A New Ransomware Program Called PClock – A Heads Up

By | January 10, 2015
Print pagePDF page

Grim-Reaper

PClock – Ramsomware that can lock your files

Our friends at Emsisoft are on the ball and are on top of a new ransomware called PClock which copies CryptoLocker. If a computer is infected with PClock the user will be asked to pay a $300 ransom to unlock their files. In other words, if you don’t pay the ransom you’ll not be able to open many files including pictures stored on your computer, Office documents like Word and Excel, and many other files too. Essentially you are locked out of opening a lot of files on your computer until you pay the ransom…or so the malware miscreants would like you to believe.

We’ve been recommending Emsisoft for two years now and with every passing day our choice of Emsisoft as our number one anti-malware and anti-virus choice looks better and better. Emsisoft and Cloudeight share the same respect for our customers and our mutual customers – and both of us don’t believe everything should be done for profit.

The information below comes from Emsisoft and is published here with permission. If you know of anyone whose computer has been locked by PClock, please share this information – it may save them $300 because Emsisoft provides the fix for all versions of PClock free of charge. It might be a good idea for you to bookmark this post in case you fall victim to PClock too. You can share this article via Facebook or Twitter by clicking the appropriate icon at the top right corner of this page.

We are proud of our relationship with Emsisoft and we’re proud to recommend and sell Emsisoft Anti-Malware. It’s the security software everyone can trust.

Here is the article from Emsisoft explaining PClock; it contains links to the free PClock decryptor tool that can reverse the damaged done by PClock as well as unlocked the files PClock has encrypted and locked.

New Ransomware Alert: CryptoLocker copycat PClock discovered

Ransomware CryptoLocker was one of the most infamous malware families of the years 2013 and 2014 and although the operation behind the original CryptoLocker malware family has been dismantled in 2014, it’s still a name that frightens a lot of users and system administrators alike. It is therefore not surprising that other malware authors try to capitalize on CryptoLocker’s reputation by releasing copycats. One of the most recent copycats that we became aware of is a ransomware named PClock that showed up just a day ago. Unlike CryptoLocker though, which was a somewhat complex and sophisticated piece of malware, PClock is quite primitive by nature.

72-hour countdown timer to pay USD$300 ransom

Like all file encrypting ransomware (also known as crypto malware) PClock’s main goal is to encrypt important files on the victim’s system in order to compel them to pay a ransom in return for their files. Like CryptoLocker it gives the user a 72-hour ultimatum to pay the ransom of 1 bitcoin (approximately USD $300). Otherwise it claims to destroy the keys required to decrypt the user’s files:

^F484B8B773DF2857BE46FFE49E9230AB939DBE26ADBFCE98A7^pimgpsh_fullsize_distr

If a user does not pay the ransom within the allotted time, it will display a last_chance.txt file that tells the user to download the malware again, which supposedly gives you another 3 days to make the payment. In reality though PClock does not destroy any keys, so the countdown is pretty much meaningless.

How PClock infects a new system

At this point it is not entirely clear how PClock, which is written in Visual Basic 6, enters a user’s system. Once it manages to to execute on the victim’s system however, it will copy itself to the current user’s application data folder using the sub-folder “WinCL” and the file name “WinCL.exe”. It then establishes persistence by creating a new registry value within the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run key named “wincl” pointing towards the newly created WinCL.exe executable. The malware then tries to encrypt the victims’s files. It specifically targets files with one of the following extensions:

*.3fr, *.accdb, *.ai, *.arw, *.bay, *.cdr, *.cer, *.cr2, *.crt, *.crw, *.h, *.dbf, *.dcr, *.der, *.dng, *.doc, *.docm, *.docx, *.dwg, *.dxf, *.dxg, *.eps, *.erf, *.indd, *.jpe, *.jpg, *.kdc, *.mdb, *.mdf, *.mef, *.mrw, *.nef, *.nrw, *.odb, *.odm, *.odp, *.ods, *.odt, *.orf, *.p12, *.p7b, *.p7c, *.pdd, *.pef, *.pem, *.pfx, *.ppt, *.pptm, *.pptx, *.psd, *.pst, *.ptx, *.r3d, *.raf, *.raw, *.rtf, *.rw2, *.rwl, *.srf, *.srw, *.wb2, *.wpd, *.wps, *.xlk, *.xls, *.xlsb, *.xlsm, *.xlsx

Every files the malware tries to encrypt is recorded within a file named “enc_files.txt” located in the victim’s profile folder. After the encryption has finished the malware will try to delete and disable all shadow copies. Shadow copies is the technology that powers the Windows’ “Previous Version” feature that allows a user to restore previous versions of a file. This feature is often used by ransomware victims to recover their files so a lot of ransomware families started to destroy any previous versions created by the shadow copy service. Last but not least the malware will create a shortcut to itself on the victims’s desktop and change the victims’s desktop wallpapter to the following picture:

wallpaper

During the infection and encryption process the malware will try to maintain a log on the malware author’s command and control server:

P04552 8:08:02 AM Files encrypted
P04552 8:08:02 AM STATE: CRYPTED_OK
P04552 8:08:02 AM Delete shadows
P04552 8:08:04 AM Shadows: no ADMIN
P04552 8:11:06 AM Shadows deleted
P04552 8:11:06 AM STATE: SHADOWS_OK
P04552 8:11:06 AM Prepare
P04552 8:11:08 AM Saved BTC price – 330
P04552 8:11:11 AM Shortcut created
P04552 8:11:12 AM STATE: PREPARE_OK
P04552 8:11:12 AM Change wallpaper
P04552 8:11:13 AM Wallpaper changed

This excerpt shows an example of an infection taking place to give you an idea about what is being logged.

