New ransomware trick: infect your friends to recover encrypted files

Cyber criminals seem to be running out of ideas how to convince victims to pay ransoms. They’ve got so desperate that they are trying to involve victims in the distribution of the ransomware viruses. Recently, a new ransomware has been discovered, which is known as Popcorn Time virus[1]. This example of a ransom-demanding virus provides victims an unusual and nasty opportunity to “earn” the key required for data recovery. Popcorn Time virus offers two data recovery options – the victim can restore files “the fast and easy way” by paying 1 Bitcoin (which is more or less $772), or go the “nasty way” and contribute to virus’ proliferation. Victims can spread the virus using a particular URL and hope that victims who install it will pay the ransom. The ransomware says that in order to get the free decryption key, the victim needs to infect two people who will be willing to pay a ransom[2].

Popcorn Time ransomware suggests infecting other people to recover files

At the moment, the virus is in-development and is capable of encrypting files stored in My Documents, My Pictures, Desktop, and My Music folders. To encode data, ransomware uses AES-256 encryption[3]. Every encrypted file gets either .filock or .kok extension. Once files are locked, the ransomware creates ransom notes called restore_your_files.html and restore_your_files.txt and saves them to every folder that contains some encrypted data. The HTML file is automatically launched via default web browser. What is interesting is that the ransomware authors pretend to be good people.[4] Cyber criminals justify themselves by saying that they are a group of computer science students from Syria who are trying to collect money for food, medicine, and shelter to people due to war-related violence. It is a trick to evoke victim’s compassion and force him/her to pay the ransom. The ransom note urges to pay the ransom as soon as possible – ideally, within seven days, because according to cyber criminals, the decryption key gets destroyed after seven days and then the victim loses all chances to recover them. What is more, there were signs in ransomware’s source code that indicate its authors’ intentions to delete victim’s files in case he/she enters a wrong decryption key four times.

You must know that spreading ransomware is a criminal activity, despite the fact that you have become a victim yourself. Besides, your friends might be more aware of ransomware or simply have their computers protected with anti-malware or antivirus, and we doubt that you want to put yourself in a traitor’s position. Finally, your pals might refuse to pay the ransom as well, or even if they do, criminals might not be willing to provide you with the decryption key. Therefore, you should leave everything as it is and rush to remove PopcornTime virus. To recover lost files, use a backup.[5]

About the author
Olivia Morelli
Olivia Morelli - Ransomware analyst

Olivia Morelli is News Editor at She covers topics such as computer protection, latest malware trends, software vulnerabilities, data breaches, and more.

Contact Olivia Morelli
About the company Esolutions