Remove PClock Cryptolocker Ransomware and Decrypt Encrypted Files

PClock ransomware, which pretends to be the notorious CryptoLocker, one of the first infections of this kind, has been reported to encrypt files. The crypto-virus uses the XOR algorithm to encrypt the data. PClock demands 0.5 BTC, which is approximately 220 USD, to decrypt the files and give the user access to them. However, users are strongly advised NOT to pay any ransom money, because there may be a solution to decrypt the files. If you want to remove PClock from your computer and decrypt the data, please read the instructions in this article.

Threat Summary

Name: PClock
Type: Ransomware
Short Description: The ransomware encrypts files with a powerful RSA algorithm and asks for a 0.5 BTC ransom payment for decryption.
Symptoms: Files are encrypted and become inaccessible. The wallpaper is changed and a window pops up, both with the ransom note, giving a deadline to pay the ransom amount.
Distribution Method: Spam Emails, Email Attachments, File Sharing Networks.
Detection Tool: See if your system has been affected by PClock (download: Malware Removal Tool).
User Experience: Join our forum to discuss PClock Ransomware.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

PClock Ransomware – Spread

To infect users, PClock is believed to use one of the following methods:

  • Infect via malicious URLs posted as referral spam messages or spam e-mails.
  • Infect via dangerous files that may contain JavaScript or Exploit Kits that are programmed to download the payload undetected.

To begin with, the ransomware may use the following e-mail subjects to trick users into clicking on the malicious content:

  • “Your PayPal Receipt.”
  • “Your eBay order has been confirmed.”
  • “Open the attachment to see your new credit card number.”
  • “Your account has been suspended.”

Indirect social engineering attacks of this type are the primary reason users get infected by malware. We strongly advise you to check thoroughly every URL or file you believe is suspicious before it is even downloaded to your computer. One way to do this is via online security services, such as VirusTotal or HerdProtect.

PClock Ransomware – More about The Threat

After infecting a computer system, PClock may create the following files on its primary drive:

In %AppData%:
  • \WinDsk\windsk.exe – the executable of the ransomware that may encrypt files.
  • \WinDsk\windskwp.jpg – the ransom message which is set as a background after a successful infection.

On %Desktop%:
  • CryptoLocker.lnk – a support file for paying the ransom.

In the %User’s Profile% folder:
  • enc_files.txt – a list which contains the names of the files that have been encrypted by the ransomware.

In addition to that, PClock also obtains administrative permissions to modify the Windows Registry. This is done to create a registry entry that runs the malicious “windsk.exe” file every time you boot up Windows. The targeted key and its value are the following:

The key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
The values in it:
“wincl” = “{location to the malicious executable}”
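
The file locations and the Run value described above can be checked in one pass. The PowerShell below is an added example, not part of the original article or of any vendor tool; the function name Test-PClockIndicators is hypothetical, and it assumes it is run in the session of the affected user, since it reads that user's profile folders and HKEY_CURRENT_USER hive. It only reads and reports, it does not delete anything.

```powershell
# Added example: read-only check for the PClock artifacts listed in this article.
# Test-PClockIndicators is a hypothetical name; paths and "wincl" are from the article.
function Test-PClockIndicators {
    $desktop = [Environment]::GetFolderPath('Desktop')
    $candidates = @(
        (Join-Path $env:APPDATA 'WinDsk\windsk.exe'),      # ransomware executable
        (Join-Path $env:APPDATA 'WinDsk\windskwp.jpg'),    # ransom-note wallpaper
        (Join-Path $desktop 'CryptoLocker.lnk'),           # payment shortcut
        (Join-Path $env:USERPROFILE 'enc_files.txt')       # list of encrypted files
    )
    $findings = @()
    foreach ($path in $candidates) {
        if (Test-Path -LiteralPath $path) {
            $item = Get-Item -LiteralPath $path -Force     # -Force also returns hidden files
            $findings += [pscustomobject]@{
                Kind     = 'File'
                Location = $path
                Detail   = "size=$($item.Length) modified=$($item.LastWriteTime.ToString('s'))"
            }
        }
    }

    # Autorun persistence: the "wincl" value, or any Run value pointing at windsk.exe.
    $runKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $metadata = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($prop in $run.PSObject.Properties) {
            if ($metadata -contains $prop.Name) { continue }   # skip provider metadata
            if ($prop.Name -eq 'wincl' -or "$($prop.Value)" -match 'windsk\.exe') {
                $findings += [pscustomobject]@{
                    Kind     = 'RunValue'
                    Location = "$runKey\$($prop.Name)"
                    Detail   = "$($prop.Value)"
                }
            }
        }
    }
    return $findings
}

$result = @(Test-PClockIndicators)   # @() keeps .Count reliable for zero or one finding
if ($result.Count -eq 0) {
    'No PClock indicators found for the current user.'
} else {
    $result | Format-Table -AutoSize -Wrap
}
```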

After finishing the setup process, PClock Ransomware starts the encryption process. Researchers from the independent blog ID-Ransomware (http://id-ransomware.blogspot.bg) have identified that it uses the XOR cipher to encrypt files. PClock scans for files with the following extensions and encrypts them:

→ .3fr, .accdb, .ai, .arw, .bay, .cdr, .cer, .cr2, .crt, .crw, .h, .dbf, .dcr, .der, .dng, .doc, .docm, .docx, .dwg, .dxf, .dxg, .eps, .erf, .indd, .jpe, .jpg, .kdc, .mdb, .mdf, .mef, .mrw, .nef, .nrw, .odb, .odm, .odp, .ods, .odt, .orf, .p12, .p7b, .p7c, .pdd, .pef, .pem, .pfx, .ppt, .pptm, .pptx, .psd, .pst, .ptx, .r3d, .raf, .raw, .rtf, .rw2, .rwl, .srf, .srw, .wb2, .wpd, .wps, .xlk, .xls, .xlsb, .xlsm, .xlsx

Source: kb.wisc.edu

After encrypting the files, PClock changes the wallpaper of the user, with a message that makes it look like CryptoLocker:

[Image: PClock ransom note set as the desktop wallpaper]

Furthermore, it opens a window with payment instructions to further scare infected users into paying the ransom money:

[Image: PClock window with payment instructions]

The ransomware usually gives around 72 hours to pay the ransom money of 0.5 BitCoins. After this, it threatens to destroy the private keys.

Remove PClock Ransomware and Then Decrypt the Files

“Do not pay the ransom!” – This is what malware researchers advise infected users. Luckily there is a decryptor provided for PClock by EmsiSoft, and you may download it by clicking on the web link in step “3. Decrypt files encrypted by PClock Ransomware” below.

To remove PClock, you should immediately follow the instructions below. They will help you isolate this cyber-threat and remove it without damaging your system.

Manually delete PClock from your computer

Note! Important notice about the PClock threat: Manual removal of PClock requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself in just 5 minutes, using a malware removal tool.

1. Boot your PC in Safe Mode to isolate and remove PClock files and objects
2. Find malicious files created by PClock on your PC
3. Fix registry entries created by PClock on your PC

Automatically remove PClock by downloading an advanced anti-malware program

1. Remove PClock with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by PClock in the future
3. Restore files encrypted by PClock
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.


  • John McClane

    Is there anyone who confirms that decrypting actually works?

    • Hello John,

      The decrypter tool works, but some users report that it did not work on their PCs. Moreover, it was updated just recently, you can try it and get back to us to share your experience: http://emsi.at/DecryptPClock2.

      Cheers,

      STF

      • John McClane

        Thx, it looks like my encrypted files are other type than PClock. Anyway I might use it in the future in case I need it. thx

  • Anmol

    Sir, my laptop is affected by the cryptolocker and it is identified as the pclocker ransomware. How do I decrypt my files?
