New Popcorn Time Ransomware Turns Victims into Attackers

Posted by Geraldine Hunt on Wed, Jan 25th, 2017

A new ransomware variant called ‘Popcorn Time’ has been discovered. It uses an inventive approach to increase infections: the malware turns victims into attackers by offering a pyramid scheme type  discount. Popcorn Time malware deletes your files unless you infect your friends or pay a ransom. Like all of its ransomware predecessors, it is designed to encrypt your files so that they are inaccessible.  Once infected, the owner of the files is alerted of the encrypted status of his or her files and told to pay a ransom in order to obtain the decryption key.  Popcorn Time uses AES-s56 encryption and targets more than 500 different file types that reside in the computer owner’s library. These files include My Document, My Pictures, My Music, etc.

Payment Options!

The current ransom for Popcorn stuTime is a single Bitcoin, which currently translates to around $780. A ransom note that is stored in two files, restore_your_files.html and restore_your_files.txt, alerts the victim that they have seven days to pay the ransom.  The note includes the personal ID assigned to the computer in order for payment credit and a link to send the required funds.  This type of extortion announcement is common to all ransomware attacks.  This payment process is referred in the ransom note as “The Fast and Easy Way.”  In other words, pay the fee to decrypt your files and get on with your life.

Popcorn Time – Turning victims into attackers

What makes Popcorn Time unique from its predecessors is that the ransom note includes a second method to which one can retrieve the decryption key.  Popcorn Time malware offers users free removal if they get two other people to install link and pay. Referred to as “The Nasty Way,” the note reads:

“Send the link below to other people.  If two or more people will install this file and pay, we will decrypt your files for free.”

The concept is much like the chain emails that were common years ago in which a receiver was encouraged to forward an email to a set number of people in order to avoid bad luck. We will never know just how many people actually took the time to forward those emails but is anyone that unscrupulous to knowingly infect people they know? If one puts aside the ethics of all of this, the idea of encouraging people to infect others that they know could prove a far more effective way to deliver malware.  Most people have received some type of email from someone whose email account was compromised by a spammer.  These instances are easy to identify in that one receives an email addressed to a long list of recipients that usually includes one line that says something like, “I think you might find this interesting”, followed by a link which in turn downloads the malware and infects the computer.  

Turning Victims Against Their Associates

Now imagine receiving an email from a “friend of yours” (maybe not a friend for long however) in which they write a couple of paragraphs about their latest vacation, or a short paragraph on a hot new restaurant they discovered last weekend.   The narrative would then be followed by a link.  The personalization of these emails would greatly induce one to click the link.  Anyone who does choose to forward the link is in fact committing a crime just as serious as the cybercriminal that sent the original email.

Like any form of ransomware, there is no guarantee that one will ever receive the decryption key once the ransom is paid which is why many cybersecurity professionals recommend not paying it.  In the case of forwarding the ransomware to others, who’s to say that people down the line will pay?  What if they prove just as unscrupulous as the person who forwarded it to them and they choose option #2?  The more concerning question becomes what if your colleagues do become infected?  Who’s to say that the cybercriminal does not come back and demand a ransom in exchange for not calling you out publicly?  

Another more subtle new attribute of this ransomware strain is that the malware will delete all of your files if the wrong decryption code is typed into the input field 4 times.  It is not uncommon for ransomware strains to delete files.
Like all ransomware, a good backup is the antidote to circumvent the damaging effects of encrypting your files.  Unfortunately, many people do not take the need to back up their files seriously, which is why even though the money is not as big, personal users will continue to be targeted victims of ransomware. A recent report from Kaspersky suggests ransomware attacks have significantly increased over the last 12 months. SMBs were hardest hit, with 42% of them falling victim to a ransomware attack over the past 12 months.

How to beat Ransomware

Although the threats in the previous section sound scary, there are simple steps you can take to avoid and defeat them. The best way to avoid ransomware is to use common sense;

• Don't open email attachments from senders you don't recognise,
• Avoid clicking links you can’t verify are safe
• Install network security software that can prevent an infection from encrypting files on your PC
• Updates - Make sure that all your software is up to date, hackers use these vulnerabilities to attack your PC
• If you receive a document from an unknown source, don't open it
• If you receive an email from an unknown source don’t open it or click any URL in it
• Crucially, make sure you regularly back up all your company data to the cloud or another drive not connected to your network
• The best advice is to follow the 3-2-1 rule

3-2-1 backup method

In order to ensure dependable worry-free backups, you need redundancy which is what the traditional 3-2-1 Backup is all about.  The topology design of the 3-2-1 backup is as follows:
•    Have at least 3 copies of your data
•    Utilize two different media formats
•    Have one of the copies be offsite

Three copies of your data means that one copy is the original data supported by two separate backup copies.  Your data should reside on two separate mediums. It can also be traditional tape media that seems so legacy today, but is mobile enough to take offsite to a secure location such as a separate site used by your organization or even a safety deposit box at a local bank.  A possible solution which satisfies both conditions of two media types and a remote location is utilizing the snapshotting feature of your SAN infrastructure. Of course it goes without saying that any backup plan includes regular test restorations of the data to ensure that your data can be recovered intact. 

Ransomware is maturing as a form of malware and thus may evolve into new forms that can expand beyond direct physical connections.  The one certainty of ransomware however, is that maintaining a well-designed working backup solution will serve as an effective measure against the lasting effects of ransomware, no matter how it may evolve one day. 

As already mentioned, Popcorn Time ransomware is currently in development, so many things may change over time.  As this ransomware develops, we will release new information.

As usual, your best defence is to prevent infection in first place, check out these 11 things to do to decrease chances of a malware infection. If you're an IT Pro with questions about ransomware or other dangerous malware threats. Talk to a specialist or Email us at info@titanhq.com with any questions.