{"id":8936,"date":"2015-01-10T09:22:31","date_gmt":"2015-01-10T14:22:31","guid":{"rendered":"http:\/\/thundercloud.net\/infoave\/new\/?p=8936"},"modified":"2015-01-10T09:36:42","modified_gmt":"2015-01-10T14:36:42","slug":"a-new-ransomware-program-called-pclock-a-heads-up","status":"publish","type":"post","link":"https:\/\/www.thundercloud.net\/infoave\/new\/a-new-ransomware-program-called-pclock-a-heads-up\/","title":{"rendered":"A New Ransomware Program Called PClock &#8211; A Heads Up"},"content":{"rendered":"<header>\n<div id=\"attachment_7066\" style=\"width: 310px\" class=\"wp-caption alignleft\"><a href=\"http:\/\/thundercloud.net\/infoave\/new\/a-new-ransomware-program-called-pclock-a-heads-up\/\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-7066\" class=\"wp-image-7066 size-medium\" src=\"http:\/\/thundercloud.net\/infoave\/new\/wp-content\/uploads\/2014\/02\/Grim-Reaper-300x300.jpg\" alt=\"Grim-Reaper\" width=\"300\" height=\"300\" srcset=\"https:\/\/www.thundercloud.net\/infoave\/new\/wp-content\/uploads\/2014\/02\/Grim-Reaper-300x300.jpg 300w, https:\/\/www.thundercloud.net\/infoave\/new\/wp-content\/uploads\/2014\/02\/Grim-Reaper-150x150.jpg 150w, https:\/\/www.thundercloud.net\/infoave\/new\/wp-content\/uploads\/2014\/02\/Grim-Reaper-660x660.jpg 660w, https:\/\/www.thundercloud.net\/infoave\/new\/wp-content\/uploads\/2014\/02\/Grim-Reaper.jpg 800w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><p id=\"caption-attachment-7066\" class=\"wp-caption-text\">PClock &#8211; Ransomware that can lock your files<\/p><\/div>\n<p class=\"entry-title\">Our friends at Emsisoft are on the ball and are on top of a new ransomware called PClock, which copies CryptoLocker. If a computer is infected with PClock, the user will be asked to pay a $300 ransom to unlock their files. 
In other words, if you don&#8217;t pay the ransom you won&#8217;t be able to open many files, including pictures stored on your computer, Office documents such as Word and Excel files, and many others. Essentially you are locked out of opening a lot of files on your computer until you pay the ransom&#8230;or so the malware miscreants would like you to believe.<\/p>\n<p class=\"entry-title\">We&#8217;ve been recommending Emsisoft for two years now, and with every passing day our choice of Emsisoft as our number one anti-malware and anti-virus product looks better and better. Emsisoft and Cloudeight share the same respect for our customers and our mutual customers &#8211; and neither of us believes everything should be done for profit.<\/p>\n<p class=\"entry-title\">The information below comes from Emsisoft and is published here with permission. If you know of anyone whose computer has been locked by PClock, please share this information &#8211; it may save them $300, because Emsisoft provides the fix for all versions of PClock free of charge. It might be a good idea for you to bookmark this post in case you fall victim to PClock too. You can share this article via Facebook or Twitter by clicking the appropriate icon at the top right corner of this page.<\/p>\n<p class=\"entry-title\">We are proud of our relationship with Emsisoft and we&#8217;re proud to recommend and <span style=\"text-decoration: underline;\"><a href=\"http:\/\/thundercloud.net\/emsisoft\/\">sell Emsisoft Anti-Malware<\/a><\/span>. 
It&#8217;s the security software everyone can trust.<\/p>\n<p class=\"entry-title\">Here is the article from Emsisoft explaining PClock; it contains links to the free PClock decrypter tool that can reverse the damage done by PClock and unlock the files PClock has encrypted.<\/p>\n<blockquote>\n<h1 class=\"entry-title\">New Ransomware Alert: CryptoLocker copycat PClock discovered<\/h1>\n<\/blockquote>\n<\/header>\n<section>\n<div class=\"entry-content\">\n<div>\n<div id=\"content\">\n<blockquote><p>Ransomware CryptoLocker was\u00a0one of the most <strong>infamous malware families<\/strong> of the years 2013 and 2014, and although the operation behind the original CryptoLocker malware family was dismantled in 2014, it\u2019s still a name that frightens a lot of users and system administrators alike. It is therefore\u00a0not surprising that other malware authors try to capitalize\u00a0on\u00a0CryptoLocker\u2019s reputation by releasing copycats. One of the most recent copycats that we became aware of is a ransomware named PClock that showed up just a day ago. Unlike CryptoLocker though, which was a somewhat complex and sophisticated piece of malware, PClock is quite primitive by nature.<\/p>\n<h3>72-hour countdown timer to pay USD$300 ransom<\/h3>\n<p>Like all file-encrypting ransomware (also known as crypto malware), PClock\u2019s main goal is to encrypt important files on the victim\u2019s system in order to compel them to <strong>pay a ransom<\/strong> in return for their files. Like CryptoLocker it gives the user a 72-hour ultimatum to pay the ransom of 1 bitcoin (approximately USD $300). 
