Victims Offered A Criminal Choice by “Popcorn Time” Ransomware

New methods of spreading ransomware are constantly being developed; however, a new ransomware variant discovered by MalwareHunterTeam researchers called “Popcorn Time” appears to use tactics that have never before been seen.

When Popcorn Time ransomware has infected a victims device they are given a choice between two options: They can pay the ransom and thereby regain access to their encrypted files, or, rather more unusually, they can opt to obtain the decryption key for free. Free? Not exactly. The second option is that they must agree to spread the ransomware and infect at least 2 other computers, giving the attackers a two for one deal. Two ransom payments may ultimately be paid instead of one.

Even if the initial victim complies with the requirements of option 2 (i.e. to infect two more computers) there is no guarantee that the attackers will honour their offer. The encrypted files could remain locked and the attackers may ultimately receive 3 ransom payments rather than only one.

A victim who knowingly spreads the ransomware in order to avoid paying a ransom demand commits a crime. Victims may save themselves the cost of paying the 1 Bitcoin ransom payment (approximately $780) but should their actions be discovered by police, a subsequent criminal prosecution may prove to be far more costly.

Another peculiarity of Popcorn Time ransomware is that victims might be punished for entering a decryption key that is incorrect. The version captured by MalwareHunterTeam does not include the code for deleting files, however messages will be displayed to victims which indicate that files are going to be deleted should they continue to attempt to guess the decryption key. Following four incorrect attempts the attackers might permanently delete every one of the encrypted files. Whether or not the code will be added when the Popcorn Time ransomware is finished remains unknown.

The ransomware encrypts files that have been saved to the My Documents folder, My Pictures, My Music, and Desktop folders and then locks them employing AES-256 encryption. Victims have one week from the date of infection to make their decision.

The folders and files that are encrypted would appear to indicate that Popcorn ransomware was developed in order to target private individuals rather than companies or large organisations. That said, it should be noted that the ransomware is still being developed and additional file locations could well be added to later versions.

Twitter Facebook LinkedIn Reddit Copy link Link copied to clipboard
Photo of author

Posted by

Emma Taylor

Emma Taylor is the contributing editor of Defensorum. Emma started on Defensorum as a news writer in 2017 and was promoted to editor in 2022. Emma has written and edited several hundred articles related to IT security and has developed a deep understanding of the sector. You can follow Emma on and contact Emma at