Ransomware and Ponzi Scheme: A nasty combo of malware

The message that gets displayed after PopCorn Time malware gets installed

Popcorn Time is a new breed of malware that combines the WannaCry virus with a Ponzi, or pyramid, scheme. It is a ransomware variant that increases its infections by offering the affected user a pyramid-scheme-style discount for attacking other people.

For instance, once your computer is affected by Popcorn Time and locked by the ransomware, the hackers ask you to forward the malware link to two other people; once those two pay the ransom, your files are decrypted for free.

Note: The malware uses the name of the torrenting site Popcorn Time but has no connection to the torrenting app.

When Was It Discovered?

The nasty scheme was first discovered in December 2016 by a team of security researchers at MalwareHunterTeam. “Popcorn Time” was “a very unusual, and criminal, way for users to get a free decryption key for their files”, wrote Lawrence Abrams of Bleeping Computer.

MalwareHunterTeam lets affected users “upload a ransom note and/or sample encrypted file to identify the ransomware that has encrypted their data”.

Who’s Behind The Malware?

The message being displayed after Popcorn Time attacks a computer shows that it is controlled by a group of computer science students from war-torn Syria. The message reads “Be perfectly sure that the money we get goes toward food, medicine, and shelter to our people. We are extremely sorry we are forcing you to pay but that’s the only way we can go on living.”

Message posing to show who’s behind the malware

How Does The Malware Work?

Bleeping Computer explains the process:

  • Once executed, the “Popcorn Time” malware displays a lock screen on the infected user’s computer.
  • Upon starting, the code checks whether the ransomware has already been run. It does so by checking for files such as:
    • %AppData%\been_here
    • %AppData%\server_step_one
  • Once it is confirmed that this is a new target, the malware downloads various images to be used as backgrounds and starts the encryption process.
  • It targets the EFiles folder on the desktop and encrypts the files using AES-256 encryption.

The ransomware-cum-Ponzi scheme infects a computer in the same way as ordinary ransomware. The major difference is that the infected user is recruited to forward the malware link to two more people; once those two install the infected files, the first victim gets their files back for free without having to pay the ransom.
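The indicators above, turned into a defender's host triage check (an added example, not code from the article or from Bleeping Computer): it looks for the two %AppData% marker files and flags files under the desktop EFiles folder whose content looks like ciphertext. The 7.5 bits/byte entropy threshold and the constructed sample profile are assumptions made for this example.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Marker files the article says the malware drops in %AppData% to detect a prior run.
MARKER_FILES = ("been_here", "server_step_one")
# Desktop folder the article says the sample encrypts.
TARGET_FOLDER = "EFiles"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: AES-256 ciphertext sits near 8.0, ordinary documents well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(appdata: Path, desktop: Path, entropy_threshold: float = 7.5) -> dict:
    """Report the article's markers plus EFiles members whose content looks encrypted.

    The 7.5 bits/byte threshold is an assumption for this example, not from the article.
    """
    markers = [m for m in MARKER_FILES if (appdata / m).exists()]
    high_entropy = []
    target = desktop / TARGET_FOLDER
    if target.is_dir():
        for f in target.rglob("*"):
            if f.is_file():
                sample = f.read_bytes()[:65536]  # head of the file is enough to judge
                if len(sample) >= 64 and shannon_entropy(sample) >= entropy_threshold:
                    high_entropy.append(f.name)
    return {"markers": markers, "high_entropy_files": sorted(high_entropy),
            "infected": bool(markers)}


def demo() -> dict:
    """Constructed profile: one marker, one random-byte 'document', one plain-text note."""
    root = Path(tempfile.mkdtemp())
    appdata, efiles = root / "AppData", root / "Desktop" / TARGET_FOLDER
    appdata.mkdir()
    efiles.mkdir(parents=True)
    (appdata / "been_here").write_text("")
    (efiles / "report.docx").write_bytes(os.urandom(4096))  # stands in for ciphertext
    (efiles / "notes.txt").write_bytes(b"plain text, nothing encrypted here\n" * 50)
    return triage(appdata, root / "Desktop")


if __name__ == "__main__":
    print(demo())  # on a real host, pass %APPDATA% and the Desktop path to triage()
```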

What to do about it?

The two most important steps you can take are to back up your data and avoid suspicious downloads.

Nasty hackers keep inventing new ways of breaking into systems and robbing people of their valuable data and money. Another recent malware was spread using movie subtitles, whereby vulnerabilities found in four popular streaming platforms, i.e. VLC, Kodi (XBMC), Popcorn-Time and strem.io, were used to mount cyber attacks and threaten millions of users worldwide.
