The malware is called Popcorn Time after the entirely unrelated piracy app. It was discovered by the MalwareHunterTeam research group and has a unique characteristic that differentiates it from other ransomware. Popcorn Time appears to be the first “social” malware, encouraging its victims to infect other people.
Initially, Popcorn Time acts like any other ransomware. Once installed on a computer, typically via an email or a compromised website, it encrypts the hard drive and leaves you unable to access your files. You then have to pay a ransom fee to recover your data.
Popcorn Time is different as it gives you a chance to avoid paying up. If you don’t have the cash available, you can participate in a “pyramid scheme” and refer your infection to someone else. The app allows you to share a link to the Popcorn Time download with your friends. If two of them click on it, become infected and then pay up, your own files will be decrypted for free.
This is believed to be the first time malware’s been observed to offer different marketing levels. Cybercriminals have been developing new infection techniques in recent years, particularly when ransomware is the main attack vector. By actively encouraging people to pass the infection onto others, the creators can accelerate its spread across the Internet.
Cybersecurity experts are uncertain whether the tactic will be successful. With no previous history of similar campaigns, it’s difficult to predict whether Popcorn Time’s strategy will lead to an overall increase in infections.
“No one really knows if the mechanism is going to have any meaningful impact,” Jeremiah Grossman, chief of security strategy at cybersecurity defence firm SentinelOne, said to WIRED. “You infect someone and you try to get them to infect other people. That’s a human-to-human process. Does it really scale versus all other ways, like mass-blast email? Does this process really work economically?”
Popcorn Time is still in development and its source code hints that further changes are planned. Its creator seems to be preparing a new “feature” that will delete all your files if you enter an incorrect decryption key more than four times. The program is already available in the wild though so it poses a credible threat today.
Security researchers generally advise you don’t pay the ransoms demanded by cybercriminals. There’s no guarantee a functioning decryption key will be issued, potentially leaving you out of pocket and aiding criminal activities. While there’s no easy way to recover from a ransomware technique, there are groups that can provide assistance in recovering files.
