PClock is not one of the newest ransomware families, but security researchers have recently detected a new wave of it. PClock presents itself as CryptoLocker in its ransom note; analysis has shown that it is an unrelated family merely borrowing the name. The first PClock campaign appeared in January 2015 and the family has stayed active since; the new wave of this file-encrypting malware emerged in November 2016. This post covers that renewed version.
What’s New in PClock Ransomware?
Microsoft detects PClock as Ransom:Win32/WinPlock.B (WinPlock). It is written in Visual Basic and targets 2,630 file types, whereas the earliest version targeted just over 100. The list covers documents, photos, video files and more; practically all of the data stored on a PC can be affected. Some of the targeted file types are the following:
*.3fr, *.accdb, *.ai, *.arw, *.bay, *.cdr, *.cer, *.cr2, *.crt, *.crw, *.h, *.dbf, *.dcr, *.der, *.dng, *.doc, *.docm, *.docx, *.dwg, *.dxf, *.dxg, *.eps, *.erf, *.indd, *.jpe, *.jpg, *.kdc, *.mdb, *.mdf, *.mef, *.mrw, *.nef, *.nrw, *.odb, *.odm, *.odp, *.ods, *.odt, *.orf, *.p12, *.p7b, *.p7c, *.pdd, *.pef, *.pem, *.pfx, *.ppt, *.pptm, *.pptx, *.psd, *.pst, *.ptx, *.r3d, *.raf, *.raw, *.rtf, *.rw2, *.rwl, *.srf, *.srw, *.wb2, *.wpd, *.wps, *.xlk, *.xls, *.xlsb, *.xlsm, *.xlsx
The path of every encrypted file is written to a log named enc_files.txt in the user's profile folder.
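Because the malware leaves that list behind, it can be used to scope the damage before any restore. The following script is an added example, not code from the article: it parses an enc_files.txt body, groups the listed files by extension (checked against a subset of the article's extension list), and confirms on disk which of them actually look encrypted with a Shannon-entropy check. The sample log and files are constructed; the assumptions that enc_files.txt holds one full path per line and that the entropy heuristic (high entropy means ciphertext-like) applies are mine, not facts from the page.

```python
"""
Added example (not from the original article): scope a PClock infection from
the enc_files.txt log the malware leaves in the user's profile folder.

Assumptions not stated on the page: enc_files.txt holds one full path per
line; encrypted files are overwritten in place. The Shannon-entropy check is a
generic "looks encrypted" heuristic, not a PClock-specific indicator.
"""
import math
import os
import tempfile
from collections import Counter

# Subset of the extensions the article lists as targeted by PClock.
TARGETED = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".rtf",
            ".jpg", ".psd", ".pst", ".pem", ".pfx", ".p12", ".mdb", ".dbf"}


def parse_enc_files(text):
    """Return the non-empty paths from an enc_files.txt body, one per line."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def shannon_entropy(data):
    """Bits per byte: close to 8.0 for ciphertext or compressed data,
    typically 4 to 5 for English text, 0.0 for a single repeated byte."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def triage(paths, entropy_threshold=7.0, sample_bytes=65536):
    """Group listed files by extension and check on disk whether each one
    looks encrypted. Returns (Counter by extension, list of (path, status))."""
    by_ext = Counter()
    findings = []
    for path in paths:
        ext = os.path.splitext(path)[1].lower()
        by_ext[ext] += 1
        if not os.path.isfile(path):
            findings.append((path, "missing"))
            continue
        with open(path, "rb") as fh:
            head = fh.read(sample_bytes)
        status = ("high-entropy" if shannon_entropy(head) >= entropy_threshold
                  else "low-entropy")
        findings.append((path, status))
    return by_ext, findings


def demo():
    """Constructed sample: a fake profile folder with one file overwritten by
    random bytes (stand-in for ciphertext), one untouched text file, and one
    path that no longer exists, all listed in a constructed enc_files.txt."""
    with tempfile.TemporaryDirectory(prefix="pclock_triage_") as root:
        enc = os.path.join(root, "report.docx")
        plain = os.path.join(root, "notes.rtf")
        missing = os.path.join(root, "photo.jpg")
        with open(enc, "wb") as fh:
            fh.write(os.urandom(65536))
        with open(plain, "wb") as fh:
            fh.write(b"Quarterly figures, see attached spreadsheet.\r\n" * 500)
        log = "\n".join([enc, plain, missing]) + "\n"
        by_ext, findings = triage(parse_enc_files(log))
    return by_ext, dict(findings)


if __name__ == "__main__":
    by_ext, findings = demo()
    for ext, n in by_ext.most_common():
        flag = "targeted" if ext in TARGETED else "not in list"
        print(f"{ext or '(none)'}: {n} ({flag})")
    for path, status in findings.items():
        print(status, path)
```

Run it as-is to see the constructed case; for a real incident, feed the contents of the victim's enc_files.txt into `parse_enc_files` and run `triage` from a clean machine with the affected drive mounted read-only, so the per-extension counts show which data sets to prioritise for restore and the entropy status catches files the malware listed but never got to encrypt.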
Screenshots of the PClock ransom screen are the following:
The first version of the ransomware gave victims 72 hours (3 days) to contact the attackers and pay; the new variant allows 120 hours (5 days). The ransom has been halved: the crooks now ask for 0.55 BTC, about 412.29 USD at the time of writing. The ransom note lists [email protected] and [email protected] as contact addresses.
The first version of PClock displayed the following ransom note:
The Two Spreading Vectors of PClock Ransomware
PClock is a trojan spread in two ways: through malicious spam e-mails, or through the Crimace trojan, a downloader that delivers other malware. The spam e-mails typically carry the subject PLEASE READ YOUR FAX T6931 and an attachment named Criminal case against you, presented as the fax; running the attachment downloads the PClock payload onto the victim's PC.
The Crimace route works as follows. Crimace, detected as TrojanDownloader:JS/Crimace.A, arrives as a RAR archive containing a WSF (Windows Script File), bundled with other unspecified free software downloads. When the archive is opened and the WSF file is run, the JavaScript it contains executes, downloads and installs Crimace, which in turn fetches PClock from a remote server controlled by the attackers and installs it on the victim's computer.
In the Case of PClock Ransomware Infection
At the time of writing, no decrypter had been released for this latest version of PClock.
Update: a decrypter is now available here: link. It is free and can decrypt your files.
In any case, affected users should first make a copy of the encrypted data, then remove the malware before attempting to restore anything. Security products such as SpyHunter or Malwarebytes can do the removal. We have also prepared manual removal instructions, but they take considerably more time, effort and expertise, and because they do not scan the whole system, other undetected malware may remain on the machine.
If the decrypter does not recover your files, restore from an offline (unmapped) backup or try file-recovery software such as Recuva, PhotoRec, R-Studio or the Kaspersky recovery tools. Do not count on Windows' Previous Versions feature: this ransomware deletes or disables the Volume Shadow Copies it relies on. Should a newer decryption tool be developed, we will update this article.
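Two of the behaviours described above are visible in process-creation telemetry and are worth a detection rule: the Crimace delivery chain, where a Windows script host runs a WSF file that was just unpacked from an archive into a temp folder, and the removal of shadow copies before encryption. The script below is an added example, not code from the article or from any vendor: it runs that logic over a handful of constructed, Sysmon-style process-creation lines. The log format, the `Rar$DI` temp folder (WinRAR's usual extraction location) and the `vssadmin`/`wmic` command patterns are my assumptions; the page does not say which command PClock uses to remove shadow copies, so those patterns are generic ransomware indicators rather than PClock-specific ones.

```python
"""
Added example (not from the original article): detection logic for two
host-level behaviours the article describes, a script host launching a WSF
from a user-writable temp folder (the Crimace chain) and shadow copy removal.

Assumptions: the log lines are constructed, in a simplified Sysmon Event 1
style (pipe-separated key=value fields, no pipes inside values). The page does
not name PClock's shadow-copy command, so vssadmin/wmic patterns are generic.
"""
import re

# Constructed sample telemetry: one true positive per rule, plus benign lines.
SAMPLE_LOG = """\
Image=C:\\Windows\\System32\\wscript.exe|ParentImage=C:\\Program Files\\WinRAR\\WinRAR.exe|CommandLine="C:\\Windows\\System32\\wscript.exe" "C:\\Users\\alice\\AppData\\Local\\Temp\\Rar$DI00.123\\invoice.wsf"
Image=C:\\Windows\\System32\\vssadmin.exe|ParentImage=C:\\Users\\alice\\AppData\\Roaming\\update.exe|CommandLine=vssadmin delete shadows /all /quiet
Image=C:\\Windows\\System32\\wscript.exe|ParentImage=C:\\Windows\\explorer.exe|CommandLine="C:\\Windows\\System32\\wscript.exe" "C:\\Scripts\\logon.vbs"
Image=C:\\Windows\\System32\\vssadmin.exe|ParentImage=C:\\Windows\\System32\\cmd.exe|CommandLine=vssadmin list shadows
Image=C:\\Program Files\\Microsoft Office\\WINWORD.EXE|ParentImage=C:\\Windows\\explorer.exe|CommandLine="WINWORD.EXE" report.docx
"""

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Script file types the Windows Script Host will execute from a double-click.
SCRIPT_EXT = re.compile(r"\.(wsf|js|jse|vbs|vbe)\b", re.I)
# Locations where an archive tool or mail client drops attachments.
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Downloads|Temp)\\", re.I)
SHADOW_DELETE = (
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
)


def parse_line(line):
    """Split 'k=v|k=v' into a dict; only the first '=' in each field is a separator."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def evaluate(fields):
    """Return a reason string if the event matches a rule, else None."""
    image = fields.get("Image", "").rsplit("\\", 1)[-1].lower()
    cmd = fields.get("CommandLine", "")
    if image in SCRIPT_HOSTS and SCRIPT_EXT.search(cmd) and USER_WRITABLE.search(cmd):
        return "script host running script from user-writable location"
    for pattern in SHADOW_DELETE:
        if pattern.search(cmd):
            return "shadow copy deletion"
    return None


def scan(log_text):
    """Run every line through the rules; return (reason, image, parent, cmdline) hits."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = parse_line(line)
        reason = evaluate(fields)
        if reason:
            hits.append((reason, fields.get("Image"), fields.get("ParentImage"),
                         fields.get("CommandLine")))
    return hits


if __name__ == "__main__":
    for reason, image, parent, cmd in scan(SAMPLE_LOG):
        print(f"[{reason}] {image} (parent: {parent})\n    {cmd}")
```

The first rule deliberately requires all three conditions (script host, script extension, user-writable path) so that logon scripts run from an administered location, like the `C:\Scripts\logon.vbs` line, stay quiet; the parent process is reported alongside the hit because an archiver such as WinRAR as the parent is strong corroboration of the "opened an attachment" scenario the article describes. The shadow-copy rule matches only deletion, not `vssadmin list shadows`, which backup software and administrators run routinely.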