New Cryptolocker copycat PClock2 discovered that targets over 2,500 file extensions

One of the biggest ransomware threats of the last few years, Cryptolocker, was discovered in late 2013. Its makers have been reported to have made approximately USD$30 million in the first 100 days of operation, so it is no surprise that many variants and copycats have emerged to capitalize on Cryptolocker's reputation. Earlier this year we discovered a Cryptolocker copycat named PClock, for which we developed a decrypter to help victims get their files back without paying the ransom. Now a new variant of PClock, and another copycat of Cryptolocker, has emerged: PClock2.

PClock2 demands 0.5 bitcoin ransom to decrypt files

Like other ransomware, the main goal of PClock2 is to encrypt important files on the victim's system in order to compel them to pay a ransom for their return. PClock2 encrypts files with the RC4 algorithm using a randomly generated key. Like most other variants it demands payment in bitcoin and gives the user a limited time window to pay. The malware also falsely claims that 0.5 bitcoin (the demanded ransom) is approximately equal to US$ 0, while the accurate conversion amounts to almost US$128.
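Because PClock2 uses RC4, a symmetric stream cipher, the same keystream that locked a file unlocks it once the key is known, and applying the wrong key only scrambles the data further. The following Python is an added illustration of that property (it is not code from the original post or from the decrypter it describes; the sample document and key are constructed):

```python
# Added illustration (not code from the original post or from the decrypter it
# describes): a plain RC4 implementation, the stream cipher PClock2 is reported
# to use, showing why files it encrypts are recoverable once the per-system key
# is known, and why decrypting with the wrong key only scrambles them further.

def rc4_keystream(key: bytes):
    """Generator for the RC4 keystream (KSA followed by PRGA)."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    # Key-scheduling algorithm: permute S according to the key bytes.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm: emit one keystream byte per step.
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call both encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def recover_file(key: bytes, ciphertext: bytes) -> bytes:
    """What a decrypter does once it has the key: XOR the keystream back out."""
    return rc4(key, ciphertext)


if __name__ == "__main__":
    import os
    # Constructed sample: a document body and a randomly generated key, as the
    # post says PClock2 uses (the real key length is an assumption here).
    document = b"Quarterly report - constructed sample data, not a real file"
    key = os.urandom(16)
    locked = rc4(key, document)
    assert recover_file(key, locked) == document
    # Wrong key: the output is still unreadable, which is why a decrypter
    # should refuse to run when it cannot find the system's key.
    assert recover_file(os.urandom(16), locked) != document
    print("round trip ok; wrong key leaves the data scrambled")
```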

Similar to its predecessor PClock, this variant closely resembles Cryptolocker visually as well:

[Screenshot: the PClock2 ransom window, styled after Cryptolocker]

The malware also instructs users to turn off their antivirus programs so that it is not removed. The application window is clearly meant to threaten and mislead users.

PClock2 behavior and infection methods

PClock2 usually enters the user’s system via infected torrent downloads. Once on a victim’s computer, PClock2 establishes persistence on the system using the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\]
    “wincl” = “%APPDATA%\WinDsk\windsk.exe”

PClock2 saves additional details about the infection, like the Bitcoin payment address, here:

  • HKEY_CURRENT_USER\Software\VB and VBA Program Settings\CLOCK

What's interesting is that PClock2 targets 2583 file extensions, far more than the earlier ransomware families we have come across. Because so many extensions are targeted, the list is too long to include in this post. The command and control servers for this malware are located at these domains:


The extracted malware files are stored locally in the following locations:

  • %APPDATA%\WinDsk\windsk.exe – the malware executable
  • %APPDATA%\WinDsk\windskwp.jpg – the wallpaper generated by the malware
  • %DESKTOP%\CryptoLocker.lnk – a shortcut to the malware executable
  • %USERPROFILE%\enc_files.txt – the list of encrypted files

After encrypting all the files it can find, the ransomware changes the user’s desktop background to this image:

[Screenshot: the desktop wallpaper set by PClock2]

How to recover your files without paying the ransom

Luckily PClock2 is nowhere near as powerful as it claims to be, and none of your files have actually been damaged. Our malware research team has designed a decrypter that will allow you to easily restore your locked files without paying the ransom. You can download the decrypter here.

The decryption process is fairly easy as illustrated by these screenshots:

[Screenshots: the decrypter walking through the recovery process]

If you don’t feel comfortable performing the decryption process on your own, feel free to create a support request in our support forum or send us an email. We’d appreciate it if you share this post so that more victims of PClock2 can be helped to recover their files.

Prevention is always better than cure which is why we always recommend regular backups and a strong antivirus program that protects you from getting infected in the first place.

Have a nice (ransomware-free) day!

  • Victor Julio Madrigal

    Hi, on 8/4/2015 my PC was infected with the virus, same situation. I downloaded decrypt_pclock2.exe but when I tried to open it, it showed me the error "The decryption key for your system could not be found. There is unfortunately no way to decrypt your files....." Please, somebody help with the problem.

  • art

    Hi, 07/27/2015
    I got some cryptowall 3.0 rsa-2018 http://en.wikipedia.org/wiki/RSA_(cryptosystem)
    Only files from Adobe and JPEGs cannot be opened; it shows wrong file format. The files do not have any weird file extension; when I rename a file, the file becomes damaged. It is not on my computer, my computer is fine; somehow it is on my external hard drive through the modem! Don't know how it happened. If somebody can help. Also downloaded the tool from this website but it says no pclock2 was found. Thanks, art

  • Mohamed

    Hello, my PC has been infected by pclock2 and I tried to decrypt it and got the message "your system is not infected by pclock2"... The problem is that I disinfected my system before discovering this amazing tool. I wish there will be a solution for my case. Thank you.
    Regards.

  • Henry Eze

    I got infected by this on 11 November 2016. My antivirus took it out, but it had already messed up my files, though it did not change the extension name.

    The decrypter refuses to run, telling me it did not find any infection of pclock2. Please help with suggestions.

    Thank you

    • Thomas

      Hello,
      I have a similar problem. The program wrote: “No previous PClock infection found” …
      “This system does not appear to have been targetted by the PClock malware in the past. To prevent you from damaging your files by accident the decrypter will close now.”

      Can you help me?

      Thank you

      • blabla

        Hi,

        I have the exact same problem since I reinstalled the OS and my encrypted files are located on a separate drive.

        Thanks!

    • Paul Abruzzo

      I am in the same situation. I got hit on November 28th. It encrypted my files but it DID NOT change the extension and it DID NOT give me a ransom note! It just left me with a ton of encrypted files. I downloaded Malwarebytes and it found a bunch of stuff related to cryptolocker and removed it, but I still can't get anything to decrypt my files. Any ideas?

      • Henry Eze

        Hello Paul
        From my online research, there seems to be no current solution to this ransomware. Unfortunately, I did not have much backup of my files.
        I cut my losses and damage, and moved on with the few things left. I still have the tons of encrypted files on the system (hoping someday a remedy will pop up).
        If you made backups, I suggest you move ahead with them.
        I am always an advocate of backing up files to others, but do not always back up myself. I learnt the hard way this time.
        All the best!

        • Paul Abruzzo

          Thank you Henry. I have a lot of stuff backed up so I was able to restore a large amount, but like you, there are still some files I did not have backups for, and I am saving them in the hope that in the future I will be able to find a way to reverse the encryption. Thanks.

        • David Biggar

          You’re correct, depending on the version of PCLock. There is more than one version, and the latest ones are indeed not decryptable (at this time).

  • Henning Berge

    Hello,
    I got the PClock virus and I tried the decrypt_pclock2 program. The program wrote: "No previous PClock infection found" ...
    “This system does not appear to have been targetted by the PClock malware in the past. To prevent you from damaging your files by accident the decrypter will close now.”

    Is it possible to help me with this problem :)

    • Emre Kirpiksiz

      I have the same problem.. Did you solve it?

      • Henning Berg

        I paid them the ransom and I got almost all my pictures and movies back. I don't know why it didn't work on all files but I got 90 % back 😕

  • Sukalyan Dey

    Like Mohamed, Henry Eze and Thomas, I have a similar problem. My PC got infected a fortnight ago. It got detected and Malwarebytes removed the virus. When I installed and ran decrypt_pclock2.exe, the program wrote: "No previous PClock infection found" ...
    "This system does not appear to have been targetted by the PClock malware in the past. To prevent you from damaging your files by accident the decrypter will close now."
    The problem is that it mimics Cryptolocker and hence we normally tend to run the antivirus and delete it. It is only afterwards that we get to know that it is PClock ransomware. So, unless you improvise your software to run and decrypt the infected files regardless of the presence of the virus, the software loses much of its purpose. Please enable your software to decrypt the files even if the virus has been removed. If it cannot be done, please reply so that I can delete the junk of encrypted files.

  • Alvaro Legado

    I have the same problem as the others! Attacked on 27th April 2017; I removed the virus but the decrypter did not detect PClock. Is there a way to decrypt this? I have two important music productions I need to recover.