New Ransomware Offers The Decryption Keys If You Infect Your Friends (bleepingcomputer.com)
MalwareHunterTeam has discovered "Popcorn Time," a new in-development ransomware with a twist. Gumbercules!! writes:
"With Popcorn Time, not only can a victim pay a ransom to get their files back, but they can also try to infect two other people and have them pay the ransom in order to get a free key," writes Bleeping Computer. Infected victims are given a "referral code" and, if two people are infected by that code and pay up -- the original victim is given their decryption key (potentially).
While encrypting your files, Popcorn Time displays a fake system screen that says "Downloading and installing. Please wait" -- followed by a seven-day countdown clock for the amount of time left to pay its ransom of one bitcoin. That screen claims that the perpetrators are "a group of computer science students from Syria," and that "all the money that we get goes to food, medicine, shelter to our people. We are extremely sorry that we are forcing you to pay but that's the only way that we can keep living." So what would you do if this ransomware infected your files?
Easy (Score:4, Insightful)
Wipe and restore from backup. Nex!
Re: (Score:3, Insightful)
Seriously, they can probably weather the loss from the few people who are genuinely aware that you need to back this stuff up.
Re: (Score:2)
But since they don't, take their money anyway and tell them you couldn't recover their files. Only then are they ready to do backups.
Re: (Score:3)
If people backed up, that would be a good suggestion...
No it's the only suggestion.
If they didn't back up, then suggest it anyway, then berate the idiots for their stupidity.
Re: (Score:3)
I wonder if this might encrypt your backup while it's online though.
Re: (Score:2)
This happened to many businesses. Live backups mean live updates to files, which means all virus-infected files propagate to backups.
Offline backups, FTW.
Re: (Score:2)
ZFS also has SEND / RECEIVE to mirror snapshots to other ZFS installations on another machine. So yes, ZFS snapshots pretty much *ARE* proper backups when implemented correctly, without the need for any other utilities.
Re: (Score:2)
Re: (Score:2)
Unless your nightly backup process replaced the backups of all your files with the encrypted versions.
What if it replaced all your files with an mp3 of "Careless Whisper" then reported you to the RIAA?
Re: (Score:2)
Or replaced all of your .mp4s with Adam Sandler movies and reported you to the MPAA....
Re: (Score:2)
Or replaced all of your .mp4s with Adam Sandler movies and reported you to the MPAA....
See, if that was a virus it would just be funny. Not because of Adam Sandler though.
Re: (Score:2)
Unless your nightly backup process replaced the backups of all your files with the encrypted versions.
In which case it's not actually a backup but just a copy.
Thanks, you've provided a good example of the difference for future use.
Re: (Score:2)
Wipe and restore from backup. Nex!
First Assumption - Consumers actually put forth effort to run backups.
Second Assumption - Ransomware doesn't seek out and destroy backups.
Re: (Score:2)
Wipe and restore from backup. Nex!
First Assumption - Consumers actually put forth effort to run backups.
Second Assumption - Ransomware doesn't seek out and destroy backups.
Damn, there is no hope for anyone! Nothing can be done! We're all doomed, and the computer kids from this country are now our overlords!!
Re: (Score:2)
Wipe and restore from backup. Nex!
That's still a pain for a single day but any properly written ransomware could easily stay dormant long enough to either infect all your backups or make them old enough to be mostly worthless.
Re: (Score:2)
Re: (Score:2)
Hosts files aren't a universal fix, bro. Sometimes you just need to keep offline backups.
Re: (Score:2)
Black Mirror? Is that you? (Score:2)
Easy solution (Score:2, Funny)
1) my boss
2) my mother-in-law
I see this as a win-win-win situation.
Re: (Score:2)
1) my boss 2) my mother-in-law I see this as a win-win-win situation.
Ahhhh, so this is Step 3., before Profit!
Re: (Score:2)
And if a coworker or a relative you like gets infected, then tell them you can fix it with your tech skills, and put in the secret decryption code when they're not looking. So you'll either make $B$ or you'll be a hero.
been_here (Score:5, Interesting)
So, everyone should just make sure %AppData%\been_here and %AppData%\server_step_one exist? :)
What would I do? (Score:2)
Probably restore from last full backup. You do have backups, right?
All part of the scam. (Score:5, Insightful)
"a group of computer science students from Syria," and that "all the money that we get goes to food, medicine, shelter to our people. We are extremely sorry that we are forcing you to pay but that's the only way that we can keep living."
This is a brilliant twist on malware. These are not people from Syria but rather a story concocted to try and have you help them. It's basically an alternate version of the "Nigerian Prince" who needs money to bribe his captors to release him. Logically, a person in a warzone cannot exchange bitcoin for money or goods, which makes the whole thing implausible from the start. I would bet that when they tear the binary apart, they'll find that it's been compiled for the Russian locale.
So what would you do if this ransomware infected your files?
A) wipe your system
B) load Linux instead of Windows
C) restore files from backups
Re: (Score:2)
Of course these aren't computer students from Syria. It's remarkable that you're the only one pointing this out.
Re: (Score:2)
A) wipe your system
B) load Linux instead of Windows
C) restore files from backups
This is what I did back in 1997 when a Windows virus wiped out my hard disk. Sadly, I was a broke college student who didn't have the money to afford backups, so I lost everything. I had to start from scratch, anyway, so I started with Linux. I had dabbled with Linux on and off since 1993, but that Windows virus was the push I needed to commit to the switch. I've never regretted it.
Re: (Score:2)
Are you me? Nearly exact same scenario, except that Windows didn't need a virus to lose everything. It just needed to puke while backing up my files.
I rage-quit Windows and never looked back.
Best rage quit ever.
--
BMO
Re: (Score:2)
Re: (Score:2)
Linux malware is actually just the mindset of the people that use it
Just ask a random user what they think of systemd.
"Friends" (Score:2)
Do they mean "friends" or people I have in my address book? There's a difference; a very distinct one.
Re: (Score:2)
It's on Windows (Score:2)
Re: (Score:2)
Why isn't it mentioned anywhere the ransomware works on Windows and only on Windows? Is it to avoid another Windows-bashing? Or is it that obvious?
It has been pointed out. Then the Windows apologists start screaming about how it can be made to work on OSX and Linux.
Which isn't the point, because it's a Windows thing.
Re: (Score:2)
Because there's probably no positive or negative result entry in Wine AppDB.
i would just say (Score:2)
Popcorn Time? (Score:2)
Hey Guys, (Score:2)
Hey guys, any of you want to try out this fantastic new software I've just got, let me give you a link, you can download it for free.
Would this work without crypto-currency? (Score:2)
I have wondered about this for a while. These groups can't use cash due to it being easy to track in the mail and needing to receive the cash. They also can't do credit cards since that could be traced almost immediately and the account seized.
Does ransomware work on the scale it exists today or larger without crypto-currency? Right now I can't think of any way to have it work on a large scale without crypto-currency.
If ransomware really can't work without crypto-currency then this would have to be factored
What would I do? (Score:2)
"So what would you do if this ransomware infected your files?"
I'd restore from backups.
Re: (Score:2)
So what would you do if you discover that this ransomware has been slowly infecting your backups for the past several weeks?
Re: (Score:2)
So what would you do if you discover that this ransomware has been slowly infecting your backups for the past several weeks?
Then I'd go back further than several weeks.
My backups are separate, individualized, and not of the constantly online variety. Multiple separate drives, stored offsite, etc etc etc.
Re: (Score:2)
You're lucky if a few weeks isn't worth dramatically more than a Bitcoin (or perhaps unlucky).
A few weeks on my home PC wouldn't be worth shit.
My email is all online so that's not a worry; the rest of my stuff is backed up frequently enough so it's not a big deal. And yes, I go in and spot-check a few files from time to time so if they were being bunged up I'd (probably) know about it.
Even so, if my entire PC were to blow up or get stolen it's not like my life would come to an end. It would be a medium-sized inconvenience for a little while, but also a nice excuse to go out and buy a new one. :)
Two treats in one ... (Score:2)
Seems familiar... (Score:2)
Pyramid scheme? (Score:5, Funny)
Sounds a lot like a pyramid scheme -- this could be illegal.
What I would do if infected (Score:2)
So what would you do if this ransomware infected your files
Simple: I'd restore from my backups. Don't have backups? Then you are a fool.
Chmeee's Solution (Score:2)
So what would you do if this ransomware infected your files?
I would find considerable pleasure in hunting down the instigator.
Re:Well, then (Score:5, Insightful)
^ Ignore previous comment, I'm a doofus who didn't carefully read the summary, much less the article.
Re:Well, then (Score:4, Funny)
Phone Rings:
Creepy voice:"Seven days..."
Re: (Score:2)
I made the same exact mistake on another forum. I didn't see the "if the friends paid up" bit either.
Long term, I do wonder if this might become an actual infection vector, where people try to get others to run software just to get them infected in order for them to get a decryption key, as opposed to paying ever-higher currency costs for BitCoins.
Re: (Score:2)
Sheesh, I'm getting lots of karma both for my wrong post, and for the correction I posted to it. It's a strange world...
Re: (Score:2)
The name is probably just a clickbait to trick more users into installing the malware.
IMHO the movie industry should have embraced the popcorn time distribution model, maybe with some encryption, and make the content paid-for/ads-subsidized (that's just an example, there are countl
Re:Well, then (Score:5, Insightful)
No, the answer is not paying a ransom, or infecting friends (or VMs). The correct answer is to reformat the storage and restore from a backup.
Re: (Score:2)
The answer is a slow, torturous, painful, publicly televised death for the perpetrators of such actions...
Re: (Score:2)
The answer is a slow, torturous, painful, publicly televised death for the perpetrators of such actions...
I like this idea and would happily contribute to a Kickstarter campaign to help make it a reality.
Re: (Score:2)
If you look at some of the guys that walk up to those girls on the street you would believe it. It's Russian roulette with random violent psychos in some cases according to police reports.
Re: (Score:2)
That doesn't mean, given merely adequate means, that they would suddenly perceive stability. To cover the fear of financial instability, they'd need means that eliminate any financial strain. These women have been trained, through long years of effort, to identify any financial trouble as lethal to their quality-of-life, and to respond by engaging in prostitution; giving ground has always been the path to homelessness, starvation, and utter self-destruction, and so they have learned an impulse to avoid a
Re: (Score:2)
You should get out more and you'll see that your strawman is vanishingly rare.
Re: (Score:2)
This guy just keeps spouting this pie-in-the-sky/Star Trekian economic "plan" in pretty much every thread...
Re: (Score:2)
Star Trek's economy is a post-scarcity economy where everything is free because there's basically no labor involved.
My Universal Social Security plan assumes capitalism is the only economic behavior. People apply labor to make things, and trade their labor time to acquire other things; and people organize to minimize their effort and maximize their returns. This is called "economizing", or maximizing the ends derived from your means.
The core concept of economy is thus profit: you seek to do little an
Re: (Score:2)
Actually, not really. Whenever it comes up, I get a lot of people railing against it. One of the big strawmen I keep hearing is "we need the businesses to pay," talking about minimum-wage, when I've suggested that people's income will go up over time outside of wages (and I suggest lowering payroll taxes as well). People also constantly talk about reclaiming the CEO's salary, for some reason.
It's a highly-common response. The conservative middle-class in America more often just claims that there are b
Re: (Score:2)
I'm serious. Go talk to someone that actually reads more than one book a year instead of a ranting nincompoop.
It's a big world out there.
Re: (Score:2)
People who read more than one book a year fall into two classes: people reading Hillary Clinton/Mike Savage and their ilk, or people reading lots of fantasy and scifi novels. The former are going to rant and rave about the rich taking all the fucking money or the poor being too lazy to get off welfare; the latter might do that, too, or they might have a lesser opinion.
Among the more moderates, I've found that people insist that giving free money without a beating stick attached will result in everyone
Re: (Score:2)
"So what would you do if this ransomware infected your files?"
The correct answer is to reformat the storage and restore from a backup.
In a world of Password1, I wonder what the percentage is of people who actually have any backup at all. Gotta be pretty low.
Most people are the type who used to put electrical tape over their blinking VCR lights, so backing up their computer simply doesn't happen - a combination of laziness and avoiding reading instructions.
A friend for some crazy reason took her computer to an on-campus computer help for an update. I guess she thought I was too busy or something. Well, the Windows guy hosed her Mac. S
Re: (Score:2)
Which in the context of ransomware is precisely the wrong advice - you need *offline* backups to recover, since the malware will happily encrypt any and all drives it can find. Backup to one or more external hard drives yes, but don't leave it/them connected routinely.
No, I probably should have explained more - it was her work laptop, so the only part of it being used at home was the backing up.
Re: (Score:2)
If they actually tried, there are meta-scams that don't actually do anything they just pretend to hold your files hostage. It's like robbing someone with a replica gun, if the victim can't tell and you don't try to shoot anything it works just the same. The kind of victim they're looking for with lots of high-value data and no backups is probably just going to panic and pay anyway, since it's pretty much established that there is no "fix" for a crypto-locked machine.
Re: (Score:2)
Re: (Score:2)
but even just turning the computer off would work
Not always - if you're computer illiterate and your browser is set to save state, it will come back to the same page again when you open it. (I have been asked and paid to fix this multiple times AFTER a reboot).
Re: (Score:3)
Yeah, every now and then I'll see a full screen Chrome pop up claiming to have encrypted everything (and that they're the FBI, and can be paid via Walgreens gift cards or some nonsense).
Lol, yes, my neighbor saw this on his Chromebook and brought it over to my place in a panic.
I asked him if he thought the FBI really took payments, and if so, that they would take them by Western Union or iTunes cards or whatever. lol
We closed the tab and he went back home a little bit wiser. Not much, but a little bit.
Re: (Score:2)
I asked him if he thought the FBI really took payments, and if so, that they would take them by Western Union or iTunes cards or whatever.
The DEA and other law enforcement agencies take payments. Why wouldn't the FBI?
Re: (Score:2)
My Dad occasionally gets these on his Mac. He calls them via Skype at the number provided, then plays the "I'm the crazy old man who can't understand anything you're trying to tell me because I'm old and hard of hearing" card.
He enjoys it a lot.
Re: (Score:2)
So basically the whole point of your post is to show off that you're running Linux and you have backups. Congratulations on being a twat.
I wonder how many Linux people have two friends to infect?
Re:Well, then (Score:4, Funny)
I wonder how many Linux people have two friends to infect?
Necessity drives innovation.
Re: (Score:2)
I wonder how many Linux people have two friends to infect?
Necessity drives innovation.
You don't mean........ come out..... of mom's basement?
side note - I'm a guy who uses Linux, but loves to make fun of anyone.
Re: (Score:3)
Both my friends are deadbeats. :(
Re: (Score:2, Insightful)
Re: (Score:2)
lol. Don't break an arm patting yourself on the back just because you don't use windows.
You have to admit, the installed user base of malware is best on Windows, those Mac Hipsters and Linux geeks are never going to catch up to you guys.
Re: (Score:2)
Who is going to save me from this dangerous hack?
Rege Dit.
Re: (Score:2)
Who is going to save me from this dangerous hack?
Me, for a nominal fee* of course
*payable in advance, non refundable, results not guaranteed
Re: (Score:2)
What? Windows only?
I don't know. Currently I don't have a spare physical machine on which I'm willing to test it in Wine.
Re: (Score:2)
Re:Fucking Muslims (Score:5, Informative)
I bet it blows your mind that the people they're fighting are also muslims.
Because...?
I was walking across a bridge one day, and I saw a man standing on the edge, about to jump. I ran over and said: "Stop. Don't do it."
"Why shouldn't I?" he asked.
"Well, there's so much to live for!"
"Like what?"
"Are you religious?"
He said: "Yes."
I said: "Me too. Are you Christian or Buddhist?"
"Christian."
"Me too. Are you Catholic or Protestant?"
"Protestant."
"Me too. Are you Episcopalian or Baptist?"
"Baptist."
"Wow. Me too. Are you Baptist Church of God or Baptist Church of the Lord?"
"Baptist Church of God."
"Me too. Are you original Baptist Church of God, or are you Reformed Baptist Church of God?"
"Reformed Baptist Church of God."
"Me too. Are you Reformed Baptist Church of God, Reformation of 1879, or Reformed Baptist Church of God, Reformation of 1915?"
He said: "Reformed Baptist Church of God, Reformation of 1915."
I said: "Die, heretic scum," and pushed him off.
Religious wackos can rant and rave about people who believe in false gods or, worse, no gods at all, but worst of all are those who believe in a "perverted" version of their own god and those who've abandoned the faith. Not sure what your point is though; I care about how many people want to kill me, and how many other people they want to kill is of lesser concern.
Reformation of 1879 (Score:3)
Re: (Score:2)
Nice story, but you've kinda missed the point.
"The people they're fighting are other Muslims" - that's not the important bit. The important bit is the corollary: almost all the people who are in the front lines fighting against ISIS are Muslims.
They're also all humans, so we ought to kill all humans, everywhere.
Re: (Score:2)
You are the stupidest person alive if you think any money goes to help anyone other than the writers of the ransomware.
Re: (Score:2)
And there he is - I thought you were dead or something - I've not read your mindless drivel on here in ages! I'd say "welcome back" but you're not.
Re: (Score:2, Insightful)
Re:I would restore (Score:5, Insightful)
In the unlikely event this actually would happen, then I would restore.
My backups are secure. So I would restore from a backup. That wasn't too hard was it?
Backups work great for random acts of god but not necessarily for ransomware. It would be fairly trivial to create ransomware that slept a random amount of time before encrypting your files or even worse encrypt your files and then continue to function like normal for several weeks before alerting you. By that time, all your backups are also infected and even if you have a really old backup you won't have any of the recent stuff from that last several weeks or months since the initial infection. For all the people on here that are bragging about backups, even if you catch it the same day and restore it is still a huge pain and chances are if written properly it could easily be written in a way that the backups are also infected.
Re: (Score:2)
Re: (Score:2)
Backups work great for random acts of god but not necessarily for ransomware. It would be fairly trivial to create ransomware that slept a random amount of time before encrypting your files or even worse encrypt your files and then continue to function like normal for several weeks before alerting you. By that time, all your backups are also infected and even if you have a really old backup you won't have any of the recent stuff from that last several weeks or months since the initial infection. For all the people on here that are bragging about backups, even if you catch it the same day and restore it is still a huge pain and chances are if written properly it could easily be written in a way that the backups are also infected.
Of course it's a pain, and no system is foolproof. My own personal backup system doesn't have offsite storage in a fireproof container inside a guarded vault. But there is that old saying about how perfection is the biggest enemy of good enough, which is the road you are on.
And since probably 80 percent of users have no backup at all, there is a lot of low hanging fruit before the bad guys get to multiple file backups and multiple image users.
Re: (Score:2)
My own personal backup system doesn't have offsite storage in a fireproof container inside a guarded vault.
And since probably 80 percent of users have no backup at all, there is a lot of low hanging fruit before the bad guys get to multiple file backups and multiple image users.
It's not about the quality of the backup. It's that in order to effectively propagate a virus needs to lay low for a while so that it can get to multiple systems. If it immediately bricks your system then it can't propagate. This means that by the time it announces to you that you are infected that you have likely been infected for quite a while so all your backups are also infected. If you're lucky and your backup files aren't already encrypted then it might be possible to clean the backup before you r
Re: (Score:2)
It's that in order to effectively propagate a virus needs to lay low for a while so that it can get to multiple systems. If it immediately bricks your system then it can't propagate.
Great, now you've told the crypto malware guys how to really screw us. Thanks a lot, jerk!
Re: (Score:2)
It would be kind of a massive giveaway when your files don't fit on the backup because so much has changed at once. Just doing a daily tar of everything is impractical in most cases so nearly every non-trivial backup system does incremental backups.
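One way to turn that giveaway into a pre-rotation check, as an added example that is not from this thread or from any backup product: before a nightly job overwrites the previous backup generation, compare the new snapshot with the last one and hold the rotation when an unusually large share of files changed or vanished and the changed files look like ciphertext. The file names, contents, the `.locked` suffix and the thresholds are constructed assumptions.

```python
import hashlib
import math
from collections import Counter

# Assumed thresholds: natural documents rarely exceed ~6 bits/byte of entropy,
# while encrypted or compressed data sits near 7.9-8.0; 30% churn in one night
# is far above normal for a home or small-office tree.
ENTROPY_LIMIT = 7.5
CHURN_LIMIT = 0.30


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def assess_backup_run(previous: dict, current: dict) -> dict:
    """Compare two snapshots (path -> file bytes) and decide whether the old
    backup generation may be rotated out. 'hold_rotation' is True when the
    churn looks like mass encryption, including the rename-plus-encrypt case
    where every old path disappears and a new high-entropy file replaces it."""
    changed = [p for p in current if p in previous and current[p] != previous[p]]
    missing = [p for p in previous if p not in current]
    new = [p for p in current if p not in previous]
    churn = (len(changed) + len(missing)) / max(len(previous), 1)
    touched = changed + new
    high_entropy = [p for p in touched if shannon_entropy(current[p]) > ENTROPY_LIMIT]
    ratio = len(high_entropy) / len(touched) if touched else 0.0
    return {
        "churn": churn,
        "high_entropy_ratio": ratio,
        "high_entropy": sorted(high_entropy),
        "hold_rotation": churn > CHURN_LIMIT and ratio > 0.5,
    }


# --- constructed sample snapshots -------------------------------------------
def _text(seed: str) -> bytes:
    """Plausible plaintext document (constructed)."""
    return (f"Quarterly notes {seed}: the quick brown fox jumps over the lazy dog. " * 40).encode()


def _ciphertext(seed: str) -> bytes:
    """Deterministic high-entropy stand-in for an encrypted file (constructed)."""
    return b"".join(hashlib.sha256(f"{seed}{i}".encode()).digest() for i in range(64))


BASELINE = {f"docs/report{i}.txt": _text(str(i)) for i in range(10)}

# A normal day: one document was edited.
NORMAL_DAY = dict(BASELINE)
NORMAL_DAY["docs/report3.txt"] = _text("3 revised")

# A ransomware day: every document encrypted and renamed with a made-up suffix.
RANSOM_DAY = {p + ".locked": _ciphertext(p) for p in BASELINE}


if __name__ == "__main__":
    for label, snap in (("normal day", NORMAL_DAY), ("ransom day", RANSOM_DAY)):
        report = assess_backup_run(BASELINE, snap)
        print(f"{label}: churn={report['churn']:.2f} "
              f"high_entropy_ratio={report['high_entropy_ratio']:.2f} "
              f"hold_rotation={report['hold_rotation']}")
```

The check is deliberately content-based rather than extension-based, so it also catches a variant that keeps the original file names and overwrites the contents in place.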
Re: (Score:2)
If the file is encrypted "data", you can restore it to yesterday. If it is binary executable, restoring it to a few months ago shouldn't be that painful. Then you checksum the executables, add in updates, and you're good to go.
For the virus to be effective it has to be executed at some point. So you restore those to last known safe date. The data, which isn't executed isn't going to be re-sourcing the virus any time soon.
Backups aren't an indivisible thing unless you are using MS's image backups -- whic
Re: (Score:2)
There are many copies and most of them are offline.
Plus, they are encrypted themselves, and only mounted during the actual backup window.
So the malware needs to be really smart to catch that window, and then it has to be smart enough to catch the verify cycle.
Again, none of this matters. A virus doesn't need to know anything about your backups, your backup windows, your encryption or even whether the backups even exist to infect them. In order for a virus to be effective it has to lay low for a while so that it has time to propagate. It's the reason that ebola is not really a huge issue. It kills too fast. By the time that a virus announces to you that you are infected then likely all your backups are also infected. It just has to wait a few weeks for yo
And people who back up to a network share, or rota (Score:2)
There are a lot of people who back up to a network share, and others who keep only one copy of backups. Most ransomware will encrypt network shares as well. People who have only one copy are hoping nothing goes wrong at night; in the morning they'll have two copies of garbage.
I created a backup / warm spare system based on read-only rsync pull to a remote server that keeps several de-duplicated copies, and makes each backup bootable as a VM. I called it Clonebox.
Re: (Score:2)
I created a backup / warm spare system based on read-only rsync pull to a remote server that keeps several de-duplicated copies, and makes each backup bootable as a VM. I called it Clonebox.
Do you have a HOWTO or similar? I want to set up something like this with a new server (best practices from the start, so I hope)
Can't release it right now, company sells for $25 (Score:2)
Right now I can't release the documentation because the company I used to work for sells it, with off-site backups to their cloud. If you remind me a month from now, I may be able to release something.
Re:Oh Yeah, your so poor (Score:5, Funny)