Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


I canīt identify a ransomware

  • Please log in to reply
1 reply to this topic

#1 Nachosant


  • Members
  • 1 posts
  • Local time:03:41 AM

Posted 28 March 2017 - 11:50 AM

Hello everyone!


I have a little problem. Three days ago, a firewall alert popped informing of a virus. On Sunday, I cleaned up a part of my pc and found out a number of my files had been encrypted. At no time have I found a message in the desktop about the ransomware or txt indicating me to pay to recover them.


I don't know whether it's been because of me cleaning up some files, that the process could not complete and the encryption of the files did not get to the end of the process. The files have not been renamed, they have their original name and extension. The only thing I could find was a file in quarentine named "derris.dll".


I've been reading about this and in this forum and it seems it can be the "ransomware pclock", but I'm not sure. 

I've also tried to verify the type of ransomware (ID) in this website -  https://id-ransomware.malwarehunterteam.com/ - but there were no coincidences for it. 


I've been trying with multiple decrypters but I haven't been successfull. 


Here you have an encrypted file and the original file before the encryption. 


Encrypted file




Original file





Thank you in advance for your help!

BC AdBot (Login to Remove)


#2 Demonslay335


    Ransomware Hunter

  • Security Colleague
  • 3,564 posts
  • Gender:Male
  • Location:USA
  • Local time:08:41 PM

Posted 28 March 2017 - 12:40 PM

If there is no extension, and ID Ransomware could not identify it (it searches known hex patterns), it is most likely PClock based on infection rates. There is no way to be 100% without a ransom note or the malware itself though. PClock is not decryptable, you'll have to restore from backups.

Edited by Demonslay335, 28 March 2017 - 12:40 PM.

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users