PrincessLocker analysis

Abstract

During the year 2016, ransomware continued to spread panic throughout the world. Kaspersky reported that, between January and September 2016, the rate of ransomware attacks on companies tripled from one every two minutes to one every 40 seconds, with more than 62 new families of ransomware emerging. We have encountered Cerber, Locky, PrincessLocker and others. In this work, we present an analysis of PrincessLocker, a form of ransomware that first appeared some time ago and presents victims with the same ransom demand site template as Cerber did. We explain the malware analysis steps we used to characterise the PrincessLocker infection process. We also discuss self-reproduction and over-infection, two major concepts in computer virology theory. Furthermore, we compare our own PrincessLocker analysis with the related work of Nolen Scaife et al. on detection of the non-malicious tool CryptoLock (not to be confused with the ransomware CryptoLocker) using behavioral analysis of information exchanges between the software under investigation and the file systems which are being encrypted.