Ransomware - Popcorn Time

Popcorn Time
Decryptor Available
No
Description

This ransomware was discovered by @malwrhunterteam near the end of November 2016. The ransomware is self-named. Both the file name "Popcorn_Time.exe" and the debug path denote this as "popcorn time," and the website it reaches out to includes the same name. Upon execution, the ransomware invokes a modal that appears over all other windows on the Desktop and shows that it is "Downloading and Installing" something. It's uncertain if this is to make it look like a legitimate application, but if you see such a modal, it's likely already too late. Popcorn Time drops two ransomware notes - restore_your_files.txt and restore_your_files.html. It also drops another text file in the user's AppData/Roaming folder titled "if_you_delete_you_lose_your_files.txt" and is comprised of one string, a random 32-character alphanumeric sequence. It is unknown what this is used for.

The ransomware operators state that they are from Syria, so we've labeled the threat actors to be from there. However, there's a good chance this is untrue, and it's another mechanism to entice victims to pay the ransom. Speaking of the ransom, the Popcorn Time operators demanded a 1 Bitcoin (BTC) ransom, which, at the time of compilation of the samples, was roughly $750, give or take a few dollars. To further blackmail victims, the ransom note and corresponding modal give victims seven days to pay the ransom, or the data will be lost forever. Interestingly, Popcorn Time offers a unique approach that allows victims not to have to pay the ransom. We call this mechanism an "Affiliate Program" because a victim can share a TOR link provided by the operators that contain the Popcorn Time encryptor, and the victim can share this link with at least two others. Suppose the victim can get two others to download and run the ransomware, thereby becoming Popcorn Time victims. In that case, the operators will allegedly provide the victim with a decryption key.

The ransomware uses AES-256-CBC to encrypt files and appends extensions: ".filock' and 'kok.' It is written in C# (.NET) and shares similarities with the open-source ransomware called Hidden Tear. This is another example of ransomware authors creating ransomware for "educational purposes" gone awry. This is another addition to a long list of Hidden Tear derivatives and others like it.

Ransom Notes derived from @malwrhunterteam 1 2.

Ransomware Type
Crypto-Ransomware
Country of Origin
Syria
First Seen
Last Seen
Lineage
Extortion Types
Affiliate Program
Data Russian Roulette
Direct Extortion
Extortion Timeout
Extortion Amounts
Amount
1BTC($750)
Encryption
Type
Symmetric
Files
AES-256-CBC
Crypto Wallets
Blockchain Type
Crypto Wallet
BTC
1LEiPgvh6S9VEXWV2dZTytSRd7e9B1bWt3
File Extension
<file name>.kok
<file name>.filock
Ransom Note Name
restore_your_files.txt
restore_your_files.html
Samples (SHA-256)
309e4200700bc9fe99a624dc3e2c0b2f305c65b1739de97a67c6126a55e199fe
31d633173d9ccf0b965ca3d620b1597f353b0aa151d846a927ef2f0bd92a7cbb
5f79f41ff185debedb77ab520b99b4a27f91d3c935bdddcae0ddfe71e2c10b0b
ac14ef9548440238b903dc11480d653f83badc99392758da3fa90a1127d86313
fd370e998215667c31ae1ac6ee81223732d7c7e7f44dc9523f2517adffa58d51