Otherwise it claims to destroy the keys required to decrypt the user\u2019s files:<\/p>\n<p><a href=\"http:\/\/blog.emsisoft.com\/wp-content\/uploads\/2015\/01\/%5EF484B8B773DF2857BE46FFE49E9230AB939DBE26ADBFCE98A7%5Epimgpsh_fullsize_distr.png\"><img decoding=\"async\" class=\"aligncenter wp-image-11699  img-large\" src=\"https:\/\/secure-assets.readability.com\/01b95c0cbc7a6e20226fafc7f29f1f97d214fccf\/687474703a2f2f626c6f672e656d7369736f66742e636f6d2f77702d636f6e74656e742f75706c6f6164732f323031352f30312f253545463438344238423737334446323835374245343646464534394539323330414239333944424532364144424643453938413725354570696d677073685f66756c6c73697a655f64697374722d333030783232342e706e67\" alt=\"^F484B8B773DF2857BE46FFE49E9230AB939DBE26ADBFCE98A7^pimgpsh_fullsize_distr\" width=\"343\" \/><\/a><\/p>\n<p>If a user does\u00a0not pay the ransom within the allotted time, it will display a <strong><span class=\"skimlinks-unlinked\">last_chance.txt<\/span><\/strong> file that tells the user\u00a0to download the malware again, which supposedly gives you another 3 days to make the payment. In reality, though, PClock does not destroy any keys, so the countdown is pretty much meaningless.<\/p>\n<h3>How PClock infects a new system<\/h3>\n<p>At this point it is not entirely clear how PClock, which is written in Visual Basic 6, enters a user\u2019s system. Once it manages to execute on the victim\u2019s system, however, it will copy itself to the current user\u2019s application data folder using the sub-folder \u201cWinCL\u201d and the file name \u201cWinCL.exe\u201d. It then establishes persistence by creating a new registry value within the HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run key named \u201cwincl\u201d pointing towards the newly created WinCL.exe executable. The malware then tries to encrypt the victim\u2019s files. 
It specifically targets files with one of the following extensions:<\/p>\n<p>*.3fr, *.accdb, *.ai, *.arw, *.bay, *.cdr, *.cer, *.cr2, *.crt, *.crw, *.h, *.dbf, *.dcr, *.der, *.dng, *.doc, *.docm, *.docx, *.dwg, *.dxf, *.dxg, *.eps, *.erf, *.indd, *.jpe, *.jpg, *.kdc, *.mdb, *.mdf, *.mef, *.mrw, *.nef, *.nrw, *.odb, *.odm, *.odp, *.ods, *.odt, *.orf, *.p12, *.p7b, *.p7c, *.pdd, *.pef, *.pem, *.pfx, *.ppt, *.pptm, *.pptx, *.psd, *.pst, *.ptx, *.r3d, *.raf, *.raw, *.rtf, *.rw2, *.rwl, *.srf, *.srw, *.wb2, *.wpd, *.wps, *.xlk, *.xls, *.xlsb, *.xlsm, *.xlsx<\/p>\n<p>Every file the malware tries to encrypt is recorded within a file named \u201cenc_files.txt\u201d located in the victim\u2019s profile folder. After the encryption has finished, the malware will try to delete and disable all shadow copies. <strong>Shadow copies<\/strong>\u00a0are the technology that powers Windows\u2019 \u201cPrevious Versions\u201d feature, which allows a user to restore previous versions of a file. This feature is often used by ransomware victims to recover their files, so a lot of ransomware families have started to destroy any previous versions created by the shadow copy\u00a0service. 
