Popcorn – A Different Kind of Ransomware

Ransomware, as I have said in past talks and blog posts, is really nasty stuff.  And it is morphing.

First came vanilla ransomware.  We encrypt your files, you pay the ransom, we give you the key to decrypt it (usually) and most of the time (but not always) the decryption process works as described.  There is no guarantee that you won’t get reinfected or that the bad guys didn’t send a copy of your files to Outer Slovokia before encrypting them but most of the time, it works.

Now the variants – not in any particular order:

Nukeware – with nukeware you get a similar screen to ransomware saying that your files are encrypted and if you pay the ransom you will get them back, but, in reality, they have wiped your hard disk and no matter what, you are not getting your files back – at least not from the hackers.

Next comes Extortionware – with extortionware the bad guys understand that you might have a backup copy of your data and might tend to thumb your nose at them and not pay, but they have a great solution to that.  In this case they DO make a copy of your files and send them to Outer Slovokia.  The sting goes like this.  You have xx hours to pay the ransom (typically 48-96 hours).  If you don’t (because you have good backups), we will start leaking your private data on the web.  Whether these are pictures of you and your friends in their birthday suits or financial records or your email or confidential client files, you likely have stuff that you don’t want to show up on the web.  Even if you can get the stuff taken down, it likely will be seen and saved and reposted.  Imagine what would happen if someone posted Trump’s tax returns.  Sure Trump would get it taken down, but on how many other sites would it reappear – some likely out of reach of U.S. law.

This is a good time to point out that not all ransomware is fatal – although you rarely know if all of the hooks the bad guys attached are really gone.  One web site that can help tell you whether all is lost if you don’t have good backups is https://www.NoMoreRansom.org .  At this site you can upload some information and they will try to tell you what the ransomware is and if it is reversible.  This site is sponsored by Europol (the EU police) and some of the big security software companies.   Still, most ransomware is not easily reversible and you either have good backups, pay up or lose your data.

Now the new variant.

Popcorn encrypts your files like other ransomware.  They, at the moment, want one Bitcoin to free your data (about $950).

However, they offer you an option to get your files back for free. Seems nice.

Only it is not so nice.

They give you a unique link to send to your friends. If your friends click on it, their computers will be infected by the Popcorn ransomware.

If AT LEAST TWO of your friends pay the ransom, the hackers will unlock your files for free.  Sort of a get-out-of-jail-free card for you.

Let’s assume you have a bit of evil in you and you send it to people who are, let’s say, not exactly your friends.  Well, maybe you won’t be sad if they get infected.

Of course, if you do it in a way that is traceable to you, you might get a visit from the local constabulary.  If you do it in a way that is not traceable to you, your friends are less likely to click on the link.  Of course, if you send this to your enemies, they probably won’t click on it anyway.

Still, it shows that the ransomware purveyors are certainly entrepreneurial.

Here is a screenshot of what one version of Popcorn shows after your computer is infected:

Their alternative to paying is creative.  Still backups and keeping them out in the first place are much better options.

Information for this post came from Wired.
