to research from Malwarebytes.

The campaign leverages compromised websites and the commonly-used RIG exploit kit to deliver PrincessLocker, also known as Princess, Jérôme Segura, lead malware intelligence analyst at Malwarebytes, wrote in a post.

PrincessLocker shares the same template for the Onion page with popular ransomware variant Cerber; however, their internal code is very different, Malwarebytes noted in a past analysis. PrincessLocker is a simpler form of ransomware, and it's possible that its creators are not as experienced, the researchers wrote.

It's rare to see compromised websites pushing exploit kits at this point in time, as many campaigns have been replaced with tech support scams. Most drive-by activity seen today comes from legitimate publishers and malvertising, Segura noted in the post.

But in this campaign, criminals inject an iframe, which redirects from the hacked site to a temporary gate. The call to the RIG exploit kit landing page is made via a standard 302 redirect, Malwarebytes said, and the landing page then attempts to exploit one of several Internet Explorer (CVE-2013-2551, CVE-2014-6332, CVE-2015-2419, CVE-2016-0189) or Flash Player (CVE-2015-8651) vulnerabilities.

Once exploitation succeeds, RIG can download and run PrincessLocker. The ransom note, a file named _USE_TO_REPAIR_[a-zA-Z0-9].html, then appears on the victim's screen with several links leading to decryption instructions and a payment page.
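
For responders scoping an infection, the ransom note name described above can serve as a filesystem indicator. The following Python is an added example, not code from Malwarebytes or the original article; it assumes the bracket expression in the note name stands for one or more alphanumeric characters, and the sample file names and the helper names are constructed for illustration.

```python
import os
import re
import tempfile
from datetime import datetime, timezone

# Note name as given in the article: _USE_TO_REPAIR_[a-zA-Z0-9].html
# Assumption: the bracket class stands for one or more alphanumeric characters.
NOTE_RE = re.compile(r"^_USE_TO_REPAIR_[a-zA-Z0-9]+\.html$")

# Constructed sample file names (not real victim data).
SAMPLE_FILES = [
    "Users/alice/Documents/_USE_TO_REPAIR_x7Kq2.html",  # note
    "Users/alice/Documents/report.docx",
    "Users/alice/Pictures/_USE_TO_REPAIR_9.html",       # note, one-character ID
    "Users/bob/Desktop/_USE_TO_REPAIR_.html",           # empty ID: ignored
    "Users/bob/Desktop/USE_TO_REPAIR_abc.html",         # no leading underscore: ignored
    "Users/bob/Desktop/_USE_TO_REPAIR_ab-c.html",       # non-alphanumeric ID: ignored
]

def find_ransom_notes(root):
    """Map each directory under root that holds a note to its sorted note names."""
    hits = {}
    # os.walk skips directories it cannot read, so the sweep does not abort.
    for dirpath, _dirs, files in os.walk(root):
        notes = sorted(f for f in files if NOTE_RE.match(f))
        if notes:
            hits[dirpath] = notes
    return hits

def earliest_note_time(hits):
    """Earliest note mtime in UTC: a rough marker for when notes began to appear."""
    times = [os.path.getmtime(os.path.join(d, n)) for d, ns in hits.items() for n in ns]
    return datetime.fromtimestamp(min(times), tz=timezone.utc) if times else None

def demo():
    """Build the constructed tree in a temp dir; return (hits by relative dir, first time)."""
    with tempfile.TemporaryDirectory() as root:
        for rel in SAMPLE_FILES:
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w"):
                pass
        hits = find_ransom_notes(root)
        rel_hits = {os.path.relpath(d, root).replace(os.sep, "/"): n for d, n in hits.items()}
        return rel_hits, earliest_note_time(hits)

if __name__ == "__main__":
    found, first = demo()
    for directory, notes in sorted(found.items()):
        print(directory, notes)
    print("earliest note mtime (UTC):", first)
```

Directories that contain a note show where the ransomware reached, and the earliest note timestamp gives a starting point for lining up proxy and endpoint logs.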

Victims are then asked for an initial payment of 0.0770 Bitcoins, or about $367, to decrypt their files. The attackers say that this is a "special price" that is only available for seven days. After that point, the ransom rises to 0.1540 Bitcoins, or about $738.

"The exploit kit landscape is not what it was a year ago, but we may be remiss to disregard drive-by download attacks completely," Segura wrote. "Malvertising is still thriving and we are noticing increased activity and changes with existing threat actors and newcomers."

As ZDNet's Danny Palmer reported, the best way to avoid PrincessLocker is to ensure that all critical vulnerabilities exploited by the kit are patched. These patches have been available for more than two years, and it's key to update your machine if you need to, Palmer said.

The 3 big takeaways for TechRepublic readers

1. A new cybercrime campaign leverages compromised websites and the commonly-used RIG exploit kit to deliver PrincessLocker via drive-by downloads, according to a new report from Malwarebytes.

2. Once a victim's machine is infected, the criminals demand a ransom of 0.0770 Bitcoins, or about $367, to decrypt their files.

3. The best way to avoid PrincessLocker is to ensure all critical vulnerabilities exploited by the RIG kit are patched.

About Alison DeNisco Rayome

Alison DeNisco Rayome is a Staff Writer for TechRepublic. She covers CXO, cybersecurity, and the convergence of tech and the workplace.