A couple of days ago, the researchers at MalwareHunterTeam discovered a ransomware virus called Popcorn Time. The malicious software shares a common name with an application which downloads and streams copyrighted movies. There is no connection between the two programs.
The analysis of MalwareHunterTeam showed that Popcorn Time ransomware is still in the works. In the early stages of the program’s existence, it exhibits the basic traits of ransomware infections. The virus uses AES-256 encryption algorithm to lock files. The version the researchers discovered only targets a test folder called Efiles which is placed on the desktop. The ransomware appends the suffix .filock to the names of the encrypted objects.
While performing the encryption, Popcorn Time displays a bogus installation screen. The infection poses as the setup wizard of the aforementioned program. Upon completing the encryption, the virus converts two base64 strings and saves them to the hard drive. They serve as ransom notes. Popcorn Time names them restore_your_files.html and restore_your_files.txt.
Popcorn Time is scheduled to do a checkup upon penetrating a computer. It scans the %AppData% directory for two files, called been_here and server_step_one. Their presence indicates that the virus has already completed its tasks. If they are found, the program will terminate its processes. If not, it will commence the encryption.
Another couple of files which indicate the presence of Popcorn Time on the operating system are the installer hash SHA256: fd370e998215667c31ae1ac6ee81223732d7c7e7f44dc9523f2517adffa58d51 and the registry key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “Popcorn_Time” [path_to]\popcorn_time.exe
The discovery MalwareHunterTeam made about Popcorn Time ransomware is both remarkable and appalling at the same time. The virus is the first of its kind to offer victims a reprieve in exchange for collaborating in the scheme. The users who contact Popcorn Time are given the opportunity to earn a free decryption key.
You have to work for the cyber criminals to receive a free key
The developers of Popcorn Time ransomware have thought of an easy way to spread their virus and increase the proceeds. The users whose computers fall victim to the ransomware are given the chance to redeem themselves by becoming accomplices in the scam. They need to assist the hackers in their venture.
The cyber criminals have included a URL in the ransom note which leads to the program. It is hosted on the TOR server. The server is currently down, so there is yet no information on how the host file would be shown.
To end up on the plus side, the hackers require victims to get at least two people to pay the ransom. Upon completing the requirement, the user should receive the free decryption key from the website http://popcorn-time-free.net.
Entering a wrong decryption key 4 times could result in data loss
As we already mentioned, Popcorn Time ransomware in still in its developmental stages. The build which was discovered reveals that an additional function is scheduled to be included to the program.
When started, Popcorn Time displays a lock screen. There are three fields where certain information needs to be entered. The personal unique ID of the victim is to be typed into the field which contains the text [UID]. The bitcoin wallet address of the hackers is to be pasted into the field which lists the text [WADDRESS]. The field where the decryption key needs to be written is blank.
The source code of Popcorn Time ransomware indicates that the renegade developers are planning to add a function for deleting files. The deletion would be prompted only if the victim enters an invalid decryption key 4 times.
As Popcorn Time ransomware is still unfinished, it remains to be seen what the complete build of the program will be like. The initial signs are bad. The cyber criminals try to push the victims to work in their favor. People are given a limited amount of time to consider their options and take action, as the deadline for using a decryption key is 7 days.