Sagiss | Managed Services Blog

"Refer-a-friend" ransomware and how it works.

Posted by Sagiss LLC on Tue, Jan, 17, 2017 @ 11:01 AM



Get that popcorn ready, because there's a new horror flick in town. Well, you can't watch it, but it will leave you feeling a little fearful.

What is it?

Ransomware has sunk to new all-time-lows with its latest itteration of malware. Dubbed "Popcorn Time," the new ransomware variant informs infected users that they have a week to pay one bitcoin (approximately $834 currently) to have their files decrypted. But there's also a second option.


Graphic courtesy Bleeping Computer, LLC. Used with permission.


Users can "refer-a-friend." It's just like how you image friend referrals, but with a twist. In fact, two other users must be infected and pay the bitcoin to avoid payment. Infection of your "friends" is confirmed via a referral link and once both users have submitted payment, the original user gets their decryption key for free.

Decryptors beware. You will only have four times to enter the key correctly. If by some unforeseeable reason your copy and paste keys decide to stop working after four tries, your files may get deleted. This is a newer ransomware, so it is still in development and is not live, according to Lawrence Abrams at Bleeping Computer.


How it works

  • Popcorn Time ransomware starts
  • Popcorn Time checks to see if it has been run before
  • Checks for files with been_here attached

If it finds a been_here file, the ransomware will terminate itself because the files are already encrypted. If it doesn't find any, then the program will do one of two things:

  • Download various images and use them as backgrounds, or
  • Start encrypting your files.

The ransomeware currently targets files located in My Documents, My Pictures, My Music and the victims desktop. The encryption process uses AES-256 encryption and appends the encrypted file with the .filock extension.

Here are the known file extensions Popcorn Time encrypts:


Graphic courtesy Bleeping Computer, LLC. Used with permission.


Story telling infectors

The ransomware, which was originally found by MalwareHunter group, also gives victims a unique backstory to its intentions.


Graphic courtesy Bleeping Computer, LLC. Used with permission.


“We are a group of computer science students from Syria, as you probably know Syria is having bad time for the last 5 years,” the hackers explain. “Since 2011 we have more the half million people died and over 5 million refugees.”

The note continues and says that each part of their team has lost a member of their family and that the attacker personally lost both their parents and younger sister in 2015.

Don't worry though. Your hard earned money, however, appears to be all for a good cause....

"Be perfectly sure that all the money that we get goes to food, medicine, shelter to our people. We are extremely sorry that we forcing you to pay but that's the only way that we can keep living."–Hey, at least they said they were sorry.

Readers should note that this ransomware is not related with the torrent site “Popcorn Time.”

Once this new referral-form of ransomware goes live, it will be interesting to see how the cybersecurity sector handles the black hat community's new sleazeball campaign. Until then, we'll keep our eyes and ears open for the latest news on "Popcorn Time."