Threat Management, Malware, Network Security, Ransomware

Royal pain: Websites compromised to deliver Princess ransomware via RIG exploit kit

A newly discovered drive-by download campaign is infecting victims with Princess Locker ransomware, by way of the RIG exploit kit.

According to a blog post published on Thursday, researchers at Malwarebytes recently found evidence on Aug. 30 that hackers are compromising websites with iframe injections designed to redirect visitors through a gate and then on to the RIG landing page. From there, the exploit kit capitalizes on one of a number of Internet Explorer and Flash Player vulnerabilities to run the Princess malware.

Princess encrypts victims files and, in this latest campaign, is demanding a ransom of 0.0770 bitcoins, or approximately $370 as of this writing. Additionally, BleepingComputer had recently tweeted about a new Princess payment page found on the Tor network, which is now actively being used.

"We are not so accustomed to witnessing compromised websites pushing exploit kits these days," writes blog post author Jerome Segura, lead malware intelligence analyst at Malwarebytes. "The exploit kit landscape is not what it was a year ago, but we may be remiss to disregard drive-by download attacks completely."

When Princess appeared last year, it was noted for using the same Tor page template as Cerber ransomware; however, Malwarebyte's analysis of the code found the malware itself to be quite different. A researcher was able to develop a decryptor for one of Princess's earlier versions, but it does not work on newer variants "because they have correctly implemented secure functions from the Windows cryptography API," Segura explained in an interview with SC Media.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.