Ransomware

Is Popcorn Time Ransomware Getting Merciful or Its Just a Hoax?

Despite there have been countless Ransomware strains with endless attacks, Ransomware authors seems to have planned to scare users with newer tactics.

We have already received Ransomware strains that would delete files if ransom isn’t paid in the prescribed time limit. Further, there are variants that locks user’s data by changing the file name, making decryption even harder. However this time, Ransomware authors decided to ensure easy flow of Popcorn Time Ransomware to reduce their effort. Or we should say, they’ve decided to be a little merciful towards victims.

Recently, another Ransomware strain called Popcorn Time was discovered by MalwareHunterTeam. The variant has an unusual way to extort money from users. If a victim successfully passes over the strain to two other users, he’d get a free decryption key. Perhaps, the victim will have to pay if he is unable to pass it over. To make it even worse, there is an unfinished code in the ransomware which might delete files if the user enters wrong decryption key 4 times.

What’s fishy about Popcorn Time Ransomware

The strain has a referral link which is kept to transmit it to other users. The original victim gets the decryption key when the further two have paid ransom. But, if they don’t then the primary victim has to make the payment. Bleeping Computer quotes, “To facilitate this, the Popcorn Time ransom note will contain a URL that points to a file located on the ransomware’s TOR server. At this time the server is down, so it is unsure how this file will appear or be disguised in order to trick people to install it.”

Further, another feature may be added to the variant that would delete files if user happens to put up incorrect decryption key 4 times. Apparently, the Ransomware is still in development stage and so it’s unknown if this tactic already exists in it or it’s just a hoax.

Popcorn Time Ransomware’s workings

Once the Ransomware is successfully installed, it checks if the ransomware has already been run via several files such as %AppData%\been_here and %AppData%\server_step_one. If the system already has been infected with the Ransomware, then the strain terminates itself. Popcorn Time understands this if the system has ‘been_here’ file. If no such file exits in a computer, the ransomware goes on to spread the viciousness. It downloads various images to use as backgrounds or start the encryption process.

Since Popcorn Time is still in its developing stage, it only encrypts a test folder called Efiles. This folder exists on the desktop of users’ and contain various files such as .back, .backup, .ach, etc. (entire list of file extensions is given below).


