Ransomware as a Service Princess Evolution Looking for Affiliates

We have been observing a malvertising campaign via Rig exploit kit delivering a cryptocurrency-mining malware and the GandCrab ransomware since July 25. On August 1, we found Rig’s traffic stream dropping a then-unknown ransomware. Delving into this seemingly new ransomware, we checked its ransom payment page in the Tor network and saw it was called Princess Evolution (detected by Trend Micro as RANSOM_PRINCESSLOCKER.B), and was actually a new version of the Princess Locker ransomware that emerged in 2016. Based on its recent advertisement in underground forums, it appears that its operators are peddling Princess Evolution as a ransomware as a service (RaaS) and are looking for affiliates.

The new malvertising campaign we observed since July 25 is notable in that the malvertisements included Coinhive (COINMINER_MALXMR.TIDBF). Even if users aren’t diverted to the exploit kit and infected with the ransomware, the cybercriminals can still earn illicit profit through cryptocurrency mining. Another characteristic of this new campaign is that they hosted their malvertisement page on a free web hosting service and used domain name system canonical name (DNS CNAME to map their advertisement domain on a malicious webpage on the service.

Figure 1. The Princess Evolution’s logo on its payment site

Figure 2. Traffic of the malvertisement delivering Princess Evolution via Rig exploit kit (top), and the domain name system (DNS) response of the malvertisement’s domain (bottom)

Trailing Princess Evolution
Princess Evolution has the same ransom note as Princess Locker’s. Princess Evolution encrypts files on the system and changes their original file extension to a randomly generated string of characters. It drops a ransom note that contains instructions on where and how to pay the ransom of 0.12 bitcoin (equivalent to US$773 as of August 8, 2018).

We found that Princess Locker’s developers made a post in underground forums on July 31 advertising an affiliate program for their newly created Princess Evolution. Under its business model, the affiliates get 60 percent of the ransom payment, and the rest are the malware authors’ commissions. And based on their advertisement, it seems the operators took the time to develop Princess Evolution.

Here’s the original text of the advertisement for Princess Evolution found in an underground forum, written in Russian:
С новым летним днем, друзья! Несколько месяцев назад мы вынуждены были приостановить деятельность для того, чтобы пересмотреть наши позиции во многих отношениях и отправиться на поиски собственного идеала. Это был период наблюдений, разработок, экспериментов, длительных ожиданий и споров. Очертания идеала всегда обманчиво ускользают в экстазе погони за ним, неизменно оставляя позади преодоленную дистанцию. Это и являет собой суть прогресса, благодаря которому мы рады вернуться и приветствовать вас с новой версией нашего продукта. **Princess Evolution**

Translated in English:
Good summer day, friends! Few months ago we had to suspend our activities to review our stance/situation on many aspects and to start a journey to perfection. It was a period of observations, developments, experiments, long waits and arguments. The loom of perfection always slips away in an ecstasy of chasing it. This is a gist of progress, with which we are happy to return and greet you with the new version of our product. ** Princess Evolution **

Technical analysis
Its encryption routine involves scrambling the file’s first chunk of data using both XOR and AES algorithms, while it uses AES to encrypt the rest of the file’s data. A significant change we saw on Princess Evolution from Princess Locker is the shift from using hypertext transfer protocol (HTTP) POST to user datagram protocol (UDP) for command-and-control (C&C) communication. The change is likely due to the faster way that UDP transmits and sends data, as it has less overhead (e.g., no need to establish a connection before sending data).

Princess Evolution generates a random XOR key (0x80 bytes) and another in AES-128 algorithm, and sends these keys, along with the following information, to the network range 167[.]114[.]195[.]0/23[:]6901 via UDP:

Username of the infected computer
Name of the active network interface
The system’s Locale ID (LCID)
Version of operating system (OS)
Victim ID
Security software registered with Windows
Timestamp of when the program was started

Princess Evolution’s approach to its C&C communication is similar to Cerber’s. It’s also worth noting that Princess Locker’s payment website resembled Cerber’s. Princess Evolution’s payment page now sports a new design.

Figure 3. Princess Evolution’s C&C communication on UDP (top) and its payment website (bottom)

Exploit kits are a reminder to users and businesses on the significance of patching. Ransomware may have plateaued (and even declined in some regions), but it is still a significant threat given its destructive nature. Follow best practices: think before clicking, keep systems and their applications patched (or consider virtual patching for corporate environments and legacy systems and networks), and implement defense in depth.

A proactive, multilayered approach to security is key against threats that exploit vulnerabilities — from the gateway, endpoints, networks, and servers. Trend Micro OfficeScan with XGen endpoint security has Vulnerability Protection that shields endpoints from identified and unknown vulnerability exploits before patches are even deployed. Trend Micro’s endpoint solutions such as Trend Micro Smart Protection Suites and Worry-Free Business Security protect end users and businesses from these threats by detecting and blocking malicious files and all related malicious URLs.

Indicators of Compromise (IoCs):

Related hashes (SHA-256):

1408a24b74949922cc65164eea0780449c2d02bb6123fd992b2397f1873afd21 — RANSOM_PRINCESSLOCKER.B
981cf7d1b1b2c23d7717ba93a50fc1889ae78ee378dbb1cbfff3fd0fe11d0cbc — RANSOM_PRINCESSLOCKER.B
8fc9353cc0c15704f016bc1c1b05961ab267b6108cfa26725df19a686ec2ad28 – RANSOM_GANDCRAB.TIAOBH
6502e8d9c49cc653563ea75f03958900543430be7b9c72e93fd6cf0ebd5271bc — COINMINER_MALXMR.TIDBF

Malvertisement domains related to Princess Evolution: