A ransomware family named Netix (RANSOM_NETIX.A) is targeting users who use special applications to access hacked Netflix accounts, locking their files and demanding a ransom payment of $100.

First discovered by Karsten Hahn of G Data and analyzed by the Trend Micro team, this ransomware is spread via an application named "Netflix Login Generator v1.1.exe," which when executed appears to provide the user with a Netflix username and password.

Netflix Login Generator v1.1.exe app
Netflix Login Generator v1.1.exe app (via Trend Micro)

These username and password combos never work, as the ransomware authors are just buying time to let the ransomware contained within the app perform its encryption.

According to researchers, the ransomware targets only 39 file types, which is less than most other ransomware families, and it only goes after the files located in the user's "C:\Users" folder alone, and not the entire hard drive. The following file types are targeted for encryption:

.ai, .asp, .aspx, .avi, .bmp, .csv, .doc, .docx, .epub, .flp, .flv, .gif, .html, .itdb, .itl, .jpg, .m4a, .mdb, .mkv, .mp3, .mp4, .mpeg, .odt, .pdf, .php, .png, .ppt, .pptx, .psd, .py, .rar, .sql, .txt, .wma, .wmv, .xls, .xlsx, .xml, .zip

Under the hood, when the user executes "Netflix Login Generator v1.1.exe," the file extracts and drops another file named "netprotocol.exe" on the user's machine, which it executes immediately.

This file is the actual Netix ransomware, which starts encrypting files with the AES-256 encryption algorithm, but only if the user's computer is running Windows 7 and Windows 10.

After the encryption process ends, the ransomware contacts an online server, where it sends the infection ID and other details, but from where it also downloads the ransom notes it displays on the user's machine.

The ransom notes are in the form of an image displayed as the user's desktop wallpaper, and a text file dropped on his PC.

Netix desktop wallpaper
Netix desktop wallpaper (via Trend Micro)
Netix ransom note
Netix ransom note (via Trend Micro)

The ransomware asks for $100 as payment in the Bitcoin digital currency and invites users to visit a website in order to pay the ransom and receive their decryption key.

Users can recognize Netix infections because the ransomware appends the .se extension at the end of all locked files.

Is it worth it?

"Does getting your important files encrypted worth the piracy?" the Trend Micro team asks.

The answer is obviously no. Compared to past years, Netflix is now available in over 190 countries, and a monthly subscription costs between $9 and $15, depending on your country.

Paying the $100 ransom to recover files locked by this threat is not a guarantee that users will get access back to their files neither, as many ransomware families come with bugs that make a recovery impossible in some cases.

Nowadays, crooks have understood that pirated apps are the easiest way to spread their payloads. You can be almost certain that any pirated app downloaded from torrent portals contains at least some sort of adware or infostealer, if not worse.