Yes, this new technique has been employed by cyber criminals with the latest round of ransomware threat, dubbed Popcorn Time.
Initially discovered by MalwareHunterTeam, the new Popcorn Time Ransomware has been designed to give the victim’s a criminal way of getting a free decryption key for their encrypted files and folders.
Popcorn Time works similar to other popular ransomware threats, such as the Crysis Ransomware and TeslaCrypt, that encrypt various data stored on the infected computer and ask victims to pay a ransom amount to recover their data.
But to get their important files back, Popcorn Time gives victims option to pay a ransom to the cyber criminal or infect two other people and have them pay the ransom to get a free decryption key.
If the ransom is not paid within this duration, the decryption key will be permanently deleted and retrieve important files will become impossible.
Moreover, the code of the ransomware is incomplete that may indicate that if victims enter the wrong decryption key four times, the Popcorn Time ransomware will start deleting victims’ files.
Here’s How the Popcorn Time Ransomware Threat Works:
Once infected, the Popcorn Time Ransomware will check to see if the ransomware has been run already on the PC. If yes, the ransomware will terminate itself.
If not, the Popcorn Time Ransomware will either download various images to use as backgrounds or start encrypting the files using AES-256 encryption. The encrypted files will have the “.filock” or “.kok” extension appended to it.
While encrypting the data, the ransomware will display a fake screen that pretends to be the installation of the program.
Want a Free Decryption Key? Infect Two More People
The Popcorn Time author provides a “nasty way” for a victim to get the free decryption key: Spread the Ransomware to two other people via the victim’s “referral” link.”
If those two infected victims pay the ransom, then the first victim will supposedly get a free decryption key.
To make this possible, the ransom note contains a URL pointing to a file located on the Popcorn Time’s TOR server.
Entering Wrong Decryption Key 4 Times and You are Screwed Up!
When executed, the Popcorn Time ransomware will display a lock screen filled in with various information relating to victim’s particular installation.
The victim will also find a field where he/she can enter the decryption key given to them by the attacker after paying the ransom.
The source code for Popcorn Time contains a function that suggests the threat to delete files if the victim enters the wrong decryption code four times.
Since the Popcorn Time ransomware is still under development at the time of writing, many things are unclear and may change with time.