Popcorn Time is a strain of ransomware that asks victims to infect others.
A new strain of ransomware, not content with being as nefarious as the rest, has upped the ante. Instead of paying a bitcoin ransom to un-infect your computer and files, you can free yourself by ensnaring others.
The ransomware is named Popcorn Time, and it offers a novel way to have your files decrypted. Named “The Nasty Way” by its authors, it involves infecting two other people with the ransomware using a referral link. Yes, a referral link, like the ones offered by shopping sites that promise you a small kickback if your friend makes a purchase. But in this case, you probably won’t be keeping that friend.
If you can infect two other computers with your referral link, AND they both pay the bitcoin ransom to free their computers, you will be sent a decryption key. Infecting two other users who are also willing to pay seems difficult, but desperate users may give it a shot, doing more damage in an attempt to save themselves.
Lawrence Abrams, founder of BleepingComputer.com, told Threatpost, “I have never seen anything like this in ransomware. This is definitely a first.”
Abrams also noted that intentionally infecting another computer is a criminal offense.
If you can’t find anyone to infect – or realize that it’s a horrible and illegal thing to do – you can still un-infect yourself with a traditional bitcoin ransom. The examples seen so far have demanded one bitcoin, worth approximately $775.
Recently, ransomware, and malware in general, has been taking advantage of social engineering, the practice of manipulating people into performing an action (opening a malicious file) or providing confidential information (like passwords). We could also call this ‘conning.’
One of the most popular tactics is to disguise the ransomware as an unpaid invoice or bill. Social engineering techniques take advantage of our perceptions and biases – for instance, a business may be more likely to open a purchase order it doesn’t recognize, hoping to have made a sale, while an individual may be more concerned about an overdue bill.
With the ever-increasing number of strains and distributors, ransomware has to be as innovative as a Silicon Valley start-up. Maybe this new ‘hostage exchange’ method is the next hot trend for hackers.
Popcorn Time was originally discovered by MalwareHunterTeam.
The other interesting component of this story is where this ransomware strain originated. We just alluded to the fact that ransomware has to be as innovative as a Silicon Valley start-up, but Popcorn Time’s point of origin couldn’t be farther from Silicon Valley.
This ransomware originated in Syria. Per its creators:
“We are a group of computer science students from Syria, as you probably know Syria is having [sic] bad time for the last 5 years. Since 2011 we have more the half million people died and over 5 million refugees. Each part of our team has lost a dear member from his family. I personally have lost both my parents and my little sister in 2015. The sad part of this war is that all the parts keep fighting but eventually we the poor and simple people suffer and watching out family and friends die each day. The world remained silent and no one helping us so we decided to take an action.”
The creators’ message continues to say:
“Be perfectly sure that all the money that we get goes to food, medicine, shelter [sic] to our people. We are extremely sorry that we forcing you to pay but that’s the only way that we can keep living.”
When viewed through this lens, the ransomware strain becomes a tragic cry for help from an extremely imperiled part of the world. Without editorializing too much, it’s heartbreaking to think what these students’ technological savvy and brainpower could have been applied to were they living in better circumstances. Instead, they have (due to circumstances beyond their control) created a terrifyingly innovative piece of malware unlike anything we’ve seen before.