Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
Security Bitcoin

New Ransomware Offers The Decryption Keys If You Infect Your Friends (bleepingcomputer.com) 236

MalwareHunterTeam has discovered "Popcorn Time," a new in-development ransomware with a twist. Gumbercules!! writes: "With Popcorn Time, not only can a victim pay a ransom to get their files back, but they can also try to infect two other people and have them pay the ransom in order to get a free key," writes Bleeping Computer. Infected victims are given a "referral code" and, if two people are infected by that code and pay up -- the original victim is given their decryption key (potentially).
While encrypting your files, Popcorn Time displays a fake system screen that says "Downloading and installing. Please wait" -- followed by a seven-day countdown clock for the amount of time left to pay its ransom of one bitcoin. That screen claims that the perpetrators are "a group of computer science students from Syria," and that "all the money that we get goes to food, medicine, shelter to our people. We are extremely sorry that we are forcing you to pay but that's the only way that we can keep living." So what would you do if this ransomware infected your files?
This discussion has been archived. No new comments can be posted.

New Ransomware Offers The Decryption Keys If You Infect Your Friends

Comments Filter:
  • Easy (Score:4, Insightful)

    by Alumoi ( 1321661 ) on Monday December 12, 2016 @04:40AM (#53467505)

    Wipe and restore from backup. Nex!

    • Re: (Score:3, Insightful)

      by 91degrees ( 207121 )
      If people backed up, that would be a good suggestion...

      Seriously, they can probably weather the loss from the few people who are genuinely aware that you need to back this stuff up.
      • by MrKaos ( 858439 )

        But since they don't, take their money anyway and tell them you couldn't recover their files. Only then are they ready to do backups.

      • If people backed up, that would be a good suggestion...

        No it's the only suggestion.

        If they didn't backup then suggest it anyway then berate the idiots for their stupidity.

    • I wonder if this might encrypt your backup while it's online though.

      • This happened to many businesses. Live backups mean live updates to files, means all virus infected files propagate to backups.

        Offline backups, FTW.

    • Unless your nightly backup process replaced the backups of all your files with the encrypted versions.
      • by MrKaos ( 858439 )

        Unless your nightly backup process replaced the backups of all your files with the encrypted versions.

        What if it replaced all you files with an mp3 of "Careless whisper" then reported you to the RIAA?

        • Or replaced all of your .mp4s with Adam Sandler movies and reported you to the MPAA....

          • by MrKaos ( 858439 )

            Or replaced all of your .mp4s with Adam Sandler movies and reported you to the MPAA....

            See, if that was a virus it would just be funny. Not because of Adam Sandler though.

      • by dbIII ( 701233 )

        Unless your nightly backup process replaced the backups of all your files with the encrypted versions.

        In which case it's not actually a backup but just a copy.
        Thanks, you've provided a good example of the difference for future use.

    • Wipe and restore from backup. Nex!

      First Assumption - Consumers actually put forth effort to run backups.

      Second Assumption - Ransomware doesn't seek out and destroy backups.

      • Wipe and restore from backup. Nex!

        First Assumption - Consumers actually put forth effort to run backups.

        Second Assumption - Ransomware doesn't seek out and destroy backups.

        Damn, there is no hope for anyone! Nothing can be done! We're all doomed, and the computer kids from this country are now our overlords!!

    • Wipe and restore from backup. Nex!

      That's still a pain for a single day but any properly written ransomware could easily stay dormant long enough to either infect all your backups or make them old enough to be mostly worthless.

      • by dbIII ( 701233 )
        I disagree. Properly written ransomware appears to be about making a quick buck and not about existing for long enough that antivirus vendors get a chance to do something about a variant.
  • Sounds like a plot for the series...
  • by kaur ( 1948056 )
    1) my boss
    2) my mother-in-law

    I see this as win-win-win situation.
    • by MrKaos ( 858439 )

      1) my boss 2) my mother-in-law I see this as win-win-win situation.

      Ahhhh, so this is Step 3., before Profit!

    • I think you should move up the food chain.
      And if a coworker or a relative you like gets infected, then tell them you can fix it with your tech skills, and put in the secret decryption code when they're not looking. So you'll either make $B$ or you'll be a hero.
  • been_here (Score:5, Interesting)

    by breun ( 691628 ) on Monday December 12, 2016 @06:32AM (#53467761) Homepage
    From the article:

    Once started, the Popcorn Time ransomware will check to see if the ransomware has been run already by checking for various files such as %AppData%\been_here and %AppData%\server_step_one. If the been_here file exists, it means the computer has already been encrypted and the ransomware will terminate itself. Otherwise, it will either download various images to use as backgrounds or start the encryption process.