.1cd, .3dm, .3ds, .3fr, .3g2, .3gp, .3pr, .7z, .7zip, .aac, .aaf, .ab4, .accdb, .accde, .accdr, .accdt, .ach, .acr, .act, .adb, .adp, .ads, .aep, .aepx, .aes, .aet, .agdl, .ai, .aif, .aiff, .ait, .al, .amr, .aoi, .apj, .apk, .arch00, .arw, .as, .as3, .asf, .asm, .asp, .aspx, .asset, .asx, .atr, .avi, .awg, .back, .backup, .backupdb, .bak, .bar, .bay, .bc6, .bc7, .bdb, .bgt, .big, .bik, .bin, .bkf, .bkp, .blend, .blob, .bmd, .bmp, .bpw, .bsa, .c, .cas, .cdc, .cdf, .cdr, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cdx, .ce1, .ce2, .cer, .cfg, .cfr, .cgm, .cib, .class, .cls, .cmt, .config, .contact, .cpi, .cpp, .cr2, .craw, .crt, .crw, .cs, .csh, .csl, .css, .csv, .d3dbsp, .dac, .dar, .das, .dat, .dazip, .db, .db0, .db3, .dba, .dbf, .dbx, .db_journal, .dc2, .dcr, .dcs, .ddd, .ddoc, .ddrw, .dds, .der, .des, .desc, .design, .dgc, .dir, .dit, .djvu, .dmp, .dng, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .drf, .drw, .dtd, .dwg, .dxb, .dxf, .dxg, .easm, .edb, .efx, .eml, .epk, .eps, .erbsql, .erf, .esm, .exf, .fdb, .ff, .ffd, .fff, .fh, .fhd, .fla, .flac, .flf, .flv, .flvv, .forge, .fos, .fpk, .fpx, .fsh, .fxg, .gdb, .gdoc, .gho, .gif, .gmap, .gray, .grey, .groups, .gry, .gsheet, .h, .hbk, .hdd, .hkdb, .hkx, .hplg, .hpp, .htm, .html, .hvpl, .ibank, .ibd, .ibz, .icxs, .idml, .idx, .iff, .iif, .iiq, .incpas, .indb, .indd, .indl, .indt, .inx, .itdb, .itl, .itm, .iwd, .iwi, .jar, .java, .jnt, .jpe, .jpeg, .jpg, .js, .kc2, .kdb, .kdbx, .kdc, .key, .kf, .kpdx, .kwm, .laccdb, .layout, .lbf, .lck, .ldf, .lit, .litemod, .log, .lrf, .ltx, .lua, .lvl, .m, .m2, .m2ts, .m3u, .m3u8, .m4a, .m4p, .m4u, .m4v, .map, .max, .mbx, .mcmeta, .md, .mdb, .mdbackup, .mdc, .mddata, .mdf, .mdi, .mef, .menu, .mfw, .mid, .mkv, .mlb, .mlx, .mmw, .mny, .mos, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .mpp, .mpqge, .mrw, .mrwref, .msg, .myd, .nc, .ncf, .nd, .ndd, .ndf, .nef, .nk2, .nop, .nrw, .ns2, .ns3, .ns4, .nsd, .nsf, .nsg, .nsh, .ntl, .nvram, .nwb, .nx2, .nxl, .nyf, .oab, .obj, .odb, .odc, .odf, .odg, .odm, .odp, .ods, .odt, .ogg, .oil, .orf, .ost, .otg, .oth, .otp, .ots, .ott, .p12, .p7b, .p7c, .pab, .pages, .pak, .pas, .pat, .pcd, .pct, .pdb, .pdd, .pdf, .pef, .pem, .pfx, .php, .pif, .pkpass, .pl, .plb, .plc, .plt, .plus_muhd, .pmd, .png, .po, .pot, .potm, .potx, .ppam, .ppj, .ppk, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prf, .prproj, .ps, .psafe3, .psd, .psk, .pst, .ptx, .pwm, .py, .qba, .qbb, .qbm, .qbr, .qbw, .qbx, .qby, .qcow, .qcow2, .qdf, .qed, .qic, .r3d, .ra, .raf, .rar, .rat, .raw, .rb, .rdb, .re4, .rgss3a, .rim, .rm, .rofl, .rtf, .rvt, .rw2, .rwl, .rwz, .s3db, .safe, .sas7bdat, .sav, .save, .say, .sb, .sd0, .sda, .sdf, .ses, .shx, .sid, .sidd, .sidn, .sie, .sis, .sldasm, .sldblk, .sldm, .sldprt, .sldx, .slm, .snx, .sql, .sqlite, .sqlite3, .sqlitedb, .sr2, .srf, .srt, .srw, .st4, .st5, .st6, .st7, .st8, .stc, .std, .sti, .stl, .stm, .stw, .stx, .sum, .svg, .swf, .sxc, .sxd, .sxg, .sxi, .sxm, .sxw, .syncdb, .t12, .t13, .tap, .tax, .tex, .tga, .thm, .tif, .tlg, .tor, .txt, .upk, .v3d, .vbox, .vcf, .vdf, .vdi, .vfs0, .vhd, .vhdx, .vmdk, .vmsd, .vmx, .vmxf, .vob, .vpk, .vpp_pc, .vtf, .w3x, .wab, .wad, .wallet, .wav, .wb2, .wma, .wmo, .wmv, .wotreplay, .wpd, .wps, .x11, .x3f, .xf, .xis, .xla, .xlam, .xlk, .xll, .xlm, .xlr, .xls, .xlsb, .xlsb3dm, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .xxx, .ycbcra, .yuv, .zip, .ztmp

Thereafter, the ransomware looks for files that match the certain extensions and starts encrypting files with AES-256 encryption. Once a file is encrypted with Popcorn Time, it appends .filock as its extension. For instance if a file name is ‘abc.docx’ then it would be changed to ‘abc.docx.filock’. When the infection is undertaken successfully, it converts two base64 strings and save them as ransom notes called restore_your_files.html and restore_your_files.txt. Thereafter, the ransomware exhibits HTML ransom note.

image source: bleepingcomputer.com

Protection Against Ransomware

While no detector or ransomware remover has been developed until now that can help user after have been infected with it, however, users are recommended to take precautionary measures to avoid ransomware attack. Foremost amongst all is to take backup of your data. Subsequently, you can also ensure safe surfing on internet, enable ad block extension, keep an authentic anti-malware tool and also timely update software, tools, apps and program installed on your system. Apparently, you need to rely on reliable tools for the same. One such tool is Right Backup which is a cloud storage solution. It helps you save your data on cloud security with 256-bit AES encryption.

Leave a comment