

Popcorn Time is a ransomware-type virus discovered by security researcher MalwareHunterTeam.

Payloads

Following infiltration, Popcorn Time encrypts various data stored on the infected computer. During encryption, this ransomware appends the ".kok" or ".filock" extension to the names of encrypted files. Following successful encryption, Popcorn Time opens a pop-up window and creates an HTML file ("restore_your_files.html"), placing it on the desktop. Both contain ransom-demand messages.
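The indicators in the paragraph above (the two appended extensions and the ransom note file name) are enough for a first-pass triage of a suspect profile or file share. The following is an added example, not code from the original page or from any researcher it names; the function name `triage`, the report keys and the verdict labels are assumptions made for illustration.

```python
import os
from collections import Counter
from pathlib import Path

# Indicators taken from the description above.
ENCRYPTED_EXTENSIONS = (".kok", ".filock")
RANSOM_NOTE_NAME = "restore_your_files.html"


def triage(root):
    """Walk `root` and summarise Popcorn Time artefacts found beneath it."""
    encrypted = []          # (encrypted path, presumed original file name)
    notes = []              # ransom note locations
    per_dir = Counter()     # encrypted-file count per directory
    total = 0

    # Unreadable directories are skipped rather than aborting the scan.
    for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
        for name in files:
            total += 1
            lower = name.lower()
            path = Path(dirpath) / name
            if lower == RANSOM_NOTE_NAME:
                notes.append(path)
                continue
            for ext in ENCRYPTED_EXTENSIONS:
                # The extension is appended, so stripping it gives the old name.
                if lower.endswith(ext) and len(name) > len(ext):
                    encrypted.append((path, name[: -len(ext)]))
                    per_dir[dirpath] += 1
                    break

    return {
        "files_seen": total,
        "encrypted": encrypted,
        "ransom_notes": notes,
        "worst_dirs": per_dir.most_common(5),
        # Assumed labels: both indicators together are stronger than either alone.
        "verdict": ("likely" if encrypted and notes
                    else "possible" if encrypted or notes else "none"),
    }


if __name__ == "__main__":
    import sys
    report = triage(sys.argv[1] if len(sys.argv) > 1 else str(Path.home()))
    print(f"{report['verdict']}: {len(report['encrypted'])} encrypted of "
          f"{report['files_seen']} files, {len(report['ransom_notes'])} note(s)")
    for d, n in report["worst_dirs"]:
        print(f"  {n:6d}  {d}")
```

The per-directory counts show where encryption reached, which helps decide which shares to isolate and which backups to restore first.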

The messages inform victims of the encryption and state that the key is stored on a remote server owned by Popcorn Time's developers. Victims are therefore encouraged to pay a ransom of 1 Bitcoin (approximately $750) to receive it. If the ransom is not paid within seven days, the key is permanently deleted and decryption becomes impossible.

Popcorn Time has one feature that makes it unusual amongst ransomware-type viruses: it offers victims a way to decrypt their files free of charge using an affiliate link provided. Victims must promote this link to other users so that their computers are infected. If at least two of these other people pay the ransom, the files are decrypted free of charge.

The ransom-demand message states that Popcorn Time's developers are students from Syria. They claim that the reason they make these ransom demands is hunger in Syria. All payments are supposedly used to help refugees and impoverished people of this nation.

Text presented within Popcorn Time HTML file:

Warning Message!!
We are sorry to say that your computer and your files have been encrypted, but wait, 
don’t worry. There is a way that can restore your computer and all of your files. When 
countdown ends your files will be lost forever.
You must send at least [AMOUNT] Bitcoin to our wallet and your will get your files 
back.
Your personal unique ID: - 
Send [AMOUNT] BTC to this address: 1LEiPgvh6S9VEXWV2dZTytSRd7e9B1bWt3
Warning Message!!
********************
We are sorry to say that your computer and your files have been encrypted,
but wait, don’t worry. There is a way that you can restore your computer and all of 
your files.
****************************************************************************************************
Your personal unique ID: - 
You must send at least - Bitcoin to address - to get your files back
Warning! ! ! If you will not pay for the next 7 days, the decryption key will be deleted 
and your files will be lost forever.
****************************************************************************************************
Restoring your files - The fast and easy way
To get your files fast, please transfer - Bitcoin, to our wallet -. When we will get the 
money we will immediately give your your private decryption key. Payment should be 
confirmed in about 2 hours after payment made.
Restoring your files - The nasty way
Send the link - below to other people, if two or more people will install this files and 
pay, we will decrypt your files for free.
What we did?
We had encrypted all of your important images, document, videos and all other files 
on your computer. We used a very strong encryption algorithm that used by all 
governments all over the world. We store your personal decryption code to your files 
on our servers and we are the only ones that can decrypt your files. Please don’t try 
to be smart, anything other than payment will cause damage to your files and the files 
will be lost forever! ! ! If you will not pay for the next 7 days, the decryption key will 
be deleted and your files will be lost forever.
What we do that?
We are a group of computer science students from Syria, as you probably know Syria 
is having bad time for the last five years. Since 2011 we have more the half million 
people died and over 5 million refugees. Each member of our team has lost a dear 
from his family. I personally have lost both my parents and my little sister in 2015. 
The sad part is that the world remained silent and no one helping us so we decided to 
take an action.
How to buy Bitcoins?
If you aren’t familiar with Bitcoin and don’t know what is it. Please visit the official 
Bitcoin website (https://bitcoin.org/en/getting-started), follow the steps and you’ll get 
your Bitcoins. To understand more you can check also on the FAQ page 
(https://bitcoin.org/en/faq). Please check this website (https://coinatmradar.com) where 
you can find Bitcoin ATM all over the world.
List of encrypted files on your computer -