
Popcorn Time Ransomware

By GoldSparrow in Ransomware

The 'Popcorn Time' Ransomware was reported by security researchers who came across samples submitted to Google's VirusTotal. Snippets of code were shared on forums hosted on the Tor network, and investigators determined that the 'Popcorn Time' Trojan was still under development at the time of writing. The 'Popcorn Time' Ransomware does not appear to introduce new file-encryption features and works similarly to well-known threats such as the Crysis Ransomware and TeslaCrypt. Security experts note that the 'Popcorn Time' Ransomware could easily be packed as a file with a double extension and distributed in a wave of spam emails sooner rather than later.

A Lock Screen that Says 'Downloading and Installing' Covers the Encryption Process

Samples of the 'Popcorn Time' Ransomware show that its authors may have drawn inspiration from the Fantom Ransomware and the Comrade Circle Ransomware. The 'Popcorn Time' Ransomware is designed to load a fake 'Downloading and Installing' screen resembling the one Windows 10 displays while installing updates. Needless to say, while the fake 'Downloading and Installing' screen is on display, your files are being encrypted. The 'Popcorn Time' Ransomware Trojan disables keyboard shortcuts and tools such as the Task Manager to simulate the environment of a legitimate OS update. Successful encryption is followed by a lock screen that includes payment instructions and shows the following notification at the top:
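The behaviour described above (Task Manager disabled while many files are renamed behind a fake update screen) can be hunted for in endpoint telemetry. The following is an added detection example, not code from the original page or from the threat itself: it assumes Sysmon-style JSON event lines (constructed here), assumes the Task Manager is disabled through the common DisableTaskMgr policy value (the page does not name the mechanism), and uses a made-up '.locked' extension for the sample renames.

```python
import json
from collections import defaultdict

# Assumed policy value commonly used to disable Task Manager; the page does not name the key.
TASKMGR_POLICY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"


def build_sample_log():
    """Constructed Sysmon-style JSON lines (not real telemetry): one ransomware-like process
    (pid 4242), one installer that only renames files (pid 1111), one admin tool that only
    sets the policy (pid 9001). The '.locked' extension is made up for the example."""
    lines = [json.dumps({"t": 0, "pid": 4242, "type": "reg_set", "key": TASKMGR_POLICY, "value": 1}),
             json.dumps({"t": 1, "pid": 9001, "type": "reg_set", "key": TASKMGR_POLICY, "value": 1})]
    for i in range(30):
        lines.append(json.dumps({"t": 2 + i, "pid": 4242, "type": "file_rename",
                                 "old": f"C:\\Users\\u\\doc{i}.docx",
                                 "new": f"C:\\Users\\u\\doc{i}.docx.locked"}))
        lines.append(json.dumps({"t": 2 + i, "pid": 1111, "type": "file_rename",
                                 "old": f"C:\\Temp\\pkg{i}.tmp", "new": f"C:\\Temp\\pkg{i}.dll"}))
    return "\n".join(lines)


def find_suspects(log_text, window_s=120, min_renames=20):
    """Flag processes that set DisableTaskMgr=1 and then, within window_s seconds, rename
    at least min_renames files by appending a new extension. Returns {pid: rename_count}."""
    policy_time = {}              # pid -> first time it disabled Task Manager
    renames = defaultdict(list)   # pid -> times of extension-appending renames
    for line in log_text.splitlines():
        ev = json.loads(line)
        if ev["type"] == "reg_set" and ev["key"] == TASKMGR_POLICY and ev["value"] == 1:
            policy_time.setdefault(ev["pid"], ev["t"])
        elif ev["type"] == "file_rename" and ev["new"].startswith(ev["old"]):
            # new name == old name + suffix: the pattern of encryptors that append an extension
            renames[ev["pid"]].append(ev["t"])
    suspects = {}
    for pid, t0 in policy_time.items():
        hits = [t for t in renames.get(pid, []) if t0 <= t <= t0 + window_s]
        if len(hits) >= min_renames:
            suspects[pid] = len(hits)
    return suspects


if __name__ == "__main__":
    print(find_suspects(build_sample_log()))  # only pid 4242 meets both conditions
```

Neither the installer (renames without disabling Task Manager) nor the admin tool (policy change without mass renames) is flagged; only the process that does both inside the window is.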

'Warning Message!!
We are sorry to say that your computer and your files have been encrypted but wait. don't worry. There is a way that you can restore your computer and all of your files
[countdown timer starting from 7 days]
When countdown ends your files will be lost forever
You must send at least [Bitcoin amount] Bitcoin to our wallet and you will get your files back
Your personal unique ID: Send [Bitcoin amount] BTC to this address:
[34 random characters]'

Victims are Told that Paying the Ransom would Provide Food and Shelter to Poor Citizens in Syria

Underneath the notification, the user is presented with a scrollable window whose rather unusual content lays out the payment instructions. Payment can be made in two forms: sending Bitcoin, or infecting the machines of your friends and family.

'Restoring your files - The fast and easy way
To get your files fast, please transfer 1.0 Bitcoin to our wallet address [34 random characters]. When we will get the money, we will immediately give you your private decryption key. Payment should be confirmed in about 2 hours after payment made.
Restoring your files - The nasty way
Send the link below to other people, if two or more people will install this file and pay, we will decrypt your files for free.
What we did?
We had encrypted all of your important images, documents, videos and all other files on your computer. We used a very strong encryption algorithm that used by all governments all over the world (Encryption -Wikipedia). We store your personal decryption code to your files on our servers and we are the only ones that can decrypt your files. Please don't try to be smart, anything other than payment will cause damage to your files and the files will be lost forever!!!
If you will not pay for the next 7 days, the decryption key will be deleted and your files will be lost forever.
Why we do that?
We are a group of computer science students from Syria, as you probably know Syria is having bad time for the last 5 years. Since 2011 we have more the half million people died and over 5 million refugees. Each part of our team has lost a dear member from his family. I personally have lost both my parents and my lithe sister in 2015. The sad part of this war is that all the parts keep fighting but eventually we the poor and simple people suffer and watching our family and friends die each day. The world remained silent and no one helping us so we decided to take an action. (Syria War in Wikipedia)
Be perfectly sure that all the money that we get goes to food, medicine, shelter to our people. We are extremely sorry that we forcing you to pay but that's the only way that we can keep living.'

Apparently, the makers of the 'Popcorn Time' Ransomware may be willing to provide a free decryptor to users who are prepared to spread the threat to their friends. Do not believe that paying the ransom would give poor people in Syria shelter and food; there is no evidence that the money funds such a noble cause. The claims in the notification above are meant to lure users into paying the ransom. Variants of the 'Popcorn Time' Ransomware appear to demand between 0.5 Bitcoin and 1 Bitcoin, which corresponds to 385 USD and 770 USD. Security experts remind users that threats like the 'Popcorn Time' Ransomware can be countered quite easily. Your best defense against the 'Popcorn Time' Ransomware is to keep backups on drives that are not mapped to the infected machine, including cloud services such as Google Drive and Dropbox. You will need a reputable anti-malware utility to eliminate the 'Popcorn Time' Ransomware and secure a clean slate before restoring your data.
