Popcorn Time malware discovered in early December in 2016 by the Malware Hunter Team, Popcorn Time works just like any other ransomware would today. First, it encrypts and locks away the victim’s files and data upon infecting the device. After that, it flashes a message on the infected screen to prompt the victim to pay the ransom. A form that the victim can use to pay up as well as a timer is then shown. There is the latest addition to the Ransomware trend! The malware hunter team has detected a new Ransomware, which leaves the victims in a dilemma between paying the ransom amount to the cyber-crook and infecting two additional systems. The Ransomware dubbed Popcorn time scans victims system and encrypts numerous file extensions including picture, document and music files.

Popcorn Time malware gives victims seven days to pay a ransom before deleting his or her files. When the ransomware is downloaded, it will show a fake loading screen as it encrypts a user’s files making them inaccessible. Popcorn Time has been updated to encrypt files on a user’s My Desktop, My Pictures, and My Music folders, according to cybersecurity site BleepingComputer.com.

Once the files are encrypted, a new screen showing a countdown and a ransom message will appear. Users can either pay 1 bitcoin to the provided Bitcoin address or infect two of their friends, and have them pay the fee instead. Once the user pays the ransom, they will get a decrypt code; you have four tries to type in the decrypted code before your files are deleted.

The malware ripped off the name of the torrenting site Popcorn Time. The original Popcorn Time was shut down after a copyright infringement suit brought by the Motion Pictures Association of America followed by a series of DNS attacks. Since then, however, Popcorn Time variants have appeared under multiple domain names.

The code for the streaming site is also available on the coding platform Github. A new web version called Popcorn Time Online has since launched, which allows you to stream Torrents directly from the browser instead of having to download an app

The ransom screen that appears on Popcorn Time includes some backstory on the creators. They purport to be a group of computer science students from war-torn Syria, in desperate need of cash. The message says the money will go towards supplies for the affected families.

“Be perfectly sure that the money we get goes toward food, medicine, and shelter to our people. We are extremely sorry we are forcing you to pay but that’s the only way we can go on living.

Specifically, the malware will give you a link to send to two of your friends, and if they both get infected and pay the ransom, the program will decrypt your files for free. At least it says it will. As with all things ransom-related, there are no guarantees.

Needless to say, infecting your friends with malware to save yourself is highly unethical, and also probably illegal. If you do get infected with Popcorn Time or any other ransomware, your best bet is to contact trained security professionals. Better yet, make sure to back up your files and keep them on a hard drive that’s not connected to your main computer. That, and don’t download sketchy pirate software.

What is Popcorn Time Ransomware?

The Ransomware shares the name of a bit torrent client, which allowed users to download and stream films. This has been intentionally done to trick users into installing it, by posing as setup wizard for legitimate software. It should be remembered that original Popcorn Time was shut down due to a series of DDOS attacks, moreover, reports were stating that Popcorn Time variants (the bit-torrent client) have re-appeared under multiple domain names.

How does it work?

Once executed, it will first check whether Ransomware is running by checking the files in Application Data or App Data. Any software installed in Windows operating system installs its folder in AppData and stores information there. If the file is already present, then the Ransomware will terminate itself.

Otherwise, the Ransomware will initiate the encryption of files. Popcorn Time Ransomware uses AES encryption, which encrypts xlsm, .syncdb, .pptm, .doc and .mdbackup files. To every encrypted extension, .filock is added. After successful encryption is carried out, it displays a note encouraging victims to pay a ransom of one Bitcoin, which can be paid within a week.

What makes it peculiar?

The victims need to promote this link to any two people so that that their systems are infected. The malicious link will download the Ransomware onto their system. If at least two of these other people pay the ransom, the files are decrypted free of charge.

How to Prevent?

  1. Make use of eScan products, which combat the threat of Ransomware with its PBAE Technology.
  2. Always download apps from their official website or Google Play Store instead of unknown sources because many apps store an is still offering the app.
  3. Download applications of a reliable app developer and check the user ratings and reviews of the apps before download.
  4. Ensure that all the software installed on your system is updated frequently, including Oracle Java and Adobe.
  5. Implement a three-dimensional security policy in your organization, i.e. firstly understand your requirement based on which IT Security policy would be prepared accordingly. Secondly, educate your staff about the policy and finally enforce the policy.
  6. Make sure you either implement MailScan at the gateway level or enable Mail Anti-virus on the endpoint to block extensions such as *.EXE, *.SCR, *.JS, *.VBE etc. These attachments would infect your system.
  7. Open emails only if you are positive about the source.
  8. Regularly create a backup of your important files.