A new spam campaign disguised as emailed fax messages is distributing a malware downloader that installs a CryptoLocker clone ransomware family called PClock. The ransomware first appeared in January 2015; Microsoft detects it as Ransom:Win32/WinPlock.B (WinPlock), though the infection is more commonly known as PClock.
Security researcher Fabian Wosar of Emsisoft created a decrypter for the older versions of the ransomware, allowing victims to recover their files for free. However, the PClock developers updated their code in May 2015 and broke the decrypter. Since then, PClock victims have been able to restore their files only from backups or by paying the ransom.
Until now, the number of PClock infections has been low but steady, but Microsoft's security team recently picked up a spike in activity from the group's operators.
In the latest campaign, the PClock operators are sending emails disguised as fax notifications, with subject lines such as "PLEASE READ YOUR FAX T6931." Despite the mundane subject, the attached archive is named "Criminal case against you," which is likely to catch many users' attention.
The RAR archive contains a WSF (Windows Script File). Once the user extracts the archive and runs the WSF file, a JScript routine inside it starts a chain of operations that download and install a piece of malware known as Crimace, detected by Microsoft as TrojanDownloader:JS/Crimace.A. Crimace is a malware downloader: a trojan that connects to a remote server, then downloads and runs other malware, in this case PClock.
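The infection chain above (RAR attachment, WSF inside, JScript that fetches and runs a second stage) is exactly what a mail-gateway or triage script can check for. The Python below is an added example written for this page, not code from the article, from Microsoft, or from the Crimace/PClock samples themselves: it classifies an attachment by its script-host extension and, for a `.wsf`, pulls out the `<script>` blocks and looks for the COM objects and obfuscation idioms a script downloader needs (fetch, write to disk, execute). The file names, the `example.invalid` URL and the embedded WSF text are constructed for the demonstration and are not indicators from the real campaign.

```python
"""Triage a mail attachment for a WSF/JScript downloader chain (constructed example)."""
import re
import xml.etree.ElementTree as ET

# Extensions the Windows Script Host / mshta run on double-click.
SCRIPT_EXTENSIONS = {".wsf", ".js", ".jse", ".vbs", ".vbe", ".wsh", ".hta"}

# COM ProgIDs (lower-cased, ProgIDs are case-insensitive) grouped by the
# downloader step they provide.
COM_INDICATORS = {
    "msxml2.xmlhttp": "http-fetch",
    "msxml2.serverxmlhttp": "http-fetch",
    "winhttp.winhttprequest.5.1": "http-fetch",
    "adodb.stream": "write-to-disk",
    "scripting.filesystemobject": "write-to-disk",
    "wscript.shell": "execute",
    "shell.application": "execute",
}

# Obfuscation idioms that are rare in legitimate admin scripts.
OBFUSCATION_PATTERNS = {
    "eval": re.compile(r"\beval\s*\("),
    "fromCharCode": re.compile(r"String\.fromCharCode"),
    "regex-replace-or-split": re.compile(r"\.(?:replace|split)\s*\(\s*/"),
}

ACTIVEX_RE = re.compile(r'ActiveXObject\s*\(\s*["\']([^"\']+)["\']', re.I)
URL_RE = re.compile(r'https?://[^\s"\'<>]+', re.I)
SCRIPT_TAG_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
LANG_RE = re.compile(r'language\s*=\s*["\']([^"\']+)["\']', re.I)


def extract_scripts(wsf_text):
    """Return [(language, body)] for every <script> element in a .wsf file."""
    try:
        root = ET.fromstring(wsf_text)
        return [((el.get("language") or "").lower(), el.text or "")
                for el in root.iter("script")]
    except ET.ParseError:
        # Many real WSFs are not well-formed XML (raw '<' in script bodies,
        # stray declarations), so fall back to a tolerant regex.
        scripts = []
        for attrs, body in SCRIPT_TAG_RE.findall(wsf_text):
            m = LANG_RE.search(attrs)
            scripts.append(((m.group(1) if m else "").lower(), body))
        return scripts


def analyse_script(body):
    """Map each indicator class to the evidence found in one script body."""
    findings = {}
    for progid in ACTIVEX_RE.findall(body):
        step = COM_INDICATORS.get(progid.lower())
        if step:
            findings.setdefault(step, []).append(progid)
    for name, pattern in OBFUSCATION_PATTERNS.items():
        if pattern.search(body):
            findings.setdefault("obfuscation", []).append(name)
    urls = URL_RE.findall(body)
    if urls:
        findings["urls"] = urls
    return findings


def triage_attachment(filename, content):
    """Return (verdict, reasons): allow / quarantine / block."""
    lower = filename.lower()
    ext = ("." + lower.rsplit(".", 1)[-1]) if "." in lower else ""
    reasons = []
    if ext not in SCRIPT_EXTENSIONS:
        return "allow", reasons
    # Any script-host attachment in mail is worth holding; this is the cheap check.
    reasons.append(f"script-host extension {ext}")
    if lower.count(".") >= 2:
        reasons.append("double extension hides the real file type")
    chain_complete = False
    if ext == ".wsf":
        for lang, body in extract_scripts(content):
            found = analyse_script(body)
            if found:
                reasons.append(f"{lang or 'unknown'} block: {sorted(found)}")
            # Fetch plus either write or execute is the minimal downloader chain.
            if "http-fetch" in found and ("execute" in found or "write-to-disk" in found):
                chain_complete = True
    return ("block" if chain_complete else "quarantine"), reasons


# Constructed, inert sample: it names the COM objects but performs no download.
SAMPLE_WSF = """<job id="constructed-sample">
<script language="JScript">
// Constructed for this example only; example.invalid is a reserved test name.
var req = new ActiveXObject("MSXML2.XMLHTTP");
var out = new ActiveXObject("ADODB.Stream");
var sh  = new ActiveXObject("WScript.Shell");
var url = "http://example.invalid/" + String.fromCharCode(112) + "ayload";
</script>
</job>
"""

if __name__ == "__main__":
    for name, data in [("fax_T6931.wsf", SAMPLE_WSF),
                       ("fax_T6931.pdf.wsf", SAMPLE_WSF),
                       ("fax_T6931.pdf", "%PDF-1.4")]:
        print(name, triage_attachment(name, data))
```

The extension check alone is the rule most organisations should apply at the gateway: there is almost no legitimate reason for a `.wsf` or `.js` to arrive by email, so quarantining on extension catches this campaign before any content analysis runs. The content analysis is there for the triage queue, to separate a complete fetch-and-run chain from a script that merely touches the file system.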
PClock has posed as a CryptoLocker clone since its appearance, even though far more dangerous ransomware families have emerged since. Its developers have also yet to set up a decryption service on the Dark Web, the standard arrangement for handling payments and decryption that most high-end ransomware operations prefer.
After roughly two years of keeping a low profile, PClock remains an entry-level operation that requires victims to contact its creators by email.
Currently, only one thing has changed: the number of targeted files. Whereas the initial PClock versions encrypted just over 100 file types, the latest variant targets approximately 2,630 file types.