Remove Princess Ransomware | Updated


I wrote this article to help you remove Princess Ransomware. This Princess Ransomware removal guide works for all Windows versions.

Princess is one of the newest additions to the ransomware family. According to researchers, this pest is quite sophisticated and advanced. If you are infected with it, this article is just for you. Bear in mind that you have an extremely dangerous infection on board and removing it ASAP should be your number one priority. Don’t waste any time and, most importantly, don’t give into panic. Yes, we are aware that it is hard not to panic when you are stuck with this type of virus, but crooks rely on the fact that you will be scared. If you are, you will be more willing to comply with their demands and do what they say.

Keep calm and read this article in order to know what you are dealing with and how to make an informed decision. As a classic ransomware, Princess follows the standard pattern. It invades your system in complete silence, locks all of your files and then extorts you for money. The pest uses a combination of complex algorithms that is very difficult to be reversed. Also, during the encryption process, there are no signs of something being wrong. The ransomware works from the shadows and you realize that you are infected only after you see the “.locked” or another similar extension appended to your files.

Seeing your data renamed like this means that it is no longer accessible. Princess could also completely change the names of your files with something like “[5_random_characters]_[12_random_digits]_[unique_ID].[certain_extension]”. Either way, you will know that your data has been taken hostage when you try opening a file and fail. Princess targets your most valuable documents like photos, music, videos, archives, databases, contact lists, MS Office files, etc. All of them get turned into unusable gibberish.

Once the encryption is over, the ransomware drops the “!_HOW_TO_RESTORE_[extension].TXT” and “!_HOW_TO_RESTORE_[extension].html” files in all folders, containing locked data. Those are your payment instructions. According to them, you are supposed to visit a Tor-based website where you should login in for further instructions with the unique ID you are given.

The crooks demand a ransom of 3 Bitcoins stating that if you don’t pay within the given time frame, the sum will double. Currently, 3 Bitcoins equal the whopping amount of 13513.71 USD. This is A LOT of money. And if you don’t pay, the sum doubles. And for what? For your OWN files. Are you going to pay so much money for something that is already yours? Not to mention that paying guarantees you nothing. You may not receive the tool which is supposed to unlock your data. Or, crooks may send you a not-working one. But even if they do send you the decryptor and you free your files, the real threat remains.

The Princess ransomware is still on your machine ready to strike again anytime. Then what? Are you going to pay 13000 USD again? No! You should pay at all. You cannot win this game by paying. You will only worsen your situation. What if the hackers take the first payment and then decide to ask for more money? Forget about playing by their rules. You will lose. What you need to do first is clean your PC from this plague. Only then you can try to safely recover your data. Use our removal guide below to do so manually.

How does Princess travel the web? According to latest reports, the ransomware gets distributed via malicious spam email attachments, the help of Trojan horses, fake updates, malvertising, etc. Be extra careful what you click on. Hackers disguise the links that download the infection to look legitimate and helpful. Don’t be gullible. If you are not sure about something, don’t click on it.

Don’t blindly open every email message that you get and don’t open its attachment. Even if it looks safe at first, double-check it. A single click is all it takes for Princess to get activated and the encryption process to begin. Be on the alert. Get yourself a good anti-virus program to help you protect your machine. Also, create backups of your most valuable files on an offline device to be sure they are safe.

Princess Ransomware Removal

Method 1: Restore your encrypted files using ShadowExplorer
Usually, Princess Ransomware deletes all shadow copies, stored in your computer. Luckily, the ransomware is not always able to delete the shadow copies. So your first try should be restoring the original files from shadow copies.

  1. Download ShadowExplorer from this link:
  2. Install ShadowExplorer
  3. Open ShadowExplorer and select C: drive on the left panelshadowexplorer
  4. Choose at least a month ago date from the date field
  5. Navigate to the folder with encrypted files
  6. Right-click on the encrypted file
  7. Select “Export” and choose a destination for the original file

Method 2: Restore your encrypted files by using System Restore

  1. Go to Start –> All programs –> Accessories –> System tools –> System restore
  2. Click “Nextsystem restore
  3. Choose a restore point, at least a month ago
  4. Click “Next
  5. Choose Disk C: (should be selected by default)
  6. Click “Next“. Wait for a few minutes and the restore should be done.

Method 3: Restore your files using File Recovery Software
If none of the above method works, you should try to recover encrypted files by using File Recovery Software. Since Princess Ransomware first makes a copy of the original file, then encrypts it and deletes the original one, you can successfully restore the original, using a File Recovery Software. Here are a few free File Recovery Software programs:

  1. Recuva
  2. Puran File Recovery
  3. Disk Drill
  4. Glary Undelete
Daniel Stoyanov
Daniel Stoyanov has a Master's degree in Computer Science from the Technical University of Sofia, Bulgaria. He is also a Microsoft Certified Professional. Daniel provides top cyber security news with in-depth coverage of malware, vulnerabilities, PC and Network security, online safety.If you have any questions feel free to ask him right now.


Please enter your comment!
Please enter your name here

Time limit is exhausted. Please reload CAPTCHA.