It’s a new year so naturally a new ransomware infection has been found attacking computers and networks. PClock has been discovered masquarading as CryptoLocker. See image below. PClock attempts to name itself CryptoLocker, more as a scare tactic than anything, however it has been named PClock from the project name found in it’s executable file.
It is not currently known how PClock is distributed. Once installed it attempts to only encrypt certain files types, specifically photos, videos, word processing and spreadsheet files. After encryption is complete PClock changes your desktop background to the ransom screen and provides a 72 hour count down clock for the victim to pay the 1 Bitcoin ransom. Bitcoin is down a bit today, currently trading at 1 Bitcoin to $267.23 USD.
PClock regularly queries blockchain.info to determine if your payment has been received. If a payment is received it then automatically transforms itself into the decryptor and prompts you to decrypt your files.
Interestingly if you do not pay within the 72 hours you receive a file, last_chance.txt, that tells you to download the malware again and claims to give you an additional 3 days to pay. I have not seen any security firms who have actually tested that particular “feature”.
Aside from calling itself CryptoLocker and using a shield as it’s image PClock and CryptoLocker don’t have much in common. In fact PClock has a very important difference from CryptoLocker, thanks to the hard work of some in the technology security industry at Emsisoft you won’t need to pay to decrypt your files, nor have an enterprise backup running. This is generally not the case with most ransomware infections, however in this case Emsisoft has called PClock “quite primitive by nature” and it’s creators “amateurs at best.” Emsisoft has been able to provide a decryptor saving anyone unlucky enough to get this infection.
Read more about PClock on Emsisoft.com. Or if you need a help using the decryptor call you local IT support.