News Feature | December 20, 2016

New Ransomware Forces Victims To Spread Virus For Key

Christine Kern

By Christine Kern, contributing writer

Preventing Healthcare Ransomware

New unpublished ransomware offers decryption in exchange for infecting more targets.

Ransomware has been tapped as one of the biggest cybersecurity threats of 2017 and has the potential to be even more dangerous in the future. Now, a new, unpublished ransomware has been uncovered that makes the threat more insidious: it offers decryption keys to victims in return for infecting more targets, according to Tech Target.

The new variant — Popcorn Time — was analyzed by Bleeping Computer which found that, while the strain includes some standard features of the malware, it also includes a more sinister aspect in that it offers to release access to locked data in return for infecting other users. If the initial victim shares a link to the Popcorn Time ransomware with two other users who then pay the ransom, the original victim will be provided with the key. To guarantee they cooperate, if victims input an incorrect decryption key four times, the ransomware then begins to delete files.

The ransomware is not related to the popular streaming website by the same name.

Once infected, users are given seven days to spread the virus or pay the ransom to recover data, reports. When the ransomware is downloaded, it displays a fake loading screen while it encrypts a user’s files. The virus has now been updated to encrypt files on My Desktop, My Pictures, and My Music folders as well. Once the encryption has been completed, the screen displays a countdown clock and ransom message, requiring users to pay one bitcoin (roughly $750) or to infect two other users and have them pay instead.

So far, the malware is still in development stages but it has the potential to become one of the more widespread variants of ransomware, according to The Guardian.

Brian Laing, vice president of business development and products at cybersecurity company Lastline, told Search Security, “Ransomware is the vector for innovative small or solo actors right now in the malware universe.

“This is a new approach we have not seen before — essentially giving victims the opportunity to become accomplices in the crime, in lieu of paying cash, in order to have one’s files decrypted. One would only hope that this approach is ineffectual. Most malware we have seen designed to strike a viral effect simply gain control of the users’ contact catalog so this is a curious approach.”

And while infecting others might seem to be a way to kill two birds with one stone — exacting revenge on enemies while also regaining control of your own data — Travis Smith, senior security research engineer at security software firm Tripwire warned the consequences of trading two more victims for a ransomware decryption key could be direr than people think.

“Infecting a machine you do not own is considered a criminal act in most parts of the world, and can be punishable by much more than the cost of the decryption keys,” Smith told SearchSecurity. ”The risk/reward is heavily in favor of the ransomware author for this scheme, which is what makes it an enticing endeavor for them.”