(and PClock2) does not append an obvious extension to the end of the encrypted data filename or use a filemarker. PClock2 will leave files (ransom notes) with names like Your files are locked !.txt and Your files are locked !!!!.txt. The ransom note instructs victims to contact the cyber-criminals at "email@example.com", "firstname.lastname@example.org", "email@example.com", "firstname.lastname@example.org", "email@example.com", "firstname.lastname@example.org", "email@example.com", "firstname.lastname@example.org", "email@example.com", "firstname.lastname@example.org", "email@example.com", "firstname.lastname@example.org", "email@example.com" to get payment instructions.
Some of the newer PClock2 variants will drop files, including the malware executable, in the %AppData%\Roaming\\Microsoft\Crypto\RSA or %AppData%
These are some examples.
Unfortunately, newer PClock variants are not decryptable and there is no longer any way to provide decryption without paying the ransom. The Emsisoft Decrypter created for earlier PClock variants will not work...Fabian explains why in Post #987
There is ongoing discussion in this topic where victims can post comments, ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions.
Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the above support topic discussion...it includes experiences by experts, a variety of IT consultants, end users and company reps who have been affected by ransomware infections. To avoid unnecessary confusion, this topic is closed.
The BC Staff