Popcorn Time is based on the open-source “educational” ransomware Hidden Tear. This ransomware uses the same techniques as most others (it is disguised as a legitimate app, encrypts files, and demands a ransom), but it reminds us that malware writers will continue to find unique ways to stand out.
It is not uncommon for malware authors to continuously update their code to infect as many victims as possible. The low rate of samples and the lack of funds coming in may explain why we continue to see updated versions of the ransomware. Also, the Bitcoin address associated with Popcorn Time shows that no one has paid the ransom. We have seen a very small discovery rate, with detections in North America, Western Europe, and Eastern Europe. Malware writers pretending their actions are beneficial is nothing new in the world of ransomware. At the time of this writing, the ransomware does not appear to be spreading as quickly as prominent ransomware such as Locky or Cerber. The ransomware also attempts an emotional appeal by claiming all monies collected will go to food, medicine, and shelter for people living in Syria. The first sample discovered targeted only a test folder on the Windows desktop, but current samples show the ransomware will encrypt files located in My Documents, My Pictures, and My Music, as well as on the desktop.
The malicious software pretends to be a legitimate copy of the real Popcorn Time. Details in the unfinished code also show the ransomware will start deleting random files if a user enters the wrong decryption key four times. It seems like a crude way to spread ransomware, but malware writers will do anything to stand out from the countless variants we see every day. This is the first time we have seen a threat actor give the victim an option to gain access to the decryption keys.
The ransom note gives the victim seven days to choose either option or the files will be lost forever.
“Popcorn Time” is a legitimate application for streaming movies and series. It gives the victim the option of paying the ransom or infecting two other individuals and getting them to pay. In early December the new ransomware “Popcorn Time” was discovered.