Remove PClock Cryptolocker Ransomware and Decrypt Encrypted Files - How to, Technology and PC Security Forum |

Remove PClock Cryptolocker Ransomware and Decrypt Encrypted Files

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

pclock-crytolocker-image-sensorstechforum-PClock ransomware, pretending to be the notorious Cryptolocker, which is one of the first infections of this kind, has been reported to encrypt files. The crypto-virus uses the algorithm XOR to encrypt the data. The PClock ransomware wants 0.5 BTC, which is approximately 220 USD to decrypt the files and give the user access to them. However, users are strongly advised NOT to pay any ransom money, because there may be a solution to decrypt the files. If you want to remove PClock from your computer and decrypt the data, please read the instructions in this article.

Threat Summary

Short DescriptionThe ransomware encrypts files with a powerful RSA algorithm and asks a 0.5 BTC ransom payment for decryption.
SymptomsFiles are encrypted and become inaccessible. The wallpaper is changed and a window pops up, both with the ransom note, giving a deadline to pay the ransom ammount..
Distribution MethodSpam Emails, Email Attachments, File Sharing Networks.
Detection Tool See If Your System Has Been Affected by PClock


Malware Removal Tool

User ExperienceJoin our forum to Discuss PClock Ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

PClock Ransomware – Spread

To infect users, PClock is believed to use one of the following methods:

Infect via malicious URLs posted as referral spam messages or spam e-mails.
Infect via dangerous files that may contain JavaScript or Exploit Kits that are programmed to download the payload undetected.

To begin with, the ransomware may use the following e-mail subjects to convince users into clicking on the malicious content:

  • “Your PayPal Receipt.”
  • “Your eBay order has been confirmed.”
  • “Open the attachment to see your new credit card number.”
  • “Your account has been suspended.”

Such indirect social engineering type of attacks are the primary reason users get infected by malware. We strongly advise you to check thoroughly every URL or file you believe is suspicious before its even downloaded on your computer. One way to do this is via online security services, such as VirusTotal or HerdProtect, for example.

PClock Ransomware – More about The Threat

After infecting a computer system, PClock may create the following files on its primary drive:

In %AppData%:
\WinDsk\windsk.exe – the executable of the ransomware that may encrypt files.
\WinDsk\windskwp.jpg – the ransom message which is set as a background after a successful infection.
On %Desktop%:
CryptoLocker.lnk – a support file for paying the ransom.
In the %User’s Profile% folder:
enc_files.txt – a list which contains the names of the files that have been encrypted by the ransomware.

In addition to that, PClock also gets administrative permissions to modify the Windows Registry editor. This is done to create a registry entry that runs the malicious “windsk.exe” file every time you boot up Windows. The targeted key with values is the following:

The key:
The values in it:
“wincl” = “{location to the malicious executable}”

After finishing the setup process, PClock Ransomware start the encryption process. Researchers from the independent blog have identified that it uses the XOR cipher to encrypt files. PClock scans for the following files and encrypts them:

→ .3fr, .accdb, .ai, .arw, .bay, .cdr, .cer, .cr2, .crt, .crw, .h, .dbf, .dcr, .der, .dng, .doc, .docm, .docx, .dwg, .dxf, .dxg, .eps, .erf, .indd, .jpe, .jpg, .kdc, .mdb, .mdf, .mef, .mrw, .nef, .nrw, .odb, .odm, .odp, .ods, .odt, .orf, .p12, .p7b, .p7c, .pdd, .pef, .pem, .pfx, .ppt, .pptm, .pptx, .psd, .pst, .ptx, .r3d, .raf, .raw, .rtf, .rw2, .rwl, .srf, .srw, .wb2, .wpd, .wps, .xlk, .xls, .xlsb, .xlsm, .xlsx

After encrypting the files, PClock changes the wallpaper of the user, with a message that makes it look like CryptoLocker:


Furthermore, it opens up a Window with payment instructions to additionally scare off infected users into paying ransom money:


The ransomware usually gives around 72 hours to pay the ransom money of 0.5 BitCoins. After this, it threatens to destroy the private keys.

Remove PClock Ransomware after Which Decrypt the Files

“Do not pay the ransom!” – This is what malware researchers advise infected users. Luckily there is a decryptor provided for PClock by EmsiSoft, and you may download it by clicking on the web link in step “3. Decrypt files encrypted by PClock Ransomware” below.

To remove PClock, you should immediately orient towards following the instructions below. They will help you isolate this cyber-threat and remove it without damaging your system.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Follow Me:


  1. AvatarJohn McClane

    Is there anyone who confirms that decrypting actually works?

    1. SensorsTechForumSensorsTechForum

      Hello John,

      The decrypter tool works, but some users report that it did not work on their PCs. Moreover, it was updated just recently, you can try it and get back to us to share your experience:



      1. AvatarJohn McClane

        Thx, it looks like my encrypted files are other type than PClock. Anyway I might use it in the future in case I need it. thx

        1. SensorsTechForumSensorsTechForum

          You’re welcome!

          Stay tuned :)

  2. AvatarAnmol

    Sir my laptop is affected by the cryptolocker and it is identified as the pclocker ransomware, how do i decrypt my files


Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share