
Upload: itrust-cybersecurity-as-a-service

Post on 14-Apr-2017


Page 1: The ransomware before Christmas

The Ransomware before Christmas

The holidays are upon us and, as the carols go, ‘tis the season to be merry and spread the cheer. Even hackers cannot resist the call of Christmas, though they do tend to express it in the most peculiar of ways. This December, a new ransomware dubbed ‘Popcorn Time’ offers victims the gift of free decryption. But cybercriminals are not off Santa’s naughty list yet.

We can safely say that ransomware has earned the title of ‘Most Dreaded Cyber-threat’ over the last few years. More than 750 000 computers were infected by one of the many cousins of CryptoLocker in 2015, a 30% increase over previous quarters, with a spike noted especially during the Christmas holidays. But despite these alarming numbers and the countless efforts of providers to convince users of the benefits of proper cyber-hygiene, 2016 didn’t turn out any better. There is always going to be that one person who clicks on a suspicious link or opens an unknown attachment from an untrusted source, which is why awareness alone is not enough: other mechanisms must be in place to stop that click from turning into an infection.

This year, almost 50% of all American businesses fell for the ransomware trap, and $209 million was transferred to cybercriminals in the first quarter of 2016 alone. With revenue like that, the business of holding personal data hostage is attracting more and more hacker wannabes. Of the entire array of hacking tools employed by cybercriminals, ransomware is by far the favourite of those looking for quick revenue.

Malware tops the naughty list

This week, MalwareHunterTeam uncovered a devious ransomware that uses the name of the popular streaming software ‘Popcorn Time’ in order to fool users. But that is nothing compared to what it does next. The modus operandi of this particular cyber-threat has less to do with streaming and much more to do with a twisted sense of holiday spirit.


Like just about every ransomware, Popcorn Time starts by encrypting your personal data with a key known only to its creators. In an excess of generosity, it then gives users the opportunity to obtain this very key for free. You will probably ask yourselves: ‘How does it maintain, let alone increase, its profits if it is not charging victims a financial penalty?’ Here is the catch: in order to save their data, users have one week to decide whether to pay the price (1 BTC, estimated at around 700 euros at the time) or to infect two of their contacts, which in return earns them the decryption key.

Image source: Bleeping Computer

By including a referral link to spread the infection onto others, the masterminds behind Popcorn Time have increased the probability that recipients will click on an infected link, because it now arrives from someone they know. It’s Kenny, I know him, he won’t send me… uhm, oh, wait, what’s this? It appears Kenny betrayed his own peers. So much for ‘only open messages from trusted sources’.

One catch, though: the referral only counts if those very same acquaintances pay the ransom. In other words, if you pass the malware on, you are not off the hook just yet. They say sharing is caring, but this type of holiday charity definitely does not apply.

For those of you tempted to take the middle way and guess, know that the built-in failsafe makes it so that, if the wrong decryption key is entered more than four times, all of your files are wiped from your computer. So it is play by the rules or don’t play at all.

Jingle bell hack, I want my data back

Researchers discovered that Popcorn Time uses the same AES encryption as other well-known cyber-threats such as TeslaCrypt (the famous ‘gamer’ malware whose authors handed over the master decryption key and even apologized to their victims last May). But that is not what matters here; what matters most is how Popcorn Time exploits its victims, forcing them into deviant behaviour. Faced with infection, the user is pushed over the edge, turning the abused into an abuser.


Snippets of Popcorn Time’s code were shared on forums hosted on the Tor network. From there, researchers were able to determine that the ransomware is still under development. They also learned that, at present, it encrypts at most 500 files per run, but this is subject to change in the near future.

You can tell that a file has been encrypted when the .filock extension has been appended to its name. The list of targeted file extensions is shown below:

Image source: Bleeping Computer

Once installed, Popcorn Time starts downloading various images to use as a cover-up and begins the encryption process. At the time of writing, the malware targets all files located in My Documents, My Pictures, My Music, and on the desktop.

While encrypting your files, the malware displays one of the previously downloaded images as a fake ‘Downloading and installing’ screen. Drawing its inