
PClock Ransomware Support and Help Topic


131 replies to this topic

#16 Hzrdgrl

Hzrdgrl

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Canada
  • Local time:02:57 AM

Posted 03 January 2015 - 12:40 PM

I have a wide variety of file types that have been encrypted. Mostly .jpg's but lots of Word docs and some .pdf's among others.

More than happy to upload more, if needed.


#17 Fabian Wosar

Fabian Wosar

    Authorized Emsisoft Representative


  • Security Developer
  • 743 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:07:57 AM

Posted 03 January 2015 - 12:48 PM

> Excuse my questions however I am new to the forum. Is the decrypter available for download?

Not yet. Please understand that I want to make absolutely sure that the decrypter doesn't cause more harm than it does good by decrypting files that don't need decrypting. It will take another hour or so until I have finished all my tests to make sure it is stable. I will let you know once it is available.


Edited by Fabian Wosar, 03 January 2015 - 12:57 PM.

Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com

#18 Shaps

Shaps
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:57 AM

Posted 03 January 2015 - 01:46 PM

Mr. Savvast,

I'm not noticing any progressive "encryption creep", but then it's only been 12 hours and there are a lot of files.

Then again, I quickly found the WinCL process in task manager and ended it manually, so that might have something to do with it.

 

Also, Herr Wosar, might the decrypter work for photographs?

 

My many, many thanks again.


Edited by Shaps, 03 January 2015 - 01:46 PM.


#19 Fabian Wosar

Fabian Wosar

    Authorized Emsisoft Representative


  • Security Developer
  • 743 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:07:57 AM

Posted 03 January 2015 - 02:59 PM

I finished the decrypter. Before I give you the link, I need to explain a few things though first:
 
As I mentioned before, the malware doesn't leave any indication behind whether a file has been encrypted or not. That means there is no good way to figure out whether or not a file is encrypted. The file list the malware created doesn't help much either, unfortunately, as some of the files listed in that list are not encrypted. My decrypter tries to use the file list as well as it can to figure out which of those files have been encrypted and which haven't. That method isn't 100% accurate though.
 
Therefore, whenever the tool tries to decrypt a file, it will create a backup of the encrypted file first. This backup will have the same name as the encrypted file but with the *.decbak extension. After you have checked that your files have been decrypted, you can use the Windows file search function to search for all *.decbak files and delete them in one swoop. However, since we do keep the backup, it means that your data will take up a lot more space on your hard drive. You can disable the creation of the backup files in the options tab, but I strongly suggest you don't unless you run into space issues. If you do have to disable the option, I suggest you first try the decrypter on a few copies. To do so, create a new folder somewhere and copy a few encrypted files into that folder. Then click the "Clear files" button to remove the file names obtained from the malware's encrypted file list and add the files you just copied manually using the "Add file(s)" button. Then click "Decrypt" and check that all of your test files have been decrypted properly. If they have been, just restart the decrypter to get the malware's file list back, disable the backup option and hit Decrypt to decrypt your actual files in place.
 
If for some reason you end up decrypting a file that wasn't encrypted to begin with, you can restore the file by just decrypting the file again. I did my best to avoid this situation, but since the malware is poorly written you may end up in that situation.
 
Okay, now that we have that out of the way, you can download the decrypter here:
 
http://emsi.at/DecryptPClock
 
If you run into any issues, please let me know. You can either post here or send me an email. If this decrypter worked for you, please post some feedback. Increased post frequency will increase the search ranking of this thread in search engines like Google, making it easier for other victims of the same malware to find the topic and the solution to their problem.

Edited by Fabian Wosar, 03 January 2015 - 04:18 PM.

Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com
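
An added example, not part of the post above and not Emsisoft's code: a read-only check to run before deleting the *.decbak backups, which compares file headers to decide whether each decrypted file is valid or whether the backup holds the good copy because the file was never encrypted. It assumes the backup name is the original name with `.decbak` appended (e.g. `photo.jpg.decbak`); the function names and the sample bytes in `demo()` are constructed for illustration.

```python
import tempfile
from pathlib import Path

# Well-known leading bytes for the file types mentioned in this thread.
MAGIC = {
    ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff", ".pdf": b"%PDF-",
    ".docx": b"PK\x03\x04", ".doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
    ".pst": b"!BDN",
}

def header_ok(path, ext):
    """True/False when the header matches/mismatches ext; None if ext is unknown."""
    sig = MAGIC.get(ext.lower())
    if sig is None:
        return None
    with open(path, "rb") as fh:
        return fh.read(len(sig)) == sig

def triage_backups(root):
    """Classify each *.decbak under root by the state of the file next to it."""
    out = {"delete_backup": [], "restore_backup": [], "review": []}
    for bak in sorted(Path(root).rglob("*.decbak")):
        target = bak.with_suffix("")  # ASSUMPTION: photo.jpg -> photo.jpg.decbak
        rel = str(bak.relative_to(root))
        if not target.is_file() or target.stat().st_size == 0:
            out["review"].append(rel)          # missing or 0-byte result
        elif header_ok(target, target.suffix):
            out["delete_backup"].append(rel)   # decryption produced a valid file
        elif header_ok(bak, target.suffix):
            out["restore_backup"].append(rel)  # backup is valid: never encrypted
        else:
            out["review"].append(rel)          # unknown type or neither copy valid
    return out

def demo():
    """Run the triage over a constructed directory (sample bytes, not real data)."""
    with tempfile.TemporaryDirectory() as d:
        files = {
            "a.jpg": b"\xff\xd8\xff\xe0JFIF", "a.jpg.decbak": b"\x13\x37\x00\x01junk",
            "b.pdf": b"\x9a\x11\x22\x33junk", "b.pdf.decbak": b"%PDF-1.4\n",
            "c.pst": b"", "c.pst.decbak": b"\x00\x00\x00\x00",
            "d.xyz": b"whatever", "d.xyz.decbak": b"whatever2",
        }
        for name, data in files.items():
            (Path(d) / name).write_bytes(data)
        return triage_backups(d)

if __name__ == "__main__":
    for verdict, names in demo().items():
        print(verdict, names)
```

The script only reports; anything listed under `review` (0-byte results, unknown file types) should be opened by hand before its backup is removed.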

#20 stratslngr

stratslngr

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:10:57 PM

Posted 03 January 2015 - 03:15 PM

I have this exact cryptolocker copy I believe. It manifested yesterday morning. I have Wincl.exe process and the enc_files.txt file in my user folder. How can I help you and will your decryptor work for me? I have an outlook.pst file specifically I need to recover. It is showing a file size of 0kb however. Is the file hidden, moved, etc.?



#21 Shaps

Shaps
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:57 AM

Posted 03 January 2015 - 03:18 PM

Herr Wosar!

 

This works perfectly! You've saved me all my photographs from over the past few years, the sentimental value of which I cannot overstate. You are truly a god amongst men!

 

I found that if you're willing to put a little more time into it, one can go through folder by folder and decrypt whatever one finds by clearing the list on the decrypter, finding the folder in question and then doing exactly as you prescribe.

 

I cannot thank you enough. You have saved a young fool.

 

I have one last question. If I now plug in a back-up drive, will the virus transfer itself over to the drive or is this a one-time operation? Am I safe to back everything up anew?

 

My thanks once more.



#22 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 18,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Quebec, Canada
  • Local time:02:57 AM

Posted 03 January 2015 - 03:23 PM

Someone came on my forum with that infection. I redirected it to BleepingComputer and he now has a thread open here to get rid of it. I'll also link him your reply Fabian. Thank you for everything that you're doing :)

Edited by Aura., 03 January 2015 - 03:23 PM.

Technical Support, Tier 2 | Sysnative Windows Update Senior Analyst | Malware Hunter | R&D at Certly | @AuraTheWhiteHat
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#23 Fabian Wosar

Fabian Wosar

    Authorized Emsisoft Representative


  • Security Developer
  • 743 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:07:57 AM

Posted 03 January 2015 - 03:34 PM

> How can I help you and will your decryptor work for me? I have an outlook.pst file specifically I need to recover. It is showing a file size of 0kb however. Is the file hidden, moved, etc.?

If the malware didn't damage the file, which may happen unfortunately, the decrypter will be able to decrypt the file. However, if the PST file has a size of 0 on your system, chances are the malware damaged the file. Sorry.
 

> Herr Wosar!

Please, call me Fabian. Herr Wosar is my dad ;).
 

> This works perfectly! You've saved me all my photographs from over the past few years, the sentimental value of which I cannot overstate.

I am glad my small tool was of help :).
 

> I found that if you're willing to put a little more time into it, one can go through folder by folder and decrypt whatever one finds by clearing the list on the decrypter, finding the folder in question and then doing exactly as you prescribe.

Yes, in general that will work as well. But it can take a long time if you have a lot of files/folders.
 

> I have one last question. If I now plug in a back-up drive, will the virus transfer itself over to the drive or is this a one-time operation? Am I safe to back everything up anew?

The decrypter will remove the malware if it is found on your system. So your files should be safe from at least the PClock malware that encrypted your files previously. There is a catch though. At this point we have no idea how this particular malware infects a system. There is a good chance that PClock is just a secondary infection that was placed on your system by a different malware entirely which may still be active. So I strongly suggest you create a malware removal case with the excellent malware removal staff here so they can make sure your system is clean. You can create a malware removal request here:

http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/
 

> Someone came on my forum with that infection. I redirected it to BleepingComputer and he now has a thread open here to get rid of it. I'll also link him your reply Fabian. Thank you for everything that you're doing :)

You are very welcome. Make sure to mention that he should invest in a good backup solution in your closing speech ;).

Edited by Fabian Wosar, 03 January 2015 - 03:34 PM.

Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com

#24 Hzrdgrl

Hzrdgrl

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Canada
  • Local time:02:57 AM

Posted 03 January 2015 - 03:37 PM

Thank-you!!


Edited by Hzrdgrl, 03 January 2015 - 03:38 PM.


#25 stratslngr

stratslngr

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:10:57 PM

Posted 03 January 2015 - 04:46 PM

Fabian! You are the man! Your decrypter definitely works. The pst file however was corrupted. Luckily I found one on another partition that is only slightly out of date.

 

Now my question is:

 

I want to do a new windows install on a fresh drive and, using your program, select individual folders to decrypt on the old drive from the new windows installation. Is this possible?

 

I have decrypted a couple folders already by clearing the initial list as read by your program and browsing to infected folders or individual files and it works like a charm.

 

Thank you!


Edited by stratslngr, 03 January 2015 - 04:51 PM.


#26 savvast

savvast

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:06:57 AM

Posted 03 January 2015 - 06:33 PM

Dear Fabian,

 

the solution worked perfectly!

 

Many thanks!



#27 Fabian Wosar

Fabian Wosar

    Authorized Emsisoft Representative


  • Security Developer
  • 743 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:07:57 AM

Posted 03 January 2015 - 06:41 PM

> Fabian! You are the man! Your decrypter definitely works. The pst file however was corrupted. Luckily I found one on another partition that is only slightly out of date.

Yeah, I took a closer look at the malware and it contains a bug that causes large files to be corrupted instead of encrypted.
 

> I want to do a new windows install on a fresh drive and, using your program, select individual folders to decrypt on the old drive from the new windows installation. Is this possible?

That will work just fine. The decryption key is the same on every system. So re-installing won't damage anything that would be required to decrypt your files.
 

> I have decrypted a couple folders already by clearing the initial list as read by your program and browsing to infected folders or individual files and it works like a charm.

Thanks for taking the time and letting me know. I am glad I could be of help :).

Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com

#28 Fabian Wosar

Fabian Wosar

    Authorized Emsisoft Representative


  • Security Developer
  • 743 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:07:57 AM

Posted 03 January 2015 - 06:43 PM

> the solution worked perfectly!

Thanks for taking the time and letting me know. You are very welcome and I am glad I could be of help :).

Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com

#29 Dipsgal

Dipsgal

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:06:57 AM

Posted 05 January 2015 - 10:58 AM

Hi

 

The decryptor worked on all my documents but not my photos. When I copy every photo into the decryptor it works though. But I have 5 years worth of thousands of photos. Will I need to copy them all across for them to be decrypted?

 

And how do I know the PClock is gone from my system?

 

Thank you so much for developing this!



#30 Fabian Wosar

Fabian Wosar

    Authorized Emsisoft Representative


  • Security Developer
  • 743 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:07:57 AM

Posted 05 January 2015 - 03:36 PM

> The decryptor worked on all my documents but not my photos. When I copy every photo into the decryptor it works though. But I have 5 years worth of thousands of photos. Will I need to copy them all across for them to be decrypted?

Try running the decrypter as an administrator by right clicking the program and selecting "Run as administrator".
 

> And how do I know the PClock is gone from my system?

The first thing the decrypter will do is remove the infection. At this point we have no idea how this particular malware infects a system. There is a good chance that PClock is just a secondary infection that was placed on your system by a different malware entirely which may still be active. So I strongly suggest you create a malware removal case with the excellent malware removal staff here so they can make sure your system is clean. You can create a malware removal request here:

http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com



