New PClock CryptoLocker Ransomware discovered

Update 1/11/15:: Please see this post for updated information on identifying the version you are encrypted with and how to use's Fabian Wosar's decryption tool.

 

A new ransomware called PClock has been discovered that pretends to be CryptoLocker and encrypts the data on your computer using a XOR encryption routine. This malware is dubbed PClock due to the project name found within the malware executable. How this malware is distributed is currently unknown, but once installed it will scan your computer for data files and encrypt any files that match certain file types. Once the encryption has been completed, it will display a ransom screen that displays a 72 hour timer and instructs you to send a 1 bitcoin ransom to an assigned bitcoin address in order to decrypt your files. Thankfully, Fabian Wosar of Emsisoft was able to create a decryptor for files encrypted by the PClock CryptoLocker ransomware, which is discussed further in the article.
 

 

When PClock encrypts your data files, it will store the list of encrypted files in the %UserProfile%\enc_files.txt file. The file types that this ransomware targets are:
 

.3fr, .accdb, .ai, .arw, .bay, .cdr, .cer, .cr2, .crt, .crw, .dbf, .dcr, .der, .dng, .doc, .docm, .docx, .dwg, .dxf, .dxg, .eps, .erf, .indd, .jpe, .jpg, .kdc,.mdb, .mdf, .mef, .mrw, .nef, .nrw, .odb, .odm, .odp, .ods, .odt, .orf, .p12, .p7b, .p7c, .pdd, .pef, .pem, .pfx, .ppt, .pptm, .pptx, .psd, .pst, .ptx, .r3d,.raf, .raw, .rtf, .rw2, .rwl, .srf, .srw, .wb2, .wpd, .wps, .xlk, .xls, .xlsb, .xlsm, .xlsx

When installed, the malware files will be located under %AppData%\WinCL\WinCL.exe and the main malware file is WinCL.exe. Terminating the WinCL.exe process and deleting the files will remove the infection from your computer, but will still leave your files encrypted. This ransomware will also change your desktop background to a ransom message with further instructions. The malware will then delete the Shadow Volume Copies on the infected computer by issuing the vssadmin Delete Shadows /All /Quiet command. The program will repeatedly query blockchain.info to determine if a payment has been made. If it detects a payment, it will then automatically transform itself into the decryptor and prompt you to decrypt your files as shown below.
 

Last, but not least, if you do not pay the ransom within the allotted time, it will display a last_chance.txt file that tells you to download the malware again, which supposedly gives you another 3 days to make payment.

The text of the wallpaper is:

CryptoLocker

Your important files encryption produced on this computer: photos, videos, documents, etc.

If you see this text, but do not see the "CryptoLocker" window, then your antivirus deleted "CryptoLocker" from computer.

If you need your files, you have to recover "CryptoLocker" from the antivirus quarantine, or find a copy of "CryptoLocker" in the Internet and start it again.

You can download "CryptoLocker from the link given below.

hxxp://invisioncorp.com/au/XXXXXXXXXX

Approximate destruction time of your proviate key:

1/5/2015 12:31:45 PM

If the time is finished you are unable to recover files anymore! Simply remove this wallpaper from your desktop.

To decrypt your files, please download the Emsisoft Decryptor for PClock and save it to your desktop. Once downloaded, double-click on it and the program will open and automatically import the list of encrypted files from the %UserProfile%\enc_files.txt list. When you are ready to decrypt your files, simply click on the Decrypt button. More information about using this tool can be found in the next post by Fabian.
 

Known WinCL CryptoLocker Ransomware Files:

%AppData%\WinCL\WinCL.exe
%AppData%\WinCL\winclwp.jpg
%AppData%\WinCL\temp.vbs
%UserProfile%\enc_files.txt
%UserProfile%\last_change.txt

Known WinCL CryptoLocker Ransomware Registry keys:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\wincl	%AppData%\WinCL\wincl.exe
HKCU\Control Panel\Desktop\Wallpaper	%AppData%\WinCL\winclwp.jpg

As I mentioned in a different thread before the malware doesn't leave any indication behind whether a file has been encrypted or not. That means there is no good way to figure out whether or not a file is encrypted. The file list the malware created doesn't help much either unfortunately as some of the files listed in that list are not encrypted. My decrypter tries to use the file list as good as it can to figure out which of those files have been encrypted and which haven't. That method isn't 100% accurate though.

Therefore, whenever the tool tries to decrypt a file it will create a backup of the encrypted file first. This backup will have the same name as the encrypted file but with the *.decbak extension. After you checked that your files have been decrypted you can use the Windows file search function to search for all *.decbak files and delete them in one swoop. However, since we do keep the backup it means that your data will take up a lot more space on your hard drive. You can disable the creation of the backup files in the options tab, but I strongly suggest you not to unless you run into space issues otherwise. If you do have to disable the option, I suggest you first try the decrypter on a few copies first. To do so, create a new folder somewhere and copy a few encrypted files into that folder. Then click the "Clear files" button to remove the file names obtained from the malware's encrypted file list and add the files you just copied manually using the "Add file(s)" button. Then click "Decrypt" and check that all of your test files have been decrypted properly. If they have been, just restart the decrypter to get the malware's file list back, disable the backup option and hit Decrypt to decrypt your actual files in place.

If for some reason you end up decrypting a file that wasn't encrypted to begin with, you can restore the file by just decrypting the file again. I did my best to avoid this situation, but since the malware is poorly written you may end up in that situation.

Okay, now that we have that out of the way, you can download the decrypter here:

http://emsi.at/DecryptPClock

If you run into any issues, please let me know. You can either post here or send me an email. If this decrypter worked for you, please post some feedback. Increased post frequency will increase the search ranking of this thread in search engines like Google, making it easier for other victims of the same malware to find the topic and the solution to their problem.

Edited by Fabian Wosar, 03 January 2015 - 03:24 PM.

So, do you kill the process first?  Do you delete the files before or after running the decryptor?

I am assuming you kill the processes first. Just terminate WinCL from taskmanager.

That program worked like a charm! Thank you so much, everything was recovered!!!

 

EDIT: My Excel Spreadsheet files did not decrypt. Any ideas? .xlsx files

Edited by WavyHD, 05 January 2015 - 08:49 PM.

Does this work with jpegs or Mp3s?

Hi, I tried using the emisoft decrypter but it didn't decrypt any encrypted files. Below is a clipboard copy of the results. The .jpg file still does not open. 

 

 

Hello, I should kill producer of this application - Files with docx extension after logs:

So, do you kill the process first?  Do you delete the files before or after running the decryptor?

The decrypter will actually remove an active infection for you.
 
 

That program worked like a charm! Thank you so much, everything was recovered!!!

Glad my tool was helpful.

 

EDIT: My Excel Spreadsheet files did not decrypt. Any ideas? .xlsx files

Did you check whether your Excel files were encrypted to begin with? The malware records files as being encrypted although the encryption of the file failed. The result is that decrypting those files will actually encrypt them. You can just run the decrypter again on those files only to return them to a usable state or alternatively just restore them back from the backup the decrypter created (*.decback file with the same name and in the same location as the original).
 
 

Does this work with jpegs or Mp3s?

Technically it works for all files. PClock does not target MP3s though. So your MP3 files shouldn't be encrypted to begin with. If they are you are most likely hit by a different malware than the one I analyzed.
 

Encrypted file: C:\Users\H\Pictures\29th March\IMG_2231.JPG
Decrypted file: C:\Users\H\Pictures\29th March\IMG_2231.JPG
Backup file: C:\Users\H\Pictures\29th March\IMG_2231.JPG.decbak
Status: Unable to create backup of encrypted file! [code 183]

Error code 183 means ERROR_ALREADY_EXISTS. It usually means you already decrypted that file so a backup already exists and a new backup can't be created. If you want to decrypt that file again you will have to remove the backup file first. 
 

Hello, I should kill producer of this application - Files with docx extension after logs.

Right, be angry at the guy that tries to help you instead of the guy that screwed over your files to begin with. That sounds like a completely reasonable approach.

From list that CryptoLocker displayed I removed most of the files manually from disk ctr + Delete. But some I wanted to recover. After using you program this is not possible - THANKS!!!!

Did you check that the files you tried to decrypt were encrypted to begin with? As I mentioned earlier: The malware does have various bugs so just because the file was supposed to be encrypted according to the malware it does not mean it actually was. There is no easy way to determine whether or not a file is encrypted based on its content alone as the malware does not leave behind any indications whether or not it encrypted the file. You will have to either restore those files from the backup that the decrypter created (*.decbak file in the same location as the original) or remove the decrypter backups and run it again on the files that don't work.

Error code 183 means ERROR_ALREADY_EXISTS. It usually means you already decrypted so a backup already exists and a new backup can't be created. If you want to decrypt files again you will have to remove the backup file first.

Hi again,

 

I have several ".jpg" files that cannot open, so I assume these are all encrypted.

 

below is another result from the decryption. The decryption states it was successful, but I still cannot open the .jpg. Yes it has created a backup.

 

Edited by royalflush, 06 January 2015 - 09:08 AM.

Edited by Volanz, 06 January 2015 - 10:34 AM.

Hi Guys.

I have the same problem that Royalflush. The proccess seems to be OK but nothing. I realize that been infected because I cant open any video (.avi) neither jpg. It's been working all night long and this morning only get full hdd (some files get the error code 122, problems of space I assume).

It appears the malware author updated his malware. I am currently looking into it.

It appears the malware author updated his malware. I am currently looking into it.

Okay, thanks. do you want me to upload an example encrypted jpg file?

Damn Bastard,

Now i'm working on revert all the files that has been wrong encrypted. Only at mp3 gets 4000. And Jpgs are like 10.000.

Hope your solutions gets soon Mr. Wosar.

 

Also gets some zip, pdf files encrypted too,