Yes, this new technique has been employed by cyber criminals with the latest round of ransomware threat, dubbed Popcorn Time.
Initially discovered by MalwareHunterTeam, the new Popcorn Time Ransomware has been designed to give the victim's a criminal way of getting a free decryption key for their encrypted files and folders.
Popcorn Time works similar to other popular ransomware threats, such as the Crysis Ransomware and TeslaCrypt, that encrypt various data stored on the infected computer and ask victims to pay a ransom amount to recover their data.
But to get their important files back, Popcorn Time gives victims option to pay a ransom to the cyber criminal or infect two other people and have them pay the ransom to get a free decryption key.
What's even worse? The victims are encouraged to pay the ransom of 1 Bitcoin (~$750) within seven days to receive decryption keys stored on a remote server owned by Popcorn Time's developers.
If the ransom is not paid within this duration, the decryption key will be permanently deleted and retrieve important files will become impossible.
Moreover, the code of the ransomware is incomplete that may indicate that if victims enter the wrong decryption key four times, the Popcorn Time ransomware will start deleting victims' files.
Here's How the Popcorn Time Ransomware Threat Works:
If not, the Popcorn Time Ransomware will either download various images to use as backgrounds or start encrypting the files using AES-256 encryption. The encrypted files will have the ".filock" or ".kok" extension appended to it.
While encrypting the data, the ransomware will display a fake screen that pretends to be the installation of the program.
Zero Trust + Deception: Learn How to Outsmart Attackers!
Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!Save My Seat!
As soon as the encryption is finished, it will convert two base64 strings, save them as ransom notes known as restore_your_files.html and restore_your_files.txt, and then automatically display the HTML ransom note asking for 1 Bitcoin.
Want a Free Decryption Key? Infect Two More People
If those two infected victims pay the ransom, then the first victim will supposedly get a free decryption key.
To make this possible, the ransom note contains a URL pointing to a file located on the Popcorn Time's TOR server.
Entering Wrong Decryption Key 4 Times and You are Screwed Up!
When executed, the Popcorn Time ransomware will display a lock screen filled in with various information relating to victim's particular installation.
The victim will also find a field where he/she can enter the decryption key given to them by the attacker after paying the ransom.
The source code for Popcorn Time contains a function that suggests the threat to delete files if the victim enters the wrong decryption code four times.
Since the Popcorn Time ransomware is still under development at the time of writing, many things are unclear and may change with time.