PClock Ransomware Support and Help Topic


118 replies to this topic

#1 Shaps

Posted 03 January 2015 - 06:11 AM

To whom it may concern:

 

Happy New Year! To kick it off in style, all my memories have been nicked.

 

I've been targeted by ransomware which I've somehow foolishly let onto my system. It's giving me a countdown of 50hrs to cough up one bitcoin. I've tried www.decryptcryptolocker.com, which doesn't recognise any of the encrypted files as encrypted, leading me to believe this is a copycat program and not the true Cryptolocker.

 

Not all files have been encrypted, which is slightly odd; I wouldn't mind so much about what has been lost if it weren't for the fact that all my photographs are currently encrypted, posing the loss of much sentimental value.

 

I have looked into Shadow Explorer, Decryptolocker and the "Past Versions" tab of Properties. No joy.

 

The Exe for the virus itself is located in AppData/WinCL. The Exe is called WinCL.exe.

 

As such, my questions are twofold:

1) Is there any chance of getting my files back, or are they irretrievable?

2) How can I purge my system of this virus? I use Avast, which was pretty good up until now - but even a direct scan of the Exe comes up as "no threat"!

 

I hope that someone may hear my plea. Please find attached a screenshot of the ransom demand in order to aid identification of this virus.

 

Yours faithfully,

User Shaps.

 

P.S.: It appears that WinCL is a front program which brings up the ransom demand screen which I have attached, enabling you to pay them.

Edited by hamluis, 03 January 2015 - 08:06 AM.
Moved from Win 8 to General Security - Hamluis.


#2 quietman7

Global Moderator

Posted 03 January 2015 - 08:49 AM

We have advised our Security Colleagues who specialize in crypto malware ransomware with a link to this topic.

Please submit a sample of an encrypted file here: http://www.bleepingcomputer.com/submit-malware.php?channel=3

You can also submit any of the malware files that you suspect were involved in causing the infection. Doing that will be helpful with investigating.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#3 Shaps

Posted 03 January 2015 - 09:10 AM

Quietman7,

 

A sample has been submitted. My many thanks. Hopefully we can get to the bottom of this.


Edited by Shaps, 03 January 2015 - 09:10 AM.


#4 Fabian Wosar

Authorized Emsisoft Representative, Security Developer

Posted 03 January 2015 - 10:42 AM

Looks like the file can be decrypted. Can you please upload a second file so I can confirm my findings? Can you also please check your system for a file named enc_files.txt and upload it as well if you manage to find it?

 

Thanks :).


Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com

#5 Hzrdgrl

Posted 03 January 2015 - 11:42 AM

It looks like I have the same virus. I was hit on January 1st. Screenshots similar to the first poster and an .exe file of the same name on my computer. It has also hijacked all my photos and documents backed up onto an external hard drive and corrupted my Dropbox (which, I believe, can be rescued through their versioning system). 

 

Will upload a file sample momentarily to the website listed in this thread. 

 

Hoping for good thoughts to save my photos and documents.



#6 savvast

Posted 03 January 2015 - 11:48 AM

Hello, 

 

I have the exact same problem. Is there a workaround?

 

Best, 

ST



#7 Hzrdgrl

Posted 03 January 2015 - 11:50 AM

Also uploaded my enc_files.txt file.



#8 Fabian Wosar

Authorized Emsisoft Representative, Security Developer

Posted 03 January 2015 - 11:53 AM

Files can be decrypted. I still need the enc_files.txt from an infected system though to figure out the format. The malware doesn't "mark" files that are encrypted in a reliable way. So it is unfortunately impossible to figure out based on the file alone whether it is encrypted or not and has to be decrypted. The malware instead maintains a list of files that it encrypted and we need to use that list to figure out which files need to be decrypted. Otherwise we end up damaging unencrypted files. I haven't gotten such a file list yet though.


Quote from Hzrdgrl: "Also uploaded my enc_files.txt file."

Great! Thanks :).


Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com

#9 Hzrdgrl

Posted 03 January 2015 - 11:56 AM

If you can help me salvage my files ... I'll owe you a really big beer. :-)



#10 savvast

Posted 03 January 2015 - 12:03 PM

I have also uploaded an encrypted file.

 

Hope this helps!



#11 Fabian Wosar

Authorized Emsisoft Representative, Security Developer

Posted 03 January 2015 - 12:19 PM

I am German, but I don't like beer :). Anyways, the decrypter works on my system. There are some limitations though. The most significant one is that it can't figure out whether it decrypted your files properly. So as a precaution it will instead create a backup copy of the encrypted file.


Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com

#12 Shaps

Posted 03 January 2015 - 12:21 PM

I have uploaded another encrypted file, and my enc_files.txt document. The problem is that not all of the files on the enc_files.txt are actually encrypted!



#13 Fabian Wosar

Authorized Emsisoft Representative, Security Developer

Posted 03 January 2015 - 12:34 PM

Quote from Shaps: "I have uploaded another encrypted file, and my enc_files.txt document. The problem is that not all of the files on the enc_files.txt are actually encrypted!"

That will pose an issue. Will have to rethink how to implement the decrypter then.


Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com

#14 grknyer

Posted 03 January 2015 - 12:37 PM

It seems that the files that get encrypted are the jpg files, and when attempting to open them they won't open. The Word documents appear to open and look normal even though it says they are encrypted. Hope this helps.


Edited by grknyer, 03 January 2015 - 12:38 PM.
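
Posts #8, #11, #12 and #14 describe one triage problem: enc_files.txt is the only record of what the malware touched, some listed files still open normally, and decrypting a file that was never encrypted damages it. The sketch below is an added example, not part of the thread and not Emsisoft's decrypter; it checks each listed file's leading bytes against the signature expected for its extension and copies the mismatches aside before any repair attempt. The one-path-per-line list format, the signature table and the sample files are assumptions constructed for illustration.

```python
import shutil
import tempfile
from pathlib import Path

# Leading bytes expected for common photo and document types.
MAGIC = {
    ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n", ".pdf": b"%PDF-",
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04",
    ".doc": b"\xd0\xcf\x11\xe0", ".xls": b"\xd0\xcf\x11\xe0",
}

def classify(path):
    """Return 'intact', 'suspect', 'unknown' (no signature known) or 'missing'."""
    path = Path(path)
    if not path.is_file():
        return "missing"
    magic = MAGIC.get(path.suffix.lower())
    if magic is None:
        return "unknown"
    with path.open("rb") as fh:
        return "intact" if fh.read(len(magic)) == magic else "suspect"

def triage(list_file, backup_dir):
    """Classify every listed file; copy suspects aside before any repair attempt."""
    backup_dir = Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    report = {}
    # Assumption: one path per line (the thread does not give the list format).
    lines = Path(list_file).read_text(errors="replace").splitlines()
    for n, line in enumerate(lines):
        entry = line.strip()
        if not entry:
            continue
        report[entry] = classify(entry)
        if report[entry] == "suspect":
            # Index prefix keeps same-named files from different folders apart.
            shutil.copy2(entry, backup_dir / f"{n:05d}_{Path(entry).name}")
    return report

def demo():
    """Run triage over constructed sample files in a temporary directory."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "photo.jpg": b"\x13\x37\x00\x42 scrambled",  # listed, header destroyed
        "letter.docx": b"PK\x03\x04 still a zip",    # listed, header still valid
        "notes.txt": b"plain text",                  # listed, no signature to test
    }
    for name, data in samples.items():
        (root / name).write_bytes(data)
    listing = root / "enc_files.txt"
    listing.write_text("\n".join(str(root / n) for n in [*samples, "gone.png"]))
    report = triage(listing, root / "backup")
    backups = sorted(p.name for p in (root / "backup").iterdir())
    return {Path(k).name: v for k, v in report.items()}, backups
```

A matching header only shows that the first bytes are what the file type expects; it does not prove the rest of the file is undamaged, so "intact" entries still deserve a manual open before they are trusted.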


#15 savvast

Posted 03 January 2015 - 12:38 PM

Wincl.exe seems to be working as long as the PC stays online. In my case, whereas in the beginning some of the files seemed not to be encrypted, eventually they all were. I believe this was also the case with the original Cryptolocker virus.

Excuse my questions; however, I am new to the forum. Is the decrypter available for download?

 

 

Best, 

ST