Last but not least, the malware will create a shortcut to itself on the victim\u2019s desktop and change the victim\u2019s desktop wallpaper to the following picture:<\/p>\n<p><a href=\"http:\/\/blog.emsisoft.com\/wp-content\/uploads\/2015\/01\/wallpaper.png\"><img decoding=\"async\" class=\"aligncenter size-medium wp-image-11721 img-large\" src=\"https:\/\/secure-assets.readability.com\/5936d0b88710e90bda9b9880a26b99101d4410ac\/687474703a2f2f626c6f672e656d7369736f66742e636f6d2f77702d636f6e74656e742f75706c6f6164732f323031352f30312f77616c6c70617065722d333030783232332e706e67\" alt=\"wallpaper\" width=\"300\" \/><\/a><\/p>\n<p>During the infection and encryption process the malware will try to maintain a log on\u00a0the malware author\u2019s command and control server:<\/p>\n<p>P04552 8:08:02 AM Files encrypted<br \/>\nP04552 8:08:02 AM STATE: CRYPTED_OK<br \/>\nP04552 8:08:02 AM Delete shadows<br \/>\nP04552 8:08:04 AM Shadows: no ADMIN<br \/>\nP04552 8:11:06 AM Shadows deleted<br \/>\nP04552 8:11:06 AM STATE: SHADOWS_OK<br \/>\nP04552 8:11:06 AM Prepare<br \/>\nP04552 8:11:08 AM Saved BTC price \u2013 330<br \/>\nP04552 8:11:11 AM Shortcut created<br \/>\nP04552 8:11:12 AM STATE: PREPARE_OK<br \/>\nP04552 8:11:12 AM Change wallpaper<br \/>\nP04552 8:11:13 AM Wallpaper changed<\/p>\n<p>This excerpt shows an example of an infection taking place to give you an idea about what is being logged.<\/p>\n<h3>PClock: a lot of show but little substance<\/h3>\n<p>Similar to the countdown, the ransom note is far from the truth as well, and even though the malware may look somewhat professional at first glance, it quickly becomes obvious that the people behind it are <strong>amateurs at best<\/strong>. The encryption algorithm used, for example, is just a simple XOR-based obfuscation that uses a constant key on all systems. Because of that we are able to provide a <strong>decrypter<\/strong> that can be found further down this post. 
A more severe sign of the lack of professionalism is the fact that the malware contains <strong>several disastrous\u00a0bugs<\/strong> that may cause data loss on the victim\u2019s system. If the malware encounters a particularly large file, for example one that is too big to fit into\u00a0memory, the malware\u00a0will end up truncating the existing file instead of encrypting it. The result is a 0-byte file that contains neither the original nor the encrypted file content. Once the malware has messed up a file like that, the last hope for the victim\u00a0is data recovery tools.<\/p>\n<h3>How to unlock\u00a0your encrypted files<\/h3>\n<p>As mentioned before, the encryption used by PClock is extremely weak and can easily be reverted. To help and guide you in that process we developed a small decrypter utility. Our decrypter will enable\u00a0you to <strong>decrypt any PClock-encrypted files that haven\u2019t been damaged<\/strong> beyond repair by the malware and clean up your computer without having to pay the ransom. 
You can download our decrypter here:\u00a0<a class=\"bbc_url\" title=\"External link\" href=\"http:\/\/emsi.at\/DecryptPClock\" rel=\"nofollow external\">http:\/\/emsi.at\/DecryptPClock<\/a><\/p>\n<p><a href=\"http:\/\/blog.emsisoft.com\/wp-content\/uploads\/2015\/01\/%5EF254945C1D47C5B6AD5EA4A9008FFD763FF5A536B9741BE0D4%5Epimgpsh_fullsize_distr.png\"><img decoding=\"async\" class=\"aligncenter wp-image-11692 size-medium img-large\" src=\"https:\/\/secure-assets.readability.com\/245d79dceed611ea60215e9a1d21fac1cebb5204\/687474703a2f2f626c6f672e656d7369736f66742e636f6d2f77702d636f6e74656e742f75706c6f6164732f323031352f30312f253545463235343934354331443437433542364144354541344139303038464644373633464635413533364239373431424530443425354570696d677073685f66756c6c73697a655f64697374722d333030783232322e706e67\" alt=\"^F254945C1D47C5B6AD5EA4A9008FFD763FF5A536B9741BE0D4^pimgpsh_fullsize_distr\" width=\"300\" \/><\/a><\/p>\n<p><a href=\"http:\/\/blog.emsisoft.com\/wp-content\/uploads\/2015\/01\/%5E3FACE4A13E8DAD75E8747860F17ACCFC831B6E2D922847791E%5Epimgpsh_fullsize_distr.png\"><img decoding=\"async\" class=\"aligncenter wp-image-11696 size-medium img-large\" src=\"https:\/\/secure-assets.readability.com\/356e59e3a4656116f2aaa3d39cba86c839fdfb5f\/687474703a2f2f626c6f672e656d7369736f66742e636f6d2f77702d636f6e74656e742f75706c6f6164732f323031352f30312f253545334641434534413133453844414437354538373437383630463137414343464338333142364532443932323834373739314525354570696d677073685f66756c6c73697a655f64697374722d333030783232322e706e67\" alt=\"^3FACE4A13E8DAD75E8747860F17ACCFC831B6E2D922847791E^pimgpsh_fullsize_distr\" width=\"300\" \/><\/a><\/p>\n<p>The decrypter will use a list of encrypted files the malware stores on the victim\u2019s system to determine which files are in need of decryption. This list is loaded automatically when you start the decrypter and in theory all you would have to do is load up the decrypter and hit the \u201cDecrypt\u201d button. 
