It’s Popcorn Time! The Latest Ransomware Pop

Marcus Jensen
Marcus Jensen
Ransomware Pop

Not to be confused with the popular video streaming program, Popcorn Time is a new ransomware that was discovered by the MalwareHunterTeam earlier this month.

The ransomware is pretty sneaky because it gives you the choice of getting a free decryption key if you infect two other people.

The ransom for your computer data is the price of one bitcoin ($780), and the key to decrypting your data will be sent to you, but only if the people you have infected pay up.

For those who don’t know, ransomware is a type of malware that holds your computer data hostage until you pay up in exchange for a decryption key.

However, this version of ransomware wants you to sell out your friends instead of cashing in, making the “malware game” become more pernicious.

If a user enters the wrong 4 digits to complete the unfinished code for decryption, the ransomware will automatically start deleting files.

How does it Encrypt a Computer?

Popcorn Time targets folders such as My Music, My Pictures, My Documents, and Efiles – a test folder on the desktop.

The malware searches for files that match specific extensions and then scramble them using AES-256 encryption.

Encrypted files then get the .filock extension (for example, a file called photo.jpg would be encrypted as photo.jpg.filock).

When the computer encryption is finished, two base64 strings are converted and saved, and ransom notes called restore_your_files.txt and restore_your_files.html, automatically display the HTML ransom note.

Once a computer gets encrypted, the victim is given a “referral” URL link that points to the malware’s Tor server.

If the victim chooses to infect others, he or she must forward the URL to two other victims. When other systems get infected with that link, a decryption key is sent to the initial victim.

The ransomware is still in development and users have been warned to close attention and not click on unfamiliar links, even if they come from people they know.

Also, having backups of data on a separate drive is strongly advisable. If you want to visit an unsecured website, using a sort of remote machine (desktop) and remote access software is the best solution.

The Bad Guys are Innovating

Chief of security strategy at SentinelOne (a cybersecurity defense firm), Jeremiah Grossman, says: “No one really knows if the mechanism is going to have any meaningful impact. You infect someone and you try to get them to infect other people. That’s a human-to-human process. Does it really scale versus all other ways, like mass-blast email? Does this process really work economically?”

Nevertheless, MalwareHunter guys say that you don’t see this kind of system every day, and that is unique. Still, they point out the positive sides of it by claiming that “There’s some good news, though. First, the Popcorn Time code doesn’t appear to be finished. It is still not perfect, but it’s getting better.”

Attack Frequency

According to a report from Kaspersky, over the last 12 months, there has been a significant increase in ransomware attacks.

The attack rate for individuals increased from one attack every 20 seconds to every 10 seconds, while for businesses it increased from one every 2 minutes to one every 40 seconds. About 42% of small-to-medium businesses failed victim to ransomware attacks over the last year, suffering the hardest hits.

We Can Only Wait

What remains to be seen is how wide the ransomware spreads. Being a work-in-progress, even if it doesn’t make a viral hit, its successes and failures can be studied by other hackers to make more effective variations.

Most law enforcement organizations advise not paying the ransoms, supporting their stance by claiming that it funds further criminal endeavors. On the other hand, some security researchers argue that individual victims should not sacrifice their personal data for the sake of fighting crime at large.

The authors of Popcorn Time claim the money received will be used to provide necessary resources (food and shelter) for Syrian refugees.

Share this Article
Leave a comment

Leave a Reply