Popcorn Time Ransomware Offers Victims A Criminal Choice

Ransomware authors are constantly developing new ways to spread their malicious software and pull in more ransom payments; however, Popcorn Time ransomware – a new ransomware variant recently discovered by researchers at MalwareHunterTeam – uses tactics never before seen.

Popcorn Time ransomware gives victims a choice: pay the ransom and regain access to their encrypted files, or obtain the decryption key for free. The catch? They need to spread the ransomware and infect at least two further computers, thus giving the attackers a twofer deal: two ransom payments instead of one.

Of course, there is no guarantee that spreading the ransomware infection to other users will see the attackers make good on their offer. The victim’s files may remain locked and the attackers would potentially get three ransom payments rather than one.

Any victim who spreads the ransomware to avoid paying the ransom will be committing a crime. Victims may avoid paying the 1 Bitcoin ransom payment (around 780 dollars), but should their actions be found out by law enforcement, there may be far worse penalties.

Another twist with Popcorn Time ransomware is that victims may be punished for entering an incorrect decryption key. The code for deleting files is not included in the version captured by MalwareHunterTeam, although victims will be shown messages indicating files will be deleted if they continue to try to guess the decryption key. After four wrong attempts, the attackers may delete all of the encrypted files. Permanently. Whether the code will be added when the ransomware is finished remains to be seen.

Popcorn Time ransomware encrypts files saved to the My Documents, My Pictures, My Music, and Desktop folders and locks them using AES-256 encryption. Victims are given 7 days from the date of infection to make their choice.

Given the folders and files that are encrypted, the ransomware variant appears to have been developed to target individuals rather than companies. However, the ransomware is still under development and further file locations may be added to later versions.

Author: NetSec Editor