View All R&D Articles

Is Popcorn Time Ransomware a New Era for Malware?

December 14, 2016

If you’re looking for ransomware straight out of an episode of “Black Mirror,” meet Popcorn Time.

Popcorn Time is a nasty new ransomware that combines Ponzi schemes, social activism, and blackmail. The malware is still in development, but if it can deliver what it promises, computer users should quickly take notice. Here’s an overview of what Popcorn Time is — and how its devious methodology could mark a major change in malware design and distribution.

What is Popcorn Time Ransomware (And How Does It Work)?

Popcorn Time (which is unrelated to the BitTorrent client of the same name) is a type of crypto-ransomware. It infects a computer, then begins encrypting the computer’s files. The only way to decrypt, and thus have access to, the files is to use a decryption key. The attackers usually demand a ransom for the key, and as is the case with most ransomware, Popcorn Time demands Bitcoin as payment.

Researchers at MalwareHunterTeam reportedly discovered the code for the up-and-coming Popcorn Time on the dark web. Like all crypto-ransomware, Popcorn Time will use impenetrable encryption and a hefty ransom. Unlike other malware, Popcorn Time has several twists that are worthy of a Hollywood script.

The most noteworthy attribute of Popcorn Time is what the developers refer to as “Restoring your files – The Nasty way.” The ransom note states that if a victim forwards a URL and helps infect two other people who pay the ransom, then the original victim will receive the decryption key for free.

Another unique (and possibly false) feature of the malware is its social justice angle. The ransom note includes an explanation of why the attackers are infecting computers for ransom money. The note claims that Syrian computer science students created the ransomware in order to raise money to help victims of the Syrian Civil War.

In addition to explaining their cause, the attackers also include the message-

“We know that we forced you to pay, but be sure that the payment was for a good cause. The money you gave will be used for food, medicine, and shelter to those in need.”

However, because MalwareHunterTeam found the code on the dark web, there is no way to confirm who the developers are and if what they say is true. This could be a way to convince computer users that the ransom is justified and to gain a higher ransom success rate.

The final novel feature of Popcorn Time is that it claims it can delete the encrypted files entirely if a victim enters an incorrect decryption key four times. The part of the code that would execute that action is blank, so it’s unclear if the developers really plan to delete files entirely. It’s also likely that they’d just delete the encryption key, since that would leave the files permanently encrypted and useless.

We’ve seen this “feature” in several other ransomware programs. In some cases, programmers claim to delete files, then fail to follow through. After all, there isn’t really an incentive to delete the files, as this removes justification for the ransom.

To summarize, notable features of Popcorn Time Ransomware include:

  • The ransomware demands a payment of one bitcoin, which is equal to $780 at the time of writing.
  • It gives the additional “nasty way” to receive a free decryption key. Infect two other people that eventually pay, and you don’t have to.
  • The developers claim to be Syrian computer science students who are raising money to help victims of the Syrian Civil War.
  • The ransom note claims that encrypted files will be deleted if a victim enters an incorrect decryption key four times.

That’s what we know so far, but we’ll update this post with additional info if the ransomware is ever officially released and shows up in the wild.

How Does Popcorn Time Ransomware Infect My System?

Because the ransomware is still in development, it is unclear how the developers intend to target the initial victims. Once the malware is spread to a first round of victims, the developers appear to hope that their “nasty way” of receiving the key will be used to propagate Popcorn Time.

Security experts often warn not to click on unknown links because of the risk of downloading malware. If the Popcorn Time developers can convince victims to purposely infect their contacts, this advice will be even more important. Currently, suspicious links from hacked email accounts are fairly easy to spot. But if your contacts are actively trying to fool you into clicking a link, you’ll need to be more diligent to stay safe.

Ransomware Removal

Most crypto-ransomware is extremely difficult (if not impossible) to decrypt without the associated key. For this reason, the best way to ensure access to your files is to prevent infection in the first place. If you regularly update your software and refrain from clicking on suspicious links, you can avoid most ransomware.

Popcorn Time is still in development, and as such, we haven’t seen any real-life cases yet. No computers are infected, so we can’t determine whether the encryption is breakable.

However, even relatively old encryption technologies can be difficult to break without a key. Your best defense is to avoid infection and regularly back up important files to independent media. If you believe that your computer is infected with Popcorn Time or another ransomware program, call today at 1-800-237-4200 to discuss your options.