Update 1/11/15: Please see this post for updated information on identifying the version you are encrypted with and how to use Fabian Wosar's decryption tool.
A new ransomware called PClock has been discovered that pretends to be CryptoLocker and encrypts the data on your computer using an XOR encryption routine. This malware is dubbed PClock due to the project name found within the malware executable. How this malware is distributed is currently unknown, but once installed it will scan your computer for data files and encrypt any files that match certain file types. Once the encryption has been completed, it will display a ransom screen that shows a 72 hour timer and instructs you to send a 1 bitcoin ransom to an assigned bitcoin address in order to decrypt your files. Thankfully, Fabian Wosar of Emsisoft was able to create a decryptor for files encrypted by the PClock CryptoLocker ransomware, which is discussed further in the article.
When PClock encrypts your data files, it will store the list of encrypted files in the %UserProfile%\enc_files.txt file. The file types that this ransomware targets are:
.3fr, .accdb, .ai, .arw, .bay, .cdr, .cer, .cr2, .crt, .crw, .dbf, .dcr, .der, .dng, .doc, .docm, .docx, .dwg, .dxf, .dxg, .eps, .erf, .indd, .jpe, .jpg, .kdc, .mdb, .mdf, .mef, .mrw, .nef, .nrw, .odb, .odm, .odp, .ods, .odt, .orf, .p12, .p7b, .p7c, .pdd, .pef, .pem, .pfx, .ppt, .pptm, .pptx, .psd, .pst, .ptx, .r3d, .raf, .raw, .rtf, .rw2, .rwl, .srf, .srw, .wb2, .wpd, .wps, .xlk, .xls, .xlsb, .xlsm, .xlsx
When installed, the malware files will be located under the %AppData%\WinCL folder, and the main malware file is WinCL.exe. Terminating the WinCL.exe process and deleting the files will remove the infection from your computer, but will still leave your files encrypted. This ransomware will also change your desktop background to a ransom message with further instructions. The malware will then delete the Shadow Volume Copies on the infected computer by issuing the vssadmin Delete Shadows /All /Quiet command, so that files cannot be restored from previous versions. The program will repeatedly query blockchain.info to determine if a payment has been made. If it detects a payment, it will then automatically transform itself into the decryptor and prompt you to decrypt your files as shown below.
Last, but not least, if you do not pay the ransom within the allotted time, it will display a last_chance.txt file that tells you to download the malware again, which supposedly gives you another 3 days to make payment.
The text of the wallpaper is:
CryptoLocker
Your important files encryption produced on this computer: photos, videos, documents, etc.
If you see this text, but do not see the "CryptoLocker" window, then your antivirus deleted "CryptoLocker" from computer.
If you need your files, you have to recover "CryptoLocker" from the antivirus quarantine, or find a copy of "CryptoLocker" in the Internet and start it again.
You can download "CryptoLocker from the link given below.
hxxp://invisioncorp.com/au/XXXXXXXXXX
Approximate destruction time of your proviate key: 1/5/2015 12:31:45 PM
If the time is finished you are unable to recover files anymore!
Simply remove this wallpaper from your desktop.
To decrypt your files, please download the Emsisoft Decryptor for PClock and save it to your desktop. Once downloaded, double-click on it and the program will open and automatically import the list of encrypted files from the %UserProfile%\enc_files.txt list. When you are ready to decrypt your files, simply click on the Decrypt button. More information about using this tool can be found in the next post by Fabian.
Known WinCL CryptoLocker Ransomware Files:
%AppData%\WinCL\WinCL.exe
%AppData%\WinCL\winclwp.jpg
%AppData%\WinCL\temp.vbs
%UserProfile%\enc_files.txt
%UserProfile%\last_change.txt
Known WinCL CryptoLocker Ransomware Registry keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\wincl = %AppData%\WinCL\wincl.exe
HKCU\Control Panel\Desktop\Wallpaper = %AppData%\WinCL\winclwp.jpg
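The file, registry and process indicators above can be checked on a suspect machine in one pass. The following PowerShell triage script is an added example written for this article; it is not code from the article's author or from Emsisoft. The paths, the wincl Run value, the wallpaper key and the WinCL.exe process name are taken from the indicator lists above; the function name Test-PClockIndicators is my own, and the script assumes enc_files.txt holds one encrypted file path per line when it counts entries. It only reports what it finds and changes nothing, so it can be run before the cleanup and decryption steps described earlier.

```powershell
# Added example, not part of the original article or the Emsisoft decryptor.
# Reports PClock indicators (files, Run key, wallpaper, process) on the current host.
function Test-PClockIndicators {
    [CmdletBinding()]
    param()

    $findings = @()

    # Files the article lists under %AppData%\WinCL and %UserProfile%
    $filePaths = @(
        (Join-Path $env:APPDATA 'WinCL\WinCL.exe'),
        (Join-Path $env:APPDATA 'WinCL\winclwp.jpg'),
        (Join-Path $env:APPDATA 'WinCL\temp.vbs'),
        (Join-Path $env:USERPROFILE 'enc_files.txt'),
        (Join-Path $env:USERPROFILE 'last_change.txt')
    )
    foreach ($p in $filePaths) {
        if (Test-Path -LiteralPath $p) {
            $findings += [pscustomobject]@{ Type = 'File'; Indicator = $p }
        }
    }

    # Persistence: the "wincl" value under the per-user Run key
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -Name 'wincl' -ErrorAction SilentlyContinue
    if ($run -and $run.wincl) {
        $findings += [pscustomobject]@{ Type = 'RunKey'; Indicator = "wincl = $($run.wincl)" }
    }

    # Desktop wallpaper swapped for the ransom image winclwp.jpg
    $wp = (Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name 'Wallpaper' -ErrorAction SilentlyContinue).Wallpaper
    if ($wp -and $wp -match 'winclwp\.jpg$') {
        $findings += [pscustomobject]@{ Type = 'Wallpaper'; Indicator = $wp }
    }

    # The malware process, if it is still running
    $proc = Get-Process -Name 'WinCL' -ErrorAction SilentlyContinue
    if ($proc) {
        $findings += [pscustomobject]@{ Type = 'Process'; Indicator = "WinCL.exe PID $($proc.Id -join ',')" }
    }

    # Size of the victim's encrypted-file inventory (assumption: one path per line)
    $enc = Join-Path $env:USERPROFILE 'enc_files.txt'
    if (Test-Path -LiteralPath $enc) {
        $count = @(Get-Content -LiteralPath $enc | Where-Object { $_.Trim() }).Count
        $findings += [pscustomobject]@{ Type = 'EncryptedFileCount'; Indicator = $count }
    }

    return $findings
}

$result = @(Test-PClockIndicators)
if ($result.Count -eq 0) {
    'No PClock indicators found.'
} else {
    $result | Format-Table -AutoSize
}
```

Run it in the context of the affected user account, since every indicator lives under that user's profile and HKCU hive; a Run value or wallpaper entry pointing at the WinCL folder is a reliable sign of this family even after an antivirus product has already quarantined WinCL.exe, which is exactly the situation the wallpaper text above describes.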