In practice it isn\u2019t that simple, though, because the malware does not provide enough information for the decrypter to be absolutely sure that the decrypted file is exactly like the original unencrypted one that the malware targeted. We therefore decided to play it safe and <strong>keep backups of all encrypted files<\/strong>. These backups will take a lot of disk space and essentially double the amount of space required on your hard disk to hold both the decrypted file and the encrypted backup. If you are running low on disk space you can disable the backups in the decrypter\u2019s option menu. This should be a last resort, though, and before you use the decrypter that way you should try it out on a small number of test files that you can verify manually to make sure the decrypter is operating correctly.<\/p>\n<p>If you don\u2019t feel comfortable performing the decryption process on your own, feel free to <a href=\"http:\/\/support.emsisoft.com\/forum\/6-help-my-pc-is-infected\/\" target=\"_blank\">create a support request in our support forum<\/a> or <a href=\"&#x6d;&#x61;&#x69;&#108;&#116;o:h&#x65;&#x6c;&#x70;&#x64;&#101;sk&#64;&#x65;&#x6d;&#x73;&#x69;&#115;oft&#x2e;&#x63;&#x6f;&#x6d;\">send us an email<\/a>.<\/p>\n<p><strong>UPDATE\u00a02015-01-06, 8PM UTC:<\/strong> An updated version of PClock was released which this decrypter does not work with yet. We\u2019re working on an update. Please return in a couple of hours if you are affected by the threat. Please also read <a href=\"http:\/\/www.bleepingcomputer.com\/forums\/t\/561970\/new-pclock-cryptolocker-ransomware-discovered\/page-3\" target=\"_blank\">this thread<\/a> at the Bleepingcomputer forum where this topic is discussed.<\/p>\n<p><strong>UPDATE 2015-01-09:<\/strong> The malware authors released\u00a0two more versions of PClock. The good news is that the Emsisoft decrypter is ready and works for both versions. 
You\u00a0can download the Emsisoft decrypter version 2\u00a0<a href=\"http:\/\/emsi.at\/DecryptPClock2%20\" target=\"_blank\">here<\/a>. Read the <a href=\"http:\/\/www.bleepingcomputer.com\/forums\/t\/561970\/new-pclock-cryptolocker-ransomware-discovered\/page-8\" target=\"_blank\">instructions<\/a> thoroughly first on page 8 of the Bleepingcomputer forum discussion.<\/p>\n<p>Emsisoft\u2019s Fabian develops the decrypters in his spare time for victims of ransomware. We\u2019d appreciate it if you\u00a0share this post\u00a0so that more victims of PClock can be helped&#8230;<\/p><\/blockquote>\n<\/div>\n<\/div>\n<\/div>\n<\/section>\n","protected":false},"excerpt":{"rendered":"<p>Our friends at Emsisoft are on the ball and are on top of a new ransomware called PClock which copies CryptoLocker. If a computer is infected with PClock the user will be asked to pay a $300 ransom to unlock their files. In other words, if you don&#8217;t pay the ransom you&#8217;ll not be able to open many\u2026 <span class=\"read-more\"><a href=\"https:\/\/www.thundercloud.net\/infoave\/new\/a-new-ransomware-program-called-pclock-a-heads-up\/\">Read More 
&raquo;<\/a><\/span><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1655,1433,1669,1426,1670,1656,779],"tags":[],"_links":{"self":[{"href":"https:\/\/www.thundercloud.net\/infoave\/new\/wp-json\/wp\/v2\/posts\/8936"}],"collection":[{"href":"https:\/\/www.thundercloud.net\/infoave\/new\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thundercloud.net\/infoave\/new\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thundercloud.net\/infoave\/new\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thundercloud.net\/infoave\/new\/wp-json\/wp\/v2\/comments?post=8936"}],"version-history":[{"count":7,"href":"https:\/\/www.thundercloud.net\/infoave\/new\/wp-json\/wp\/v2\/posts\/8936\/revisions"}],"predecessor-version":[{"id":8943,"href":"https:\/\/www.thundercloud.net\/infoave\/new\/wp-json\/wp\/v2\/posts\/8936\/revisions\/8943"}],"wp:attachment":[{"href":"https:\/\/www.thundercloud.net\/infoave\/new\/wp-json\/wp\/v2\/media?parent=8936"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thundercloud.net\/infoave\/new\/wp-json\/wp\/v2\/categories?post=8936"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thundercloud.net\/infoave\/new\/wp-json\/wp\/v2\/tags?post=8936"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}