Popcorn Time ransomware operates a 'referrals program'

by Mark Tyson on 12 December 2016, 12:09



Unfortunately, ransomware looks to have been a growing malware trend this past year. HEXUS doesn't follow the computer security scene very closely, as we are more focused on hardware than software, but we have run at least two ransomware stories in 2016: the first such malware to hit the Mac arrived in March, and a drive-by ransomware infection was hitting Adobe Flash users in April.

It's probably safe to say most malware writers and distributors have £$£$s in mind, and ransomware is a very direct way of getting cash from victims. The malware encrypts your documents, then demands a payment in exchange for the key to unlock them. If the victim doesn't pay, the files are in effect lost, unless there are good recent backups in place. If the afflicted user is lucky, one of the security software companies will publish a free decryption tool targeting the malware that encrypted the files.

Popcorn Time 'refer a friend'

Over the weekend some new Windows malware called 'Popcorn Time' was highlighted by ZDNet. This ransomware innovated with a new kind of 'refer a friend' payment method, alongside the traditional demand for direct payment.

Popcorn Time encrypts your Documents, Pictures, Music and Desktop folders and files with a strong AES-256 encryption algorithm (it will also target files with 'media extensions' located elsewhere). What is an infected user to do? A payment of one bitcoin (approx $780, £618) will provide a key to unlock your files. However, there is a sinister alternative: if you share the malware with at least two other folk, who fall victim to it and 'pay up', then you can have a free decryption key.

There are a couple of other interesting findings regarding Popcorn Time. Firstly, if a decryption code is entered incorrectly more than a certain number of times, the files will be permanently locked, says ZDNet. Secondly, the criminals behind the ransom claim to be "extremely sorry" and say they will be using the money for "food, medicine, and shelter to those in need" in Syria.

According to Bleeping Computer, this Popcorn Time malware is not related to the Popcorn Time app for streaming copyrighted movies.



HEXUS Forums :: 20 Comments

A social engineering based virus like that does not feel like it was made by someone “just fer tuh lulz”. That's far more sinister
Does sound more like a social experiment. How evil.

Still easy fix, spin up two virtual machines.
Dashers
Does sound more like a social experiment. How evil.

Still easy fix, spin up two virtual machines.

How would that fix it? Wouldn't they need payment first?

(However, there is a sinister alternative: if you share the malware with at least two other folk, who fall victim to it and ‘pay up’)

If it happened to me, I assume I could just wipe the entire PC? As there is nothing on my PC that is… something I need to keep. It is purely a gaming PC. Pictures/Videos are all kept on separate PC and Laptop as backup.
Macman
How would that fix it? Wouldn't they need payment first?

If it happened to me, I assume I could just wipe the entire PC? As there is nothing on my PC that is… something I need to keep. It is purely a gaming PC. Pictures/Videos are all kept on separate PC and Laptop as backup.

I believe the insinuation would be that if a VM was infected you'd just delete it and use the other, then spin up a 2nd again.

Indeed, if you have up to date backups then this is just a pain-in-the-back-side. You could simply format the PC and re-install Windows / all your software again, then copy the data back.

I always prefer to have an offline copy of data on a USB drive. As I assume these Malware programmes can easily infect Dropbox / etc if they are used from the desktop.
Dashers
Does sound more like a social experiment. How evil.

Still easy fix, spin up two virtual machines.

It's fairly easy for malware to detect if it's running in a VM environment by looking at the range of memory addresses the malware is running on.