I wrote this article to help you remove Popcorn Time Ransomware. This Popcorn Time Ransomware removal guide works for all Windows versions.
Popcorn Time ransomware is a type of virus which targets files. This kind of infection is also called a win-locker. Popcorn Time ransomware will encrypt most of your personal files, including your text documents, photos, audio files, videos, databases, archives, and presentations. The insidious program will demand a ransom to unlock them. The cyber criminals behind the win-locker give victims two options. They can either pay the ransom or spread the virus to at least two other people. Either choice is both humiliating and degrading. If you would rather not stoop so low, you can instead delete the win-locker and try to recover your data on your own.
Popcorn Time ransomware uses the AES-256 encryption algorithm to render files inaccessible. It targets 525 formats in total. At first, a demo version of the infection was released. It would only encrypt files from a test folder called Efiles. The win-locker would create this folder by itself and place it on the desktop. After a while, the full version of Popcorn Time ransomware was launched. It targets objects from the desktop and the folders My Documents, My Pictures, and My Music. There are two variants of the win-locker, which differ only in the custom extension they append to encrypted files. The first version adds the suffix .filock, while the second uses the suffix .kok.
During the encryption process, Popcorn Time ransomware displays a fake installation screen. After it has completed the encryption, the win-locker decodes two base64 strings and saves them as files in .html and .txt format. These objects are used as ransom notes. The nefarious program titles both of them restore_your_files. The .html note is opened automatically. The message explains everything in detail. It informs victims that their files have been encrypted and states why. There are instructions on how to pay the ransom and how to notify the developers of Popcorn Time ransomware that you have completed the payment. The note goes on to elaborate what will happen after you pay the sum and explains what you need to do to perform the decryption.
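The indicators described above (the .filock and .kok suffixes, the restore_your_files notes and the Efiles test folder) can be inventoried with a short read-only PowerShell script. This is an added example, not part of the original guide; it assumes the ransom notes sit in the same user folders the ransomware targets, which the article does not state.

```powershell
# Added example: inventory the Popcorn Time indicators named in this article.
# Read-only on purpose: nothing is written, so deleted originals that a
# file recovery tool might still find are not overwritten.

# Folders the article says the full version targets
$folders = 'Desktop', 'MyDocuments', 'MyPictures', 'MyMusic' |
    ForEach-Object { [Environment]::GetFolderPath($_) } |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) } |
    Select-Object -Unique

$encryptedExt = '.filock', '.kok'    # suffixes used by the two variants
$noteNames    = 'restore_your_files.html', 'restore_your_files.txt'

$findings = foreach ($folder in $folders) {
    Get-ChildItem -LiteralPath $folder -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # -contains is case-insensitive, so .FILOCK also matches
            $kind = if ($encryptedExt -contains $_.Extension) { 'EncryptedFile' }
                    elseif ($noteNames -contains $_.Name)     { 'RansomNote' }
            if ($kind) {
                [pscustomobject]@{
                    Kind          = $kind
                    Path          = $_.FullName
                    LastWriteTime = $_.LastWriteTime
                }
            }
        }
}

# Test folder created on the desktop by the demo version
$efiles = Join-Path ([Environment]::GetFolderPath('Desktop')) 'Efiles'
if (Test-Path -LiteralPath $efiles -PathType Container) {
    Write-Warning "Demo-version test folder present: $efiles"
}

if ($findings) {
    $findings | Group-Object Kind | Select-Object Name, Count | Format-Table -AutoSize
    # The earliest timestamp approximates when encryption started, which
    # helps when picking a shadow copy or restore point that predates it.
    $first = $findings | Sort-Object LastWriteTime | Select-Object -First 1
    'Earliest indicator: {0} ({1})' -f $first.Path, $first.LastWriteTime
} else {
    'No .filock/.kok files or restore_your_files notes found in the scanned folders.'
}
```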
The owners of Popcorn Time ransomware demand a ransom payment of 1.0 bitcoin. This corresponds to $994.86 USD, according to the current exchange rate. Victims have a limited amount of time to make the payment. The renegade developers store the private decryption key on a remote server. It is set to be deleted in 7 days. If you fail to make the payment on time, you would not be able to obtain it. There is a countdown clock in the .html ransom note which measures the time left before the deletion. This is a clever addition to the message, as it keeps the victim anxious. The creators of Popcorn Time ransomware have chosen bitcoins as the payment method for a reason. The platforms which trade this cryptocurrency protect the anonymity of the parties involved. The recipients cannot be tracked down.
Popcorn Time ransomware has a few unique characteristics. To begin with, the developers of the rogue program introduce themselves as students from Syria. They claim that the proceeds from the ransom payments would be used for humanitarian causes. Of course, there is no way to confirm this. Keep in mind that it is not above cyber criminals to make false claims. Another interesting note about Popcorn Time ransomware is that the developers of the program have included a security function. If the user enters an incorrect decryption code four times, the win-locker will delete the encrypted files. The final specification about Popcorn Time ransomware was already noted. The sinister program gives victims the chance to redeem their PC by spreading the infection to at least two other people.
If a victim tries to save his own system by transferring the virus to you, he will probably do what the attackers do when spreading the virus. Popcorn Time ransomware is distributed through spam email campaigns. To protect your machine from the shady program, you need to stay alert to suspicious messages. Leaving aside potential letters from victims, we can give examples of the official spam campaigns which distribute the win-locker. The fake message will talk about an important matter to get your attention. It can say that you have a delivery package to claim, writing on behalf of the national post or a courier firm. The sender can state that you need to make a settlement which involves a financial transaction, like paying a bill or a fine. The notification can be on behalf of a government branch, a bank, or the local police department. To check whether a given email is legitimate, verify the sender’s contact details. They should match the contact details of the organization he claims to be representing.
Popcorn Time Ransomware Removal
Method 1: Restore your encrypted files using ShadowExplorer
Usually, Popcorn Time Ransomware deletes all shadow copies stored on your computer. Luckily, the ransomware is not always able to delete the shadow copies, so your first attempt should be to restore the original files from shadow copies.
- Download ShadowExplorer from this link: http://www.shadowexplorer.com/downloads.html.
- Install ShadowExplorer
- Open ShadowExplorer and select C: drive on the left panel
- Choose a date at least a month ago from the date field
- Navigate to the folder with encrypted files
- Right-click on the encrypted file
- Select “Export” and choose a destination for the original file
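Before installing ShadowExplorer, you can check whether any shadow copies survived. The following is an added example, not part of the original guide; it must be run from an elevated PowerShell prompt, and the 30-day cutoff is an assumption standing in for "at least a month ago".

```powershell
# Added example: list the volume shadow copies that still exist for C:.
# Requires an elevated (Run as administrator) PowerShell session.

# Win32_ShadowCopy identifies its volume by GUID path, so resolve C: first
$volume = Get-CimInstance Win32_Volume -Filter "DriveLetter = 'C:'"

$copies = @(Get-CimInstance Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volume.DeviceID } |
    Sort-Object InstallDate)

if ($copies.Count -eq 0) {
    # The ransomware succeeded in deleting them; Method 1 cannot work
    'No shadow copies exist for C:. Skip ShadowExplorer and try the next method.'
} else {
    $cutoff = (Get-Date).AddDays(-30)    # assumed meaning of "a month ago"
    $copies |
        Select-Object ID, InstallDate,
            @{ Name = 'AtLeast30DaysOld'; Expression = { $_.InstallDate -lt $cutoff } } |
        Format-Table -AutoSize

    $old = @($copies | Where-Object { $_.InstallDate -lt $cutoff })
    if ($old.Count -eq 0) {
        # A snapshot taken after the encryption holds encrypted files only
        'Only recent shadow copies exist. Use one created before the files were encrypted.'
    } else {
        'Shadow copies at least 30 days old: {0}' -f $old.Count
    }
}
```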
Method 2: Restore your encrypted files by using System Restore
- Go to Start -> All programs -> Accessories -> System tools -> System restore
- Click “Next”
- Choose a restore point, at least a month ago
- Click “Next”
- Choose Disk C: (should be selected by default)
- Click “Next”. Wait for a few minutes and the restore should be done.
Method 3: Restore your files using File Recovery Software
If none of the above methods works, you should try to recover the encrypted files by using File Recovery Software. Since Popcorn Time Ransomware first makes a copy of the original file, then encrypts it and deletes the original one, you can successfully restore the original using File Recovery Software. Here are a few free File Recovery Software programs: