"Refer-a-friend" Ransomware and How It Works.

Posted by Sagiss LLC on Tue, Jan, 17, 2017 @ 11:01 AM


What Is It?

Ransomware has sunk to new all-time-lows with its latest itteration of malware. Dubbed "Popcorn Time," the new ransomware variant informs infected users that they have a week to pay one bitcoin (approximately $834 currently) to have their files decrypted. But there's also a second option.


Users can "refer-a-friend" as substitute victims of the ransomware. In such a scenario, the infected user is able to avoid the payment by directing the malware to a list of other people. Once two people on that list have paid to have thier own files released, the original infected user receives a decryption key. Infection of your "friends" is confirmed via a referral link and once both users have submitted payment, the original user gets their decryption key for free.

Decryptors beware. You will only have four times to enter the key correctly. If by some unforeseeable reason your copy and paste keys decide to stop working after four tries, your files may get deleted. This is a newer ransomware, so it is still in development and is not live, according to Lawrence Abrams at Bleeping Computer.


How Does It Work?

The malware works like this:

  1. Popcorn Time ransomware starts
  2. Popcorn Time checks to see if it has been run before
  3. Checks for files with been_here attached

If the programs finds a been_here file, the ransomware will terminate itself because that computer's files have already been encrypted. If no such file is found, the program will then do one of two things:

  • Download various images and use them as backgrounds, or
  • Start encrypting your files.

The ransomeware currently targets files located in My Documents, My Pictures, My Music and the victims desktop. The encryption process uses AES-256 encryption and appends the encrypted file with the .filock extension. 

Story Telling infectors

The ransomware, which was originally found by MalwareHunter group, also gives victims a unique backstory to its intentions.


Graphic courtesy Bleeping Computer, LLC. Used with permission.

“We are a group of computer science students from Syria, as you probably know Syria is having bad time for the last 5 years,” the hackers explain. “Since 2011 we have more the half million people died and over 5 million refugees.”

The note continues and says that each part of their team has lost a member of their family and that the attacker personally lost both their parents and younger sister in 2015.

Don't worry though. Your hard earned money, however, appears to be all for a good cause....

"Be perfectly sure that all the money that we get goes to food, medicine, shelter to our people. We are extremely sorry that we forcing you to pay but that's the only way that we can keep living."–Hey, at least they said they were sorry.

Readers should note that this ransomware is not related with the torrent site “Popcorn Time.”

Once this new referral-form of ransomware goes live, it will be interesting to see how the cybersecurity sector handles the black hat community's new sleazeball campaign. Until then, we'll keep our eyes and ears open for the latest news on "Popcorn Time."