    So, everyone should just make sure %AppData%\been_here and %AppData%\server_step_one exist? :)

  • Probably restore from last full backup. You do have backups, right?

  • by Gravis Zero ( 934156 ) on Monday December 12, 2016 @07:23AM (#53467869)

    "a group of computer science students from Syria," and that "all the money that we get goes to food, medicine, shelter to our people. We are extremely sorry that we are forcing you to pay but that's the only way that we can keep living."

    This is a brilliant twist on malware. These are not people from Syria but rather a story concocted to try and have you help them. It's basically, it's an alternate version of the "Nigerian Prince" that needs money to bribe his captors to release him. Logically, a person in a warzone cannot exchange bitcoin for money or goods which makes the whole thing implausible from the start. I would bet what when they tear the binary apart, they'll find that it's been compiled for the Russian locale.

    So what would you do if this ransomware infected your files?

    A) wipe your system
    B) load Linux instead of Windows
    C) restore files from backups

    • Of course these aren't computer students from Syria. It's remarkable that you're the only one pointing this out.

    • A) wipe your system
      B) load Linux instead of Windows
      C) restore files from backups

      This is what I did back in 1997 when a Windows virus wiped out my hard disk. Sadly, I was a broke college student who didn't have the money to afford backups, so I lost everything. I had to start from scratch, anyway, so I started with Linux. I had dabbled with Linux on and off since 1993, but that Windows virus was the push I needed to commit to the switch. I've never regretted it.

      • by bmo ( 77928 )

        Are you me? Nearly exact same scenario, except that Windows didn't need a virus to lose everything. It just needed to puke while backing up my files.

        I rage quitted Windows and never looked back.

        Best rage quit ever.

        --
        BMO

  • Do they mean "friends" or people I have in my address book. There's a difference; a very distinct one.

  • Why isn't it mentioned anywhere the ransomware works on Windows and only on Windows? Is it to avoid another Windows-bashing? Or is it that obvious?
    • Why isn't it mentioned anywhere the ransomware works on Windows and only on Windows? Is it to avoid another Windows-bashing? Or is it that obvious?

      It has been pointed out. Then the Windows apologists start screaming about how it can be made to work on OSX and Linux.

      Which isn't the point, because its a Windows thing.

    • by tepples ( 727027 )

      Because there's probably no positive or negative result entry in Wine AppDB.

  • FOAD to the dirty crooks, break out the live USB Linux distro of gparted, wipe the drive with --sgdisk-zap-all /dev/sda then put in a new filesystem, reinstall my favorite flavor or Linux, and be glad i keep all my personal stuff on another USB thumbdrive
  • Based on the title I think we know exactly who is behind this Malware don't have to look farther then MPAA for the funding of this program.
  • Hey guys, any of you want to try out this fantastic new software I've just got, let me give you a link, you can download it for free.

  • I have wondered about this for a while. These groups can't use cash due to it being easy to track in the mail and needing to receive the cash, They also can't do credit cards since that could be traced almost immediately and the account seized.

    Does ransomware work on the scale it exists today or larger without crypto-currency? Right now I can't think of any way to have it work on a large scale without crypto-currency.

    If ransomware really can't work without crypto-currency then this would have to be factored

  • "So what would you do if this ransomware infected your files?"

    I'd restore from backups.

    • by tepples ( 727027 )

      So what would you do if you discover that this ransomware has been slowly infecting your backups for the past several weeks?

      • So what would you do if you discover that this ransomware has been slowly infecting your backups for the past several weeks?

        Then I'd go back further than several weeks.

        My backups are separate, individualized, and not of the constantly online variety. Multiple separate drives, stored offsite, etc etc etc.

  • Appears we're looking at the unholy spawn of ransom-ware and multi-level-marketing [youtu.be]. Fetch holy water and an axe.
  • It sounds like someone has watched Ringu [wikipedia.org] too many times.
  • by onemorechip ( 816444 ) on Monday December 12, 2016 @01:15PM (#53469751)

    Sounds a lot like a pyramid scheme -- this could be illegal.

  • So what would you do if this ransomware infected your files

    Simple: I'd restore from my backups. Don't have backups? Then you are a fool.

  • So what would you do if this ransomware infected your files?

    I would find considerable pleasure in hunting down the instigator.

OS/2 must die!

Working...