PClock: a lot of show but little substance

Similar to the countdown, the ransom note is far from the truth as well and even though the malware may look somewhat professional at first glance it becomes obvious quickly that the people behind it are amateurs at best. The encryption algorithm used for example is just a simple XOR based obfuscation that uses a constant key on all systems. Due to that we are able to provide a decrypter that can be found further down this post. A more severe sign for the lack of professionalism is the fact that the malware contains several disastrous bugs that may cause data loss on the victim’s system. If the malware encounters a particularly large file for example that is too big to fit into memory the malware will end up truncating the existing file instead of encrypting it. The result is a 0-byte file that contains neither the original nor the encrypted file content. Once the malware messed up a file like that the last hope for the victim are data recovery tools.

How to unlock your encrypted files

As mentioned before the encryption used by PClock is extremely weak and can easily be reverted. To help and guide you in that process we developed a small decrypter utility. Our decrypter will enable you to decrypt any PClock encrypted files that haven’t been damaged beyond repair by the malware and clean up your computer without having to pay the ransom. You can download our decrypter here: http://emsi.at/DecryptPClock

^F254945C1D47C5B6AD5EA4A9008FFD763FF5A536B9741BE0D4^pimgpsh_fullsize_distr

^3FACE4A13E8DAD75E8747860F17ACCFC831B6E2D922847791E^pimgpsh_fullsize_distr

The decrypter will use a list of encrypted files the malware stores on the victim’s system to determine which files are in need of decryption. This list is loaded automatically when you start the decrypter and in theory all you would have to do is load up the decrypter and hit the “Decrypt” button. In practice it isn’t that simple though due to the fact that the malware does not provide enough information for the decrypter to be absolutely sure that the decrypted file is exactly like the original unencrypted one that the malware targetted. We therefore decided to play it safe and keep backups of all encrypted files. These backups will take a lot of disk space and essentially double the amount of space required on your hard disk to hold both the decrypted file as well as the encrypted backup. If you are running low on disk space you can disable the backups in the decrypter’s option menu. This should be a last resort though and before you try to use the decrypter that way you should try the decrypter out on a small number of test files that you can verify manually to make sure the decrypter is operating correctly.

If you don’t feel comfortable performing the decryption process on your own, feel free to create a support request in our support forum or send us an email.

UPDATE 2015-01-06, 8PM UTC: An updated version of PClock was released where this decrypter does not work with yet. We’re working on an update. Please return in a couple of hours if you are affected by the threat. Please also read this thread at the Bleepingcomputer forum where this topic is discussed.

UPDATE 2015-01-09: the malware authors released two more versions of PClock. The good news is that the Emsisoft decrypter is ready and works for both versions. You can download the Emsisoft decrypter version 2 here. Read theinstructions thoroughly first on page 8 in the Bleepingcomputer forum discussion.

Emsisoft’s Fabian develops the decrypters in his spare time for victims of ransomware. We’d appreciate it if you share this post so that more victims of PClock can be helped…

4 thoughts on “A New Ransomware Program Called PClock – A Heads Up

  1. Brian

    Wow…what great timing for this article. I have been plaugued with several attempts at this exploit. 3 times today already. Thus far I’ve had to use task manager and close out the attemot that way or hard boot..neither of which I relish doing. EMMISOFT it is…I#m off to make a purchase now! Thanks for the great article.

    Reply
  2. Carol Ross

    Thank you for the heads up. The type of people that create & profit from things like this certainly need an honest job!!

    Reply
  3. Janice Most

    GREAT JOB, EMSISOFT & CLOUDEIGHT! A BIG THANK YOU to EB & TC; I would never have known about the fine, honest folks at Emsisoft. As soon as I read about them here, I immediately went to their site for the trial version and have been a customer ever since then. I would NEVER buy anything else to protect my computer and I recommend them all the time to family and friends. I’ll be renewing my license for their fantastic antivirus/anti-malware next month! I’m so thankful that there are still honest companies I can trust!

    Again, THANKS SO MUCH!

    Reply
  4. Bob Palmer

    Your warning is timely and much appreciated by all but, to me, it begs the question……….does any Government agency or regulatory authority trace the perpetrators and distributors of such mal ware so that they may be brought to book for their activities?

    Reply

Leave a Reply to Bob Palmer Cancel reply

Your email address will not be published. Required fields are marked *