New ransomware gives victims their files back – if they infect their friends
12 December 2016
Cyber criminals have developed a new type of ransomware that offers victims a way out - by infecting their contacts' computers.
Popcorn Time, brought to light by MalwareHunterTeam on Twitter, encrypts Windows computers' files and threatens to destroy them unless users pay one Bitcoin (£616).
However, unlike other ransomware threats, it promises to provide a decryption key if its victims send a malicious link to two other people who become infected and pay up.
If users do not pay the ransom or spread the malware, it deletes their files in seven days - although there is no guarantee that their data will be decrypted even if they comply.
The cyber criminals behind the attack claim to be Syrian, promising that money earned by the ransomware will go towards "food, medicine and shelter to those in need".
"We are extremely sorry that we are forcing you to pay but that's the only way that we can keep living," says the malware's ransom note, which is displayed to infected users.
“Popcorn Time is certainly an interesting new variant in the long line of ransomware we’ve seen emerging in recent years,” said Fraser Kyne, CTO for the EMEA region at Bromium. “The offer of a free decryption key for those that successfully infect two of their ‘friends’ is a particularly nasty touch for several reasons.
“Firstly, the cyber criminals are playing on the trust factor, knowing that people are much more likely to open an email or attachment that comes from somebody they know.
“However, even if both the secondary victims do fall into the trap, the likelihood of them both paying the ransom is pretty low, so the initial victim may have to spread the net far wider before they get the promised decryption key. When you do the maths on that, it’s pretty clear that Popcorn Time could spread like wildfire.
“For enterprises, as well as the threat of Popcorn Time locking up corporate data, there is also a huge reputational risk if it emerges that employees are spreading it to others via their work email. This is clearly a board-level concern, so CISOs should be looking at what safeguards they can put in place to prevent it.
“Employee awareness is of course vital, making everyone aware of the threat and outlining the steps to take if they are infected. However, with 70 per cent of threats introduced by users, experience tells us that there will always be one who didn’t get the memo.
“As such, it’s important to have a safety net such as micro-virtualisation in place to ensure that even if a user does become infected with Popcorn Time, it is restricted to an isolated environment and effectively neutralised, so there’s no need for that free decryption key.”