‘Refer a Friend’ Ransomware Program

A new, under-development ransomware called Popcorn Time has a “refer a friend” option meant to appeal to the victim’s worst instincts.

Popcorn Time lock screen
All graphics in this article are courtesy Bleeping Computer, LLC. Used with permission.


If you need any proof that malware is a business much like any other — with the big exception that it’s illegal — all you have to do is look at the latest ploy being used by the currently-in-development ransomware called Popcorn Time that was discovered December 7 by MalwareHunterTeam. The folks behind the malware are incorporating a scheme to drum up business that’s directly from a Marketing 101 textbook.

If Popcorn Time grabs a computer and encrypts its files, the hapless victim is offered two choices to get the data returned to its pristine state. One is the traditional method — the authors of the malware call it “the fast and easy way” — of paying a ransom of a Bitcoin, which is about $773 at the current rate. If the price is too steep for the victim’s pocketbook, there’s another option that the malware authors call “the nasty way,” which is a new twist on the tried-and-true “refer a friend” promotions that have been used by legitimate businesses forever.

“Send the link below to other people,” the malware instructs. “If two or more people will install this file and pay, we will decrypt your files for free.”

Popcorn Time refer a friend

Voila! You are now a botnet, manually sending emails containing a malicious payload to everyone who trusts you.

The link points to a file located on a Tor server, but according to Lawrence Abrams at Bleeping Computer, the site is currently offline, so it remains to be determined what method the file uses to trick users into installing it.

Victims should think twice about searching around on the Internet to try potential unlock codes. Again according to Abrams, the source code “indicates that the developer may add a function that deletes a victim’s files if you enter the wrong decrypt code four times.”

The current lock screen (shown at the top of this article) doesn’t indicate this function, but I expect that if the feature is implemented it will, as that would offer another incentive for the victim to either cough up a Bitcoin or start throwing friends under the bus.

Popcorn Time ransom note

Once Popcorn Time is “officially” released, it will be interesting to see how well this malicious affiliate marketing scheme pays off for the black hats behind it. My guess is that at first it will. The “refer a friend” enticement might have a short life, however. Everyday computer users just trying to get their data back won’t be good at covering their tracks, and knowingly sending malware is a crime in most jurisdictions. After a couple of publicized arrests, the option will lose its appeal.

One Comment

  1. nonya nonya December 14, 2016

    Ransomware like this is only one of many reasons to have backups!
