Yesterday a new in-development ransomware was discovered by MalwareHunterTeam called Popcorn Time that intends to give victim's a very unusual, and criminal, way of getting a free decryption key for their files.  With Popcorn Time, not only can a victim pay a ransom to get their files back, but they can also try to infect two other people and have them pay the ransom in order to get a free key.

To make matters worse, there is unfinished code in the ransomware that may indicate that if a user enters the wrong decryption key 4 times, the ransomware will start deleting files.

It should be noted, that this ransomware is not related to the Popcorn Time application that downloads and streams copyrighted movies.

Want a free decryption key? Just be a scumbag!

In a move that sets a new level of scumbaggery than we have seen with other ransomware infections, the Popcorn Time developer offers a "nasty way" for a victim to get a free decryption key; by having victims help spread the ransomware. If two people become infected via the victim's "referral" link" and pay the ransom, then the victim will supposedly get a free key.

To facilitate this, the Popcorn Time ransom note will contain a URL that points to a file located on the ransomware's TOR server. At this time the server is down, so it is unsure how this file will appear or be disguised in order to trick people to install it.

Popcorn Time Referral URL
Popcorn Time Referral URL

Enter the wrong decrypt code 4 times and you files may be deleted

When Popcorn Time is executed it will display a lock screen as shown below, but filled in with various information relating to your particular installation.  For example, [UID] will be replaced with the victim's unique ID and the [WADDRESS] field will be replaced with the bitcoin address you should send payment too.

There is also a field where a victim can enter the decryption code that will be given to them if they pay the ransom.

Popcorn Time Screen
Popcorn Time Screen

The source code for this ransomware indicates that the developer may add a function that deletes a victim's files if you enter the wrong decrypt code 4 times.

Delete Files Source Code
Delete Files Source Code

Since the ransomware is still in development, it is unknown whether this is just a scare tactic or if the code for deleting files will eventually be added. As this developer has already sunken to new lows by offering the chance of free decryption keys to those who help spread the ransomware, it would not be surprising if this feature was added.

How the Popcorn Time Ransomware Encrypts a Computer

Once started, the Popcorn Time ransomware will check to see if the ransomware has been run already by checking for various files such as %AppData%\been_here and %AppData%\server_step_one. If the been_here file exists, it means the computer has already been encrypted and the ransomware will terminate itself. Otherwise, it will either download various images to use as backgrounds or start the encryption process.

As this ransomware is currently in development, it only targets a test folder on the victim's desktop called Efiles (see update below). It will search this folder for files that match certain extensions and then encrypt them using AES-256 encryption. When a file is encrypted it will have the .filock extension appended to it. So a file called test.jpg would be encrypted as test.jpg.filock.

Update 12/9/16: The ransomware has been updated to encrypt files located in My Documents, My Pictures, My Music, and the desktop.

The targeted extensions are:

.1cd, .3dm, .3ds, .3fr, .3g2, .3gp, .3pr, .7z, .7zip, .aac, .aaf, .ab4, .accdb, .accde, .accdr, .accdt, .ach, .acr, .act, .adb, .adp, .ads, .aep, .aepx, .aes, .aet, .agdl, .ai, .aif, .aiff, .ait, .al, .amr, .aoi, .apj, .apk, .arch00, .arw, .as, .as3, .asf, .asm, .asp, .aspx, .asset, .asx, .atr, .avi, .awg, .back, .backup, .backupdb, .bak, .bar, .bay, .bc6, .bc7, .bdb, .bgt, .big, .bik, .bin, .bkf, .bkp, .blend, .blob, .bmd, .bmp, .bpw, .bsa, .c, .cas, .cdc, .cdf, .cdr, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cdx, .ce1, .ce2, .cer, .cfg, .cfr, .cgm, .cib, .class, .cls, .cmt, .config, .contact, .cpi, .cpp, .cr2, .craw, .crt, .crw, .cs, .csh, .csl, .css, .csv, .d3dbsp, .dac, .dar, .das, .dat, .dazip, .db, .db0, .db3, .dba, .dbf, .dbx, .db_journal, .dc2, .dcr, .dcs, .ddd, .ddoc, .ddrw, .dds, .der, .des, .desc, .design, .dgc, .dir, .dit, .djvu, .dmp, .dng, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .drf, .drw, .dtd, .dwg, .dxb, .dxf, .dxg, .easm, .edb, .efx, .eml, .epk, .eps, .erbsql, .erf, .esm, .exf, .fdb, .ff, .ffd, .fff, .fh, .fhd, .fla, .flac, .flf, .flv, .flvv, .forge, .fos, .fpk, .fpx, .fsh, .fxg, .gdb, .gdoc, .gho, .gif, .gmap, .gray, .grey, .groups, .gry, .gsheet, .h, .hbk, .hdd, .hkdb, .hkx, .hplg, .hpp, .htm, .html, .hvpl, .ibank, .ibd, .ibz, .icxs, .idml, .idx, .iff, .iif, .iiq, .incpas, .indb, .indd, .indl, .indt, .inx, .itdb, .itl, .itm, .iwd, .iwi, .jar, .java, .jnt, .jpe, .jpeg, .jpg, .js, .kc2, .kdb, .kdbx, .kdc, .key, .kf, .kpdx, .kwm, .laccdb, .layout, .lbf, .lck, .ldf, .lit, .litemod, .log, .lrf, .ltx, .lua, .lvl, .m, .m2, .m2ts, .m3u, .m3u8, .m4a, .m4p, .m4u, .m4v, .map, .max, .mbx, .mcmeta, .md, .mdb, .mdbackup, .mdc, .mddata, .mdf, .mdi, .mef, .menu, .mfw, .mid, .mkv, .mlb, .mlx, .mmw, .mny, .mos, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .mpp, .mpqge, .mrw, .mrwref, .msg, .myd, .nc, .ncf, .nd, .ndd, .ndf, .nef, .nk2, .nop, .nrw, .ns2, .ns3, .ns4, .nsd, .nsf, .nsg, .nsh, .ntl, .nvram, .nwb, .nx2, .nxl, .nyf, .oab, .obj, .odb, .odc, .odf, .odg, .odm, .odp, .ods, .odt, .ogg, .oil, .orf, .ost, .otg, .oth, .otp, .ots, .ott, .p12, .p7b, .p7c, .pab, .pages, .pak, .pas, .pat, .pcd, .pct, .pdb, .pdd, .pdf, .pef, .pem, .pfx, .php, .pif, .pkpass, .pl, .plb, .plc, .plt, .plus_muhd, .pmd, .png, .po, .pot, .potm, .potx, .ppam, .ppj, .ppk, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prf, .prproj, .ps, .psafe3, .psd, .psk, .pst, .ptx, .pwm, .py, .qba, .qbb, .qbm, .qbr, .qbw, .qbx, .qby, .qcow, .qcow2, .qdf, .qed, .qic, .r3d, .ra, .raf, .rar, .rat, .raw, .rb, .rdb, .re4, .rgss3a, .rim, .rm, .rofl, .rtf, .rvt, .rw2, .rwl, .rwz, .s3db, .safe, .sas7bdat, .sav, .save, .say, .sb, .sd0, .sda, .sdf, .ses, .shx, .sid, .sidd, .sidn, .sie, .sis, .sldasm, .sldblk, .sldm, .sldprt, .sldx, .slm, .snx, .sql, .sqlite, .sqlite3, .sqlitedb, .sr2, .srf, .srt, .srw, .st4, .st5, .st6, .st7, .st8, .stc, .std, .sti, .stl, .stm, .stw, .stx, .sum, .svg, .swf, .sxc, .sxd, .sxg, .sxi, .sxm, .sxw, .syncdb, .t12, .t13, .tap, .tax, .tex, .tga, .thm, .tif, .tlg, .tor, .txt, .upk, .v3d, .vbox, .vcf, .vdf, .vdi, .vfs0, .vhd, .vhdx, .vmdk, .vmsd, .vmx, .vmxf, .vob, .vpk, .vpp_pc, .vtf, .w3x, .wab, .wad, .wallet, .wav, .wb2, .wma, .wmo, .wmv, .wotreplay, .wpd, .wps, .x11, .x3f, .xf, .xis, .xla, .xlam, .xlk, .xll, .xlm, .xlr, .xls, .xlsb, .xlsb3dm, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .xxx, .ycbcra, .yuv, .zip, .ztmp

While encrypting the files, it will display a screen that pretends to be the installation of the program.

Fake Installation Screen
Fake Installation Screen

When the infection has finished encrypting a computer it will convert two base64 strings and save them as ransom notes called restore_your_files.html and restore_your_files.txt. It will then automatically display the HTML ransom note.

HTML Ransom Note
HTML Ransom Note

As already stated, this ransomware is currently in development, so many things may change over time.  As this ransomware develops, we will release new information.

Files associated with the Popcorn Time Ransomware

restore_your_files.html		
restore_your_files.txt
popcorn_time.exe

Registry entries associated with the Popcorn Time Ransomware

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Popcorn_Time" [path_to]\popcorn_time.exe

Network Communication associated with the Popcorn Time Ransomware

https://3hnuhydu4pd247qb.onion
http://popcorn-time-free.net

Installer Hashes

SHA256: fd370e998215667c31ae1ac6ee81223732d7c7e7f44dc9523f2517adffa58d51