PencilCry Ransomware

PencilCry Ransomware Description

Victims of the PencilCry Ransomware will lose access to most of their personal or work-related files. The threat is capable of affecting numerous file types, including PDFs, documents, archives, databases, photos, and images. Because it uses an uncrackable cryptographic algorithm, restoring the locked files without the necessary decryption key is not feasible.

The threat appends '.pencilcry' as a new extension to the original name of every affected file. After encrypting all suitable data, the PencilCry Ransomware delivers its ransom notes: it changes the default wallpaper of the compromised system and opens a new pop-up window.
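The appended extension gives responders a simple way to scope the damage before restoring from backup. The following read-only triage script is an added example, not part of the original write-up: it lists files carrying the '.pencilcry' extension, recovers each original name and file type, counts hits per directory, and locates copies of the "Pencil Decrypt0r.exe" program named in the wallpaper message. The function names, the sample tree, and the case-insensitive matching are assumptions, and matching is by file name only.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

EXT = ".pencilcry"                  # extension the threat appends (from this page)
DECRYPTOR = "pencil decrypt0r.exe"  # program named in the wallpaper message (from this page)

def scope_impact(root):
    """Summarise affected files under root for restore planning (read-only)."""
    encrypted, decryptors = [], []
    original_types, by_directory = Counter(), Counter()
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            lower = name.lower()  # assumption: match names case-insensitively
            full = os.path.join(dirpath, name)
            if lower == DECRYPTOR:
                decryptors.append(full)
            elif lower.endswith(EXT) and len(name) > len(EXT):
                original = name[:-len(EXT)]  # name before the extension was appended
                encrypted.append((full, original))
                original_types[Path(original).suffix.lower() or "(none)"] += 1
                by_directory[dirpath] += 1
    return {"encrypted": encrypted, "decryptors": decryptors,
            "original_types": original_types, "by_directory": by_directory}

def build_sample_tree(root):
    """Constructed sample: empty files that only mimic the naming pattern."""
    names = ["Documents/report.pdf.pencilcry", "Documents/budget.XLSX.PENCILCRY",
             "Documents/README.pencilcry", "Pictures/photo.jpg.pencilcry",
             "Pictures/untouched.png", "Desktop/Pencil Decrypt0r.exe"]
    for rel in names:
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.touch()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        report = scope_impact(tmp)
        print("affected files:", len(report["encrypted"]))
        print("original types:", dict(report["original_types"]))
        for directory, count in report["by_directory"].most_common():
            print(f"{count:4d}  {directory}")
        print("decryptor copies:", report["decryptors"])
```

The per-directory counts and original file types show which backup sets need to be restored, and the decryptor paths mark files to preserve as evidence.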

Ransom Note's Details

The instructions delivered via the wallpaper are relatively short. They simply tell the ransomware's victims to check the ransom-demanding message in the pop-up window and explain how to open it if it is not displayed automatically.

The main ransom note reveals that the attackers demand a ransom of exactly $1. The funds must be transferred to the provided crypto-wallet address using the Bitcoin cryptocurrency. Ransomware operators typically demand hundreds if not thousands of dollars from individual victims, so PencilCry's demand of a single dollar could indicate that the threat has been released for testing purposes.

Furthermore, PencilCry could be aimed mostly at Portuguese-speaking users, as its ransom note comes in an English and a Portuguese version. According to the message, victims have a total of 120 hours to make the payment or their files will be locked forever.

The wallpaper message is:

'Ooops, your files are encrypted!

Please find the "Pencil Decrypt0r.exe" software on your desktop, run it and follow the instructions to get your files back!

If you cannot see the "Pencil Decrypt0r.exe" software, try restarting your computer.
If you still can't find it, make sure your anti-virus hasn't removed or quarantined it.

Thanks
TTVirus
'

The English instructions shown in the pop-up window are:

'Pencil Decrypt0r v1.0

Ooops, your files have been encrypted!

Time left
Payment

Time left
Total loss

What happened to my computer?

Your computer was infected by PencilCry and all your important files like Documents, Photos, Videos, etc were encrypted with a key. Only our decryption service can recover your files.

How do I get my files back?

To obtain your data during the next 72 hours you will have to pay $1 to the bitcoin account below. You can decrypt 2 files for free by pressing F3.

When I make the payment will I have my data back?

Yes, after making the payment click on "Verify Payment" to start the decryption process. It may take some time for the payment to be recognized! Only files with the ".pencilcry" extension will be decrypted, so we do not recommend changing the extension of encrypted files.

If I don't pay what happens to my files?

If you do not pay after 120 hours, we will delete the key from your computer, losing the possibility of recovering your files!'

The Portuguese version of the ransom note is:

'Pencil Decrypt0r v1.0

Ooops, os seus arquivos foram criptografados!

Tempo restatante
Pagemtno

Tempo restatante
Perda total

O que aconteceu ao meu computador?

O seu computador foi infetado pelo PencilCry e todos os seus arquivos importantes como
Documentos, Fotos, Videos, etc foram criptografados com uma chave. Apenas o nosso serviço de
descriptografia consegue recuperar os seus ficheiros.

Como faço para obter os meus ficheiros de volta?

Para obter os seus dados durante as proximas 72 horas tera de efetuar o pagamento de $1 para o
conta bitcoin abaixo. Poderá descriptografar gratuitamente 2 ficheiros apertando F3.

Quando efetuar o pagamento irei ter os meus dados de volta?

Sim, após efetuar o pagamento clique em "Verificar Pagamento" para iniciar o processo de
descriptografia. Poderá demorar algum tempo até o pagamento ser reconhecido! Apenas os ficheiros
com a extensão ".pencilcry" serão descriptografados, por isso não recomendamos a alteração da
extensão dos ficheiros criptografados.

Se eu não efetuar o pagamento o que acontece aos meus ficheiros?

Ao não efetuar o pagamento passado 120 horas, iremos eliminar a chave do seu computador,
perdendo a possibilidade de recuperar os seus ficheiros!
'