'Popcorn time' ransomware offers amnesty to collaborators

News by Max Metzger

A recently discovered strain of ransomware is letting its victims off the hook, as long as they find more victims to infect.

A new piece of ransomware offers its victims amnesty in exchange for passing the infection on. Popcorn Time, first reported by security researcher Lawrence Abrams, offers its unfortunate victims a way out, as long as they refer two more possible victims. If those subsequent victims pay up, then the original victim is offered a decryption key, allowing them to unlock all their files from the grasp of AES-256 encryption.

A message sent to victims reads, “We are sorry to say that your computer and your files have been encrypted, but wait, don't worry. There is a way you can restore your computer and all of your files… Send the link below to other people, if two or more people will install the file and pay, we will decrypt your files for free.”

The disclosing message also includes an array of information on what Popcorn Time does, how to pay and even what bitcoin is. It also offers an explanation of why the ransomers are using Popcorn Time.

The ransomers claim to be a group of Syrian computer science students, all of whom have lost family members as a result of the bitter civil war now raging in the country.

The group cites international inaction as the reason for their ransomware campaign: “the sad part of this war is that all parts keep fighting but eventually we the poor and simple people suffer and watch our family and friends die each day. The world remained silent and non helping us so we decided to take action.”

Victims are given a week to either pay up or pass the infection on; if no payment is received in seven days then the decryption key will apparently be deleted.

According to Abrams, Popcorn Time's code is incomplete, so it is not quite clear how exactly it will work or be delivered. It is suspected, however, that if a victim enters the wrong decryption key more than four times, Popcorn Time will delete files.

The ransomware industry has become so professionalised that some services even offer customer support and rewards for prompt payment. David Emm, principal security researcher at Kaspersky Lab, told SC Media UK that this kind of innovation is to be expected: “Cyber-criminals are always looking for an ‘angle’, i.e. something that might increase the likelihood that they will get a return on their investment.”

This innovation is particularly vicious, added Emm: “Taking either option simply validates the cyber-criminals' business model and fuels further ransomware development. In addition, the second option requires you to extend the misery of ransomware to others.”
