Ransomware - Popcorn Time

Popcorn Time
Decryptor Available

This ransomware was discovered by @malwrhunterteam near the end of November 2016. The ransomware is self-named: both the file name "Popcorn_Time.exe" and the debug path identify it as "popcorn time," and the website it reaches out to carries the same name. Upon execution, the ransomware opens a modal window that stays on top of all other windows on the Desktop and reports that it is "Downloading and Installing" something. It is uncertain whether this is meant to make it look like a legitimate application, but if you see such a modal, it is likely already too late. Popcorn Time drops two ransom notes, restore_your_files.txt and restore_your_files.html. It also drops a further text file in the user's AppData/Roaming folder, titled "if_you_delete_you_lose_your_files.txt", that consists of a single string: a random 32-character alphanumeric sequence. What this string is used for is unknown.

The ransomware operators state that they are from Syria, so we have labeled the threat actors as originating there. However, there is a good chance this is untrue and is simply another mechanism to entice victims to pay the ransom. Speaking of the ransom, the Popcorn Time operators demanded 1 Bitcoin (BTC), which, at the time the samples were compiled, was roughly $750, give or take a few dollars. To further pressure victims, the ransom note and the corresponding modal give victims seven days to pay, or the data will be lost forever. Interestingly, Popcorn Time offers a unique way for victims to avoid paying. We call this mechanism an "Affiliate Program": the operators provide the victim with a Tor link that serves the Popcorn Time encryptor, and the victim is told to share this link with at least two other people. If the victim can get two others to download and run the ransomware, thereby becoming Popcorn Time victims themselves, the operators will allegedly provide the original victim with a decryption key.

The ransomware uses AES-256-CBC to encrypt files and appends the extensions ".filock" and ".kok" to them. It is written in C# (.NET) and shares similarities with the open-source ransomware called Hidden Tear. This is another example of ransomware written for "educational purposes" gone awry, and one more addition to the long list of Hidden Tear derivatives and similar projects.
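The host indicators described above (the two ransom note names, the ".filock" and ".kok" extensions, and the AppData/Roaming marker file holding a single 32-character alphanumeric string) lend themselves to a simple triage scan. The following is an added example, not code from the original page or from the @malwrhunterteam analysis: it walks a directory tree and groups matching files by indicator. The sample tree built in `build_sample_tree()` is constructed for the demonstration; the function and label names are this example's own.

```python
"""Triage scanner for the Popcorn Time host indicators described in the text.

Added example (not from the original page). It reports:
  * ransom notes restore_your_files.txt / restore_your_files.html
  * files carrying the ".filock" or ".kok" extension
  * the marker file if_you_delete_you_lose_your_files.txt whose entire
    content is one 32-character alphanumeric string
"""
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

RANSOM_NOTE_NAMES = {"restore_your_files.txt", "restore_your_files.html"}
ENCRYPTED_EXTENSIONS = {".filock", ".kok"}
MARKER_NAME = "if_you_delete_you_lose_your_files.txt"
# The page describes the marker content as a random 32-char alphanumeric string.
MARKER_PATTERN = re.compile(r"^[A-Za-z0-9]{32}$")


def classify(path: Path) -> Optional[str]:
    """Return an indicator label for one file, or None if nothing matches."""
    name = path.name.lower()
    if name in RANSOM_NOTE_NAMES:
        return "ransom_note"
    if path.suffix.lower() in ENCRYPTED_EXTENSIONS:
        return "encrypted_file"
    if name == MARKER_NAME:
        try:
            content = path.read_text(encoding="utf-8").strip()
        except (OSError, UnicodeDecodeError):
            return "marker_file_unreadable"
        if MARKER_PATTERN.match(content):
            return "marker_file"
        # Same file name but content that does not fit the description:
        # still worth a look, but flagged separately.
        return "marker_file_unexpected_content"
    return None


def scan(root) -> Dict[str, List[str]]:
    """Walk `root` and group matching paths (relative, POSIX form) by label."""
    root = Path(root)
    hits: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            p = Path(dirpath) / fname
            label = classify(p)
            if label:
                hits.setdefault(label, []).append(p.relative_to(root).as_posix())
    for paths in hits.values():
        paths.sort()
    return hits


def build_sample_tree(root) -> None:
    """Create a constructed sample directory (not real victim data) for the demo."""
    root = Path(root)
    docs = root / "Users" / "alice" / "Documents"
    docs.mkdir(parents=True)
    (docs / "report.docx.filock").write_bytes(b"\x00" * 16)   # constructed
    (docs / "photo.jpg.kok").write_bytes(b"\x00" * 16)        # constructed
    (docs / "notes.txt").write_text("plain, untouched file")  # benign control
    (docs / "restore_your_files.txt").write_text("constructed note body")
    (docs / "restore_your_files.html").write_text("<html>constructed</html>")
    roaming = root / "Users" / "alice" / "AppData" / "Roaming"
    roaming.mkdir(parents=True)
    # Constructed 32-character alphanumeric marker value.
    (roaming / MARKER_NAME).write_text("a1B2c3D4e5F6g7H8i9J0k1L2m3N4o5P6")


def demo() -> Dict[str, List[str]]:
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan(tmp)


if __name__ == "__main__":
    for label, paths in sorted(demo().items()):
        print(f"{label}:")
        for p in paths:
            print(f"  {p}")
```

Running `scan()` against a mounted disk image or a user profile gives a quick first pass; the benign `notes.txt` in the constructed tree shows that untouched files are ignored, and the marker file is only accepted as a match when its content actually fits the 32-character description.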

Ransom notes sourced from @malwrhunterteam [1][2].

Ransomware Type:
Country of Origin: Syria (as claimed by the operators)
First Seen: November 2016
Last Seen:
Extortion Types: Affiliate Program, Data Russian Roulette, Direct Extortion, Extortion Timeout
Extortion Amounts: 1 BTC ($750)
Crypto Wallets (Blockchain Type / Crypto Wallet):
File Extension: <file name>.kok, <file name>.filock
Ransom Note Name: restore_your_files.txt, restore_your_files.html
Samples (SHA-256):