Ransomware Gives Free Decryption Keys to Victims Who Infect Others

Ransomware still under development called Popcorn Time forces victims to either pay the ransom, or try to infect other machines in exchange for the decryption key.

Researchers say they have uncovered ransomware still under development that comes with a novel and nasty twist.

Victims infected with the ransomware, known as Popcorn Time, can either pay up or opt to infect two others using a referral link. If the two new ransomware targets pay the ransom, the original target receives a free key to unlock files on their PC.

“I have never seen anything like this in ransomware. This is definitely a first,” said Lawrence Abrams, who runs BleepingComputer.com and who was first to report on the Popcorn Time ransomware.

Abrams examined the code Thursday after malware forensic experts at MalwareHunterTeam tweeted they had found the code on the Dark Web. The name Popcorn Time is not to be confused with the video content app that goes by the same name.

In his analysis of the ransomware, Abrams said it’s unclear how close the ransomware is to being deployed, if it will be at all. “The code is incomplete, some of the C2 servers are not working and there are important components not yet in place.”

More than 500 file types are targeted by the malware, which is configured to use AES-256 encryption to lock files with the .filock extension. According to screenshots obtained by MalwareHunterTeam and BleepingComputer.com, victims are given a week to pay the ransom or find new victims. The ransom note offers two options. There is the “fast and easy way” and “the nasty way.”

“We are sorry to say that your computer and your files have been encrypted, but wait, don’t worry. There is a way you can restore your computer and all of your files… Send the link below to other people, if two or more people will install the file and pay, we will decrypt your files for free.”


According to screenshots, the ransomware developers claim to be “a group of computer science students from Syria.” The note alleges that ransomware proceeds will go toward food, medicine and shelter for Syrians impacted by war. “We are extremely sorry that we are forcing you to pay,” the message reads.

The note demands 1 bitcoin (approximately $800). Victims are limited in the number of times they can input a decryption key. “There is unfinished code in the ransomware that may indicate that if a user enters the wrong decryption key four times, the ransomware will start deleting files,” Abrams wrote in a technical analysis.

The jury is still out as to how effective this strategy could be in finding new targets and making its authors money. “Will most people choose to break the law and try to infect other people? I guess not. But there is certainly a percentage of nasty people with low morals that will likely try it,” Abrams told Threatpost.

  • Rashid Ahmed on

    Simple fix. Open up two new email accounts, spin up two new Windows VMs, copy some backed up data onto the two new VMs, click on the links and let Popcorn Time do its nasty thing, get your decryption key.
    • henry on

      But the two new VMs will also have to pay the ransom before the original machine is set free.
    • Vilmos on

      At least 2 of the people you infected must pay. So this way you would need to pay 2 instead of 1 bitcoin :) Not a good workaround.
    • Not Infected on

      It says the victims also have to pay so it would cost 2 bitcoins instead of one...
    • Cernael on

      Won't work. Read the note again. You'll only get the decryption key if two or more people you've infected pay their ransom.
    • Brian Mc on

      Unfortunately the two referred installs must pay, according to the screenshot. So you've doubled your cost to free your files. :)
    • Reese on

      I thought that too, but the two people also have to pay before you get the key.
  • blah on

    You still have to pay on those two VMs to get your first key so it's an even bigger loss?
  • corey on

    Simple way to avoid it, just use Linux.
  • Grondo on

    Simple fix suggestion was just the third nasty option.
  • Josh on

    But if you open up four new email accounts, spin up four new Windows VMs, copy some backed up data onto the four new VMs, click on the links and let Popcorn Time do its nasty thing, then pay four ransoms, do both the two previously locked machines and the original locked machine all get the decryption key? That's how MLM malware should work... :-)
