PClock Ransomware Support and Help Topic


135 replies to this topic

#106 MishaZip (Members, 7 posts)

Posted 09 June 2017 - 08:59 PM

So godsys is incurable in terms of decryption? I mean, the way it affects the files.




#107 jwoods301 (Members, 1,489 posts)

Posted 09 June 2017 - 09:06 PM

So godsys is incurable in terms of decryption? I mean, the way it affects the files.

 

Correct. The newer variants are not decryptable...

 

https://www.bleepingcomputer.com/forums/t/561919/pclock-ransomware-support-and-help-topic/?p=4145724

https://www.bleepingcomputer.com/forums/t/561919/pclock-ransomware-support-and-help-topic/?p=4201483

https://www.bleepingcomputer.com/forums/t/561919/pclock-ransomware-support-and-help-topic/?p=4243538



#108 MishaZip (Members, 7 posts)

Posted 09 June 2017 - 09:28 PM

I can give you a Dropbox link to the RAR archive where I put all the files I could physically locate that I believe are associated with the above-mentioned godsys.

https://www.dropbox.com/s/zp3epnalieecsmq/WinRAR%20archive%20%282%29.rar?dl=0

God, this impossibility to decrypt will force me to spend hundreds of hours to recover at least 90% of my files.



#109 jwoods301 (Members, 1,489 posts)

Posted 09 June 2017 - 09:43 PM

I can give you a Dropbox link to the RAR archive where I put all the files I could physically locate that I believe are associated with the above-mentioned godsys.

https://www.dropbox.com/s/zp3epnalieecsmq/WinRAR%20archive%20%282%29.rar?dl=0

God, this impossibility to decrypt will force me to spend hundreds of hours to recover at least 90% of my files.

 

You can back up the encrypted files and hope there might be a solution in the future.

 

That's why doing frequent full disk image backups and daily backups of volatile personal files is important.

 

https://www.hanselman.com/blog/TheComputerBackupRuleOfThree.aspx

 

Hard lesson to learn.


Edited by jwoods301, 09 June 2017 - 10:05 PM.


#110 quietman7 (Bleepin' Janitor, Global Moderator, 50,096 posts, Virginia, USA)

Posted 09 June 2017 - 10:32 PM

Most crypto malware will typically delete (though not always) all shadow copy snapshots (created if System Restore was enabled) with vssadmin.exe so that you cannot restore your files from before they had been encrypted using native Windows Previous Versions or a program like Shadow Explorer. But it never hurts to try in case the malware did not do what it was supposed to do... it is not uncommon for these infections to sometimes fail to properly delete Shadow Volume Copies.

In some cases the use of file recovery software such as R-Studio or PhotoRec may be helpful to recover some of your original files, but there is no guarantee that will work either... again, it never hurts to try.

If that is not a viable option, the only other alternative, as noted by jwoods301, is to back up/save your encrypted data as is and wait for a possible breakthrough... meaning that, although decryption of your data seems impossible at the moment, there is always hope that someday there may be a solution.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
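The post above says the first thing to check is whether the malware actually managed to run vssadmin.exe against the shadow copies. The script below is an added example (not a tool from this thread or from BleepingComputer) that flags that behaviour in process-creation telemetry: it assumes Security event 4688 records (with command-line auditing enabled; Sysmon event 1 carries the same CommandLine field) have been flattened to one key=value line each, and the SAMPLE_LOG records are constructed for the example, including the assumed dropper path and the wxdsys.exe name another poster reports. It goes beyond the thread by also matching the wmic and PowerShell ways of reaching the same result, and it deliberately ignores benign `vssadmin list shadows` runs.

```python
"""Flag shadow-copy deletion in Windows process-creation telemetry.

Added example for this thread, not a forum tool.  Input records are assumed
to be one flattened key=value line per process-creation event; SAMPLE_LOG
below is constructed data, not a real log from any poster's machine.
"""
import re
from typing import Dict, List, Optional

# Command lines that destroy or starve Volume Shadow Copies.  vssadmin.exe is
# the tool named in the thread; the wmic and PowerShell forms are added here
# because they have the same effect and appear in the same telemetry.
SHADOW_DELETION_PATTERNS = [
    (re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
     "vssadmin delete shadows"),
    (re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I),
     "vssadmin resize shadowstorage (evicts existing snapshots)"),
    (re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
     "wmic shadowcopy delete"),
    (re.compile(r"\bwin32_shadowcopy\b.*\bremove-wmiobject\b", re.I),
     "PowerShell Win32_ShadowCopy removal"),
]

# key=value or key="value with spaces" tokens, as used in the constructed records.
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line: str) -> Dict[str, str]:
    """Split one flattened event record into a field dict."""
    return {key: quoted if quoted else bare for key, quoted, bare in _FIELD.findall(line)}


def classify_command_line(cmd: str) -> Optional[str]:
    """Reason string if cmd deletes shadow copies, None for benign commands
    such as 'vssadmin list shadows' or 'vssadmin create shadow'."""
    for pattern, reason in SHADOW_DELETION_PATTERNS:
        if pattern.search(cmd):
            return reason
    return None


def find_shadow_deletion(lines: List[str]) -> List[Dict[str, str]]:
    """Return the process-creation records whose command line wipes snapshots,
    keeping the parent process so the responder can see what launched it."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("EventID") != "4688":
            continue
        cmd = rec.get("CommandLine", "")
        reason = classify_command_line(cmd)
        if reason is not None:
            hits.append({
                "time": rec.get("Timestamp", "?"),
                "parent": rec.get("ParentProcessName", "?"),
                "reason": reason,
                "cmdline": cmd,
            })
    return hits


# Constructed sample records (assumed paths and user name; not real logs).
SAMPLE_LOG = [
    # the dropper wiping every snapshot, quietly
    'Timestamp=2017-06-19T18:01:03 EventID=4688 SubjectUserName=victim '
    'NewProcessName=C:\\Windows\\System32\\vssadmin.exe '
    'CommandLine="vssadmin.exe delete shadows /all /quiet" '
    'ParentProcessName=C:\\Users\\victim\\AppData\\Local\\Temp\\wxdsys.exe',
    # an administrator merely listing snapshots: must not fire
    'Timestamp=2017-06-19T18:05:41 EventID=4688 SubjectUserName=admin '
    'NewProcessName=C:\\Windows\\System32\\vssadmin.exe '
    'CommandLine="vssadmin.exe list shadows" '
    'ParentProcessName=C:\\Windows\\System32\\cmd.exe',
    # same goal through WMI
    'Timestamp=2017-06-19T18:01:04 EventID=4688 SubjectUserName=victim '
    'NewProcessName=C:\\Windows\\System32\\wbem\\wmic.exe '
    'CommandLine="wmic.exe shadowcopy delete" '
    'ParentProcessName=C:\\Users\\victim\\AppData\\Local\\Temp\\wxdsys.exe',
    # the victim opening the ransom note: benign
    'Timestamp=2017-06-19T18:07:10 EventID=4688 SubjectUserName=victim '
    'NewProcessName=C:\\Windows\\System32\\notepad.exe '
    'CommandLine="notepad.exe C:\\Users\\victim\\Desktop\\Your files are locked !.txt" '
    'ParentProcessName=C:\\Windows\\explorer.exe',
    # shrinking shadow storage so Windows discards the snapshots itself
    'Timestamp=2017-06-19T18:01:05 EventID=4688 SubjectUserName=victim '
    'NewProcessName=C:\\Windows\\System32\\vssadmin.exe '
    'CommandLine="vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB" '
    'ParentProcessName=C:\\Users\\victim\\AppData\\Local\\Temp\\wxdsys.exe',
]


if __name__ == "__main__":
    for hit in find_shadow_deletion(SAMPLE_LOG):
        print(f'{hit["time"]}  {hit["reason"]:<55} parent={hit["parent"]}')
```

On the victim machine itself the quick check is `vssadmin list shadows` from an elevated prompt: if snapshots are still listed, the Previous Versions tab or Shadow Explorer can be tried as the post suggests; if the log shows one of the command lines above was run, expect them to be gone.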

#111 MishaZip (Members, 7 posts)

Posted 12 June 2017 - 10:45 AM

I was told that the encrypted files have the virus in them. I mean, I deleted the virus (I guess) but I kept the files. Are the files virus-wise dangerous?

Can i keep them on my hard drive and be safe? 



#112 quietman7 (Bleepin' Janitor, Global Moderator, 50,096 posts, Virginia, USA)

Posted 12 June 2017 - 02:34 PM

The encrypted files do not contain malicious code so they are safe.

However, imaging the drive backs up everything related to the infection including encrypted files, ransom notes and registry entries containing possible information which may be needed if a solution is ever discovered. Even if a decryption tool is available, there is no guarantee it will work properly or that the malware developer will not release a new variant to defeat the efforts of security researchers so keeping a backup of the original encrypted files and related information is a good practice.

#113 ldme32 (Members, 1 post)

Posted 19 June 2017 - 06:06 PM

Hi, I got the ransom file...

 

This is what the note says:

 

Your personal files encryption produced on this computer: photos, videos, documents, etc.
Encryption was produced using a unique public key RSA-2048 generated for this computer.
 
To decrypt files you need to obtain the private key.
 
If your time is up, or you or your antivirus deleted CryptoLocker from your computer,
and you do not see CryptoLocker window - the latest copy of the key remains our support.
 
To obtain the private key for this computer, you need pay 0.25 Bitcoin (~652 USD)
 
---------------------------------------------------------------------------------------------------
 
Your Bitcoin address:
 
192sSS97tjySJzupYo3D7pPt5vB9R6Xnuw
 
You must send 0.25 Bitcoin to the specified address and report it to e-mail customer support.
 
In the letter title you must specify your Bitcoin address to which the payment was made.
 
Support e-mail: sp02@protonmail.com sp02@t.pl
 
Please do not contact customer support with the request to get the key for free.
Such messages will be marked as spam and decryption in the future will be impossible.
 
Thank you for understanding.
 
---------------------------------------------------------------------------------------------------
 
The most convenient tool for buying Bitcoins in our opinion is the site:
 
 
There you can buy Bitcoins in your country in any way you like, including electronic payment systems,
credit and debit cards, money orders, and others.
 
Instructions for purchasing Bitcoins on account localbitcoins.com read here:
 
 
Video tutorial detailing on buying Bitcoins using the site localbitcoins.com here:
 
 
Please check other ways to buy bitcoins:
 
 
 
Also you can use to buy Bitcoins these sites:
 
https://www.bitstamp.net/ - Big BTC exchanger
https://www.coinbase.com/ - Other big BTC exchanger
https://btcdirect.eu/ - Best for Europe
https://coincafe.com/ - Recommended for fast, many payment methods
https://bittylicious.com/ - Good service for Europe and World
 
---------------------------------------------------------------------------------------------------
 
Please do not try to decrypt the files by third-party decryptors, an error that allowed
to decrypt files for free, it has been found and corrected as early as one of the earliest versions.
Decrypt the files for free at the moment is impossible. Do not waste your time!
 
Attention!
 
After 168 hours, we reserve the right to increase the amount of the payment at its discretion.


#114 quietman7 (Bleepin' Janitor, Global Moderator, 50,096 posts, Virginia, USA)

Posted 19 June 2017 - 06:23 PM

Unfortunately, newer PClock variants are not decryptable and there is no longer any way to provide decryption without paying the ransom.

#115 lipos (Members, 1 post, Beirut, Lebanon)

Posted 21 June 2017 - 06:40 AM

Thank you for this great forum and all the great information you share! 

I've read all the topics regarding Cryptolocker (the new clones) and this one; ID Ransomware identified my ransomware as PClock (updated), and I thought I'd share my findings in the hope it will be helpful someday in decrypting the affected files (.jpg, .txt, .pdf, .zip, .rar etc.; .mp3 and .wav are not affected, among others).

I got the ransomware, I think, through a legit Windows pop-up about an update; I cancelled the first time and it popped up again, so I made the innocent mistake of clicking yes. (Someone here mentioned the same thing happening earlier.)

The file that originated the ransomware is wxdsys.exe; I already deleted the file using HitmanPro (I wish I had uploaded the file here before deleting it; I read the forum after deleting).

Now, one thing that caught my attention was that the Recycle Bin contained an unnamed file with no extension which is huge (around 600 000 000 000 000 KB); the "date deleted" shown is 7/7/7533 and the date modified is 06/19/2017. I got the ransomware pop-up on 06/20/2017!!

As I've read before (I hope I understood well; I had to absorb all the information from yesterday to today, barely sleeping), the ransomware creates an encrypted copy of the original files and deletes the originals. What if the original files are in the Recycle Bin, in that file? Perhaps there is a way to retrieve the deleted files from the Recycle Bin?

I've tried Shadow Explorer with no luck. I tried System Restore, which had only one restore point, the "Windows update"; I tried restoring to that point (that was before deleting the ransomware; should I try now, after deleting??? Would it help recover my files?), and I still want to try using file recovery software.

I'm in no way paying the criminals for the files, even though I am a music producer with really important zip files affected (I'll recompose every piece I made and not support those crooks!). I was willing to pay Dr.Web or Alessandro, the Italian guy (when I thought I had Crypt0l0ck), but after reading this forum, since you said there is no solution, I'm rethinking contacting them to hear negative feedback.

By the way, I'm located in Beirut, Lebanon, if that helps with the geolocations affected.

Hope my comment will help someone in decrypting!



#116 kolonita (Members, 13 posts)

Posted 21 June 2017 - 03:14 PM

Did you restore your files?

My laptop has been hit by Cryptolocker (the "Your files are locked" note).

I really don't know what to do (tried Malwarebytes, HitmanPro, AVG), no joy.



#117 quietman7 (Bleepin' Janitor, Global Moderator, 50,096 posts, Virginia, USA)

Posted 21 June 2017 - 03:24 PM

PClock (and PClock2) is a Cryptolocker copycat that does not append an obvious extension to the end of the encrypted data filename or use a file marker. PClock2 will leave files (ransom notes) with names like Your files are locked !.txt and Your files are locked !!!!.txt.

If you need individual assistance only with removing the malware infection, follow the instructions in the Malware Removal and Log Section Preparation Guide...all other questions or comments should be posted in the support topics. When you have done that, start a new topic and post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team.

Note: Disinfection will not help with decryption of any files affected by the ransomware.
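Because PClock neither renames the encrypted files nor stamps a marker into them, the usual "find every *.locked file" triage does not work. The script below is an added example (not a tool from this thread or from BleepingComputer) of how a responder can still inventory the damage: it finds the ransom notes by the two names quietman7 gives, and it flags files whose extension promises a well-known magic signature that is no longer there and whose leading bytes look like ciphertext (high Shannon entropy). The MAGIC table, the entropy threshold, and the sample directory that build_sample_tree() creates are assumptions for the example; the entropy test goes beyond anything the thread states and is a heuristic, so treat the output as a candidate list, not proof.

```python
"""Find PClock-style encrypted files that carry no new extension or marker.

Added example for this thread, not a forum tool.  The MAGIC table, the
ENTROPY_THRESHOLD and the constructed sample tree are assumptions.
"""
import math
import random
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Ransom-note names quoted in the thread; the regex accepts any run of '!'.
NOTE_NAME = re.compile(r"^your files are locked ?!+\.txt$", re.IGNORECASE)

# Leading bytes the named types normally carry (assumed table; extend as needed).
MAGIC: Dict[str, tuple] = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".pdf": (b"%PDF-",),
    ".zip": (b"PK\x03\x04", b"PK\x05\x06"),
    ".rar": (b"Rar!\x1a\x07",),
}

ENTROPY_THRESHOLD = 7.0  # bits per byte; ciphertext sits near 8, text near 4-5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input, 8.0 for uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def header_matches(path: Path) -> Optional[bool]:
    """True if the file starts with the magic its extension implies, False if
    it does not, None when the extension is not in MAGIC (cannot judge)."""
    sigs = MAGIC.get(path.suffix.lower())
    if sigs is None:
        return None
    with path.open("rb") as f:
        head = f.read(16)
    return any(head.startswith(s) for s in sigs)


def find_ransom_notes(root: Path) -> List[Path]:
    return sorted((p for p in root.rglob("*") if p.is_file() and NOTE_NAME.match(p.name)), key=str)


def suspect_encrypted(root: Path, sample_bytes: int = 4096) -> List[Path]:
    """Files whose expected magic is gone AND whose first block is high-entropy."""
    hits = []
    for p in root.rglob("*"):
        if not p.is_file() or header_matches(p) is not False:
            continue
        with p.open("rb") as f:
            sample = f.read(sample_bytes)
        if shannon_entropy(sample) >= ENTROPY_THRESHOLD:
            hits.append(p)
    return sorted(hits, key=str)


def fake_ciphertext(n: int, seed: int) -> bytes:
    """Deterministic stand-in for encrypted bytes (constructed data, seeded PRNG)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def build_sample_tree(root: Path) -> None:
    """Constructed victim directory for the example; no real files involved."""
    (root / "photos").mkdir()
    (root / "docs").mkdir()
    # intact JPEG: valid header followed by low-entropy filler
    (root / "photos" / "intact.jpg").write_bytes(b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 2000)
    # "encrypted" JPEG: same name, header gone, body looks random
    (root / "photos" / "holiday.jpg").write_bytes(fake_ciphertext(4096, seed=1))
    (root / "docs" / "report.pdf").write_bytes(b"%PDF-1.4\n" + b"obj " * 500)
    (root / "docs" / "tracks.zip").write_bytes(fake_ciphertext(4096, seed=2))
    # .wav is not in MAGIC (and the thread says PClock leaves it alone), so it is skipped
    (root / "docs" / "mix.wav").write_bytes(b"RIFF" + b"\x00" * 100)
    (root / "docs" / "Your files are locked !!!!.txt").write_text("ransom note placeholder")
    (root / "Your files are locked !.txt").write_text("ransom note placeholder")


def demo() -> Dict[str, List[str]]:
    """Build the sample tree in a temp dir and return relative paths of the findings."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_sample_tree(root)
        return {
            "notes": sorted(p.relative_to(root).as_posix() for p in find_ransom_notes(root)),
            "encrypted": sorted(p.relative_to(root).as_posix() for p in suspect_encrypted(root)),
        }


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

To run it against a real drive, point `find_ransom_notes()` and `suspect_encrypted()` at the volume root instead of the temp tree; files with extensions outside MAGIC are reported as unknown rather than guessed at, which is the safer failure mode when the point is to decide what to preserve for a possible future decryptor.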

#118 McDano (Members, 8 posts)

Posted 25 June 2017 - 01:45 AM

(quoting lipos, post #115 above, in full)

Same experience...



#119 GPekov (Members, 4 posts)

Posted 25 June 2017 - 02:01 AM

After the Cryptolocker hit on my PC I have given up Windows and use Linux instead. Though I wonder whether this scum can affect Linux too?


Edited by GPekov, 25 June 2017 - 02:03 AM.


#120 quietman7 (Bleepin' Janitor, Global Moderator, 50,096 posts, Virginia, USA)

Posted 25 June 2017 - 06:40 AM

After the Cryptolocker hit on my PC I have given up Windows and use Linux instead. Though I wonder whether this scum can affect Linux too?

