Princess Evolution Ransomware Removal Guide

Do you know what Princess Evolution Ransomware is?

Malware researchers working in our internal lab are advising all Windows users to protect their systems against Princess Evolution Ransomware. It is likely that this threat is somehow associated with the infamous Princess Locker Ransomware, but it is not possible to confirm at this point whether or not these two infections were created by the same party. Both require removal, of course, and if you continue reading this report, you will learn how to delete Princess Evolution Ransomware. We offer two different options, and that should cover both experienced and inexperienced Windows users. After you read this report and decide on the preferred removal path, use the comments section below to ask us questions or start a discussion about anything related to the infection.

Our research team has found that Princess Evolution Ransomware functions as RaaS (Ransomware-as-a-Service), and anyone can spread this infection. It was discovered that the ransomware is promoted on underground forums, and those who choose to participate can earn up to 60% of the profits. Naturally, 40% automatically goes to the creator of the infection. As a result, the distribution of the malicious Princess Evolution Ransomware is very varied: it can be spread using exploit kits (e.g., RIG Exploit Kit) hosted on unreliable websites, as well as malicious installers, fake software keygens, spam emails, and all kinds of other security backdoors and loopholes. If the execution of the threat is successful, and the victim does not realize that they need to delete it right away, it first silently looks for a mutex called “hoJUpcvgHA” and a file named “MeGEZan.VDE” (in %APPDATA%). The infection does not run if these components are found, but the launcher still requires removal.

If the conditions are right, the malicious Princess Evolution Ransomware connects to a special IP address (167.114.195.225:6901) via the UDP protocol. The connection is required so that the encryption key can be sent along with information about the victim. After this, the encryption starts, and all personal files are encrypted using XOR and AES-128 algorithms. You can easily see which files were encrypted because Princess Evolution Ransomware adds a unique extension that consists of 4-6 random characters to every filename. Then, the threat creates three ransom note files. You should find them on the Desktop and in all folders with encrypted files. The names are “(_H0W_TO_REC0VER_[unique extension].html”, “(_H0W_TO_REC0VER_[unique extension].txt”, and “(_H0W_TO_REC0VER_[unique extension].url”. The message is the same in all files, and it includes a unique ID number, a unique extension (the one attached to corrupted files), and a link to an .onion page that presents instructions on how to pay a ransom. At the time of research, the page did not load. Even if it is possible to access the page, we do not recommend paying attention to the demands or paying the ransom because you are unlikely to get what you are promised. Instead, quickly remove the malicious ransomware.

You cannot recover files by removing Princess Evolution Ransomware, but you want to get rid of this threat as soon as possible. This should not be difficult for those who can find and delete the launcher file. What if you have NO idea where this file might be? If that is the case, you want to consider the option of installing anti-malware software. Why is this software not installed onto your operating system already? After all, it can provide you with the most comprehensive and reliable protection against all kinds of infections, which is why we suggest installing it without further hesitation. If you do, it will automatically delete Princess Evolution Ransomware, and you will not need to worry about it further.

Delete Princess Evolution Ransomware

  1. Delete the malicious launcher file (the name and location are unknown).
  2. Delete the ransom note files from the Desktop and all affected folders:
    • (_H0W_TO_REC0VER_[unique extension].html
    • (_H0W_TO_REC0VER_[unique extension].txt
    • (_H0W_TO_REC0VER_[unique extension].url
  3. Empty Recycle Bin to eliminate the components completely.
  4. Install a reliable malware scanner and run a full system scan to check for leftover malware.
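
The inventory behind step 2, as an added example that is not part of the original guide: it walks a folder tree, finds the three ransom notes by the names listed above, reads the unique extension out of the note names, and lists the files that carry it, optionally deleting only the notes. It assumes the extension is 4-6 alphanumeric characters embedded in the note name without a dot; `triage`, `build_sample` and the sample file names are constructed for illustration.

```python
import os
import re
import tempfile
from pathlib import Path

# Note names as listed on this page: (_H0W_TO_REC0VER_[unique extension].html/.txt/.url
# Assumption: the unique extension is 4-6 alphanumeric characters, written without a dot.
NOTE_RE = re.compile(r"^\(_H0W_TO_REC0VER_([A-Za-z0-9]{4,6})\.(?:html|txt|url)$", re.I)
MARKER_NAME = "MeGEZan.VDE"  # file the page says the threat looks for in %APPDATA%


def triage(root, appdata=None, delete_notes=False):
    """Inventory ransom notes and files carrying the extension the notes name."""
    notes, others = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            (notes if NOTE_RE.match(name) else others).append(path)
    # The extension embedded in each note name identifies the encrypted files.
    extensions = {NOTE_RE.match(n.name).group(1).lower() for n in notes}
    encrypted = [p for p in others if p.suffix[1:].lower() in extensions]
    marker = appdata is not None and (Path(appdata) / MARKER_NAME).is_file()
    if delete_notes:  # step 2 of the list; encrypted files are never touched
        for note in notes:
            note.unlink()
    return {"notes": sorted(notes), "extensions": sorted(extensions),
            "encrypted": sorted(encrypted), "marker_present": marker}


def build_sample(root):
    """Constructed sample tree (not real infection data) for a dry run."""
    docs = Path(root) / "Documents"
    docs.mkdir(parents=True)
    for name in ("report.docx.k3Qz9", "photo.jpg.k3Qz9", "untouched.txt",
                 "(_H0W_TO_REC0VER_k3Qz9.html", "(_H0W_TO_REC0VER_k3Qz9.txt",
                 "(_H0W_TO_REC0VER_k3Qz9.url"):
        (docs / name).write_bytes(b"constructed")
    return docs


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        result = triage(tmp, appdata=os.environ.get("APPDATA"))
        for key, value in result.items():
            print(key, "->", value)
```

Run it with `delete_notes=False` first and keep the resulting list of encrypted files, since it shows what has to be restored from backup.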

In non-techie terms:

You are in a sticky situation if Princess Evolution Ransomware has managed to invade your operating system because your personal files must be encrypted. What can you do to restore them? Unfortunately, there's nothing to be done, and you can access your files only if backup copies exist outside the infected computer. That being said, even if the damage is irreversible, you want to remove Princess Evolution Ransomware from your operating system as quickly as possible, and you can do it yourself or with the help of anti-malware software. If you want to guarantee removal and you care about your virtual security in the future, you will go with the latter option. In the future, be sure to back up all files to keep them safe.