What is Princess Evolution?
Princess Evolution is the third version of the PrincessLocker ransomware that was spotted back in 2016. Although it belongs to the PrincessLocker family, Princess Evolution is a completely redesigned virus. According to the source, it mostly operates as ransomware as a service (RaaS) and is looking for affiliates: the developers themselves placed an ad stating that they are looking for affiliates for their new offspring. Under the terms of the deal, the affiliates get 60% of the ransom payment, and 40% goes to the malware authors.
Here is the post the cybercriminals placed on underground forums:
Good summer day, friends! A few months ago we had to suspend our activities to review our stance/situation on many aspects and to start a journey to perfection. It was a period of observations, developments, experiments, long waits and arguments. The loom of perfection always slips away in an ecstasy of chasing it. This is a gist of progress, with which we are happy to return and greet you with the new version of our product. ** Princess Evolution **
Princess Evolution ransomware may sneak onto a victim’s computer through malicious spam email attachments (never open attachments from suspicious emails!) and malicious macros in the Microsoft Office suite. Once it is on the PC, it starts to encipher personal data such as images, audio, text and documents, and then demands a ransom in exchange for a decrypter. All infected files get an extra extension of four random characters and become inaccessible. For example, myfamily.jpg turns into myfamily.S351. At the end of encryption the virus creates 2 files, ‘^_READ_TO_RE5T0RE_[RANDOM STRING].txt‘ and ‘^_READ_TO_RE5T0RE_[RANDOM STRING].html‘, which may contain the following text:
Your ID: [sixteen random characters]
Your extension: G8xB
Your files are encrypted!
Download and install Tor Browser:
http://www.torproject.org/download/download-easy.html
And follow this link via Tor Browser:
http://royal666k6zyxnai.onion/
Or use this alternative in any exceptional cases:
http://royal666k6zyxnai.tor2web.top/
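The note name and the "Your extension" line described above are enough to scope an infection on disk. The following Python sketch is an added example, not code from the original article or from any vendor tool; it assumes the note keeps the line layout quoted above (also inside the .html variant), and the sample tree in `demo()` is constructed.

```python
import re
import tempfile
from pathlib import Path

# Note names as given on the page: ^_READ_TO_RE5T0RE_[RANDOM STRING].txt / .html
NOTE_NAME = re.compile(r"^\^_READ_TO_RE5T0RE_.+\.(txt|html)$", re.IGNORECASE)
ID_LINE = re.compile(r"Your ID:\s*(\S+)")
EXT_LINE = re.compile(r"Your extension:\s*([A-Za-z0-9]{4})\b")
TAGS = re.compile(r"<[^>]+>")

def parse_note(text):
    """Return (victim_id, extension) from note text; a missing field is None."""
    text = TAGS.sub(" ", text)  # assumption: the .html note holds the same lines inside markup
    vid, ext = ID_LINE.search(text), EXT_LINE.search(text)
    return (vid.group(1) if vid else None, ext.group(1) if ext else None)

def triage(root):
    """Find ransom notes under root and the files carrying the extension they announce."""
    files = [p for p in Path(root).rglob("*") if p.is_file()]
    notes, extensions = [], set()
    for p in files:
        if not NOTE_NAME.match(p.name):
            continue
        vid, ext = parse_note(p.read_text(errors="replace"))
        notes.append({"path": p, "id": vid, "extension": ext})
        if ext:
            extensions.add(ext)
    # Match on the final suffix so both name.EXT and name.jpg.EXT are caught.
    affected = sorted(p for p in files
                      if not NOTE_NAME.match(p.name) and p.suffix[1:] in extensions)
    return notes, affected

def demo():
    """Build a constructed sample tree (not real malware output) and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        note = "Your ID: AAAABBBBCCCCDDDD\nYour extension: G8xB\nYour files are encrypted!\n"
        (root / "^_READ_TO_RE5T0RE_x1y2.txt").write_text(note)
        for name in ("myfamily.G8xB", "report.docx.G8xB", "untouched.jpg"):
            (root / name).write_bytes(b"\x00")
        notes, affected = triage(root)
        return notes[0]["id"], notes[0]["extension"], [p.name for p in affected]

if __name__ == "__main__":
    print(demo())
```

Run `triage()` against a read-only mount or a copy of the affected volume so the listing can be compared with backups before anything is restored.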
The ransom is 0.12 BTC (~ $764.12) if paid before the timer reaches zero; otherwise, the sum is increased. Nonetheless, we recommend that you not pay the criminals anything, as it will not end well for you. Practice shows that cybercriminals simply ignore people once the payment is made. Instead, you may follow this guide to find out how to remove Princess Evolution ransomware and decrypt your files for free.
Princess Evolution ransomware uses very sophisticated encryption, but it does not damage, move or delete your files, which means you have a chance to restore your personal data. The first thing you have to do is completely remove Princess Evolution ransomware from your computer in order to rule out reinfection. You can use an automated removal tool that will do it for you, or you can use our manual guide, but keep in mind that the manual route is recommended only for experienced users.
How to remove Princess Evolution from your computer?
You may try to use an anti-malware tool to remove Princess Evolution ransomware from your computer. Recent ransomware detection technology is able to run an instant ransomware scan, which is perfect for protecting your computer in case of a new ransomware attack.
How to decrypt files?
Once you’ve removed the virus, you are probably thinking about recovering your encrypted files. Let’s take a look at possible ways of decrypting your data.
Recover data with Data Recovery
- Download and install Data Recovery.
- Select the drives and folders with your files, then click Scan.
- Choose all the files in a folder, then press the Restore button.
- Manage the export location.
Restore data with automated decryption tools
Unfortunately, due to the novelty of Princess Evolution ransomware, there are no available automatic decryptors for this encryptor yet. Still, there is no need to invest in the malicious scheme by paying a ransom. You are able to recover files manually.
You can try to use one of these methods in order to restore your encrypted data manually.
Restore data with Windows Previous Versions
This feature works on Windows Vista (not Home version), Windows 7 and later versions. Windows saves copies of files and folders which you can use to restore data on your computer. In order to restore data from Windows Backup, take the following steps:
- Open My Computer and search for the folders you want to restore;
- Right-click on the folder and choose Restore previous versions option;
- The option will show you the list of all the previous copies of the folder;
- Select the restore date and the option you need: Open, Copy and Restore.
Restore the system with System Restore
You can always try to use System Restore in order to roll back your system to its condition before the infection. All the Windows versions include this option.
- Type restore in the Search tool;
- Click on the result;
- Choose a restore point from before the infection;
- Follow the on-screen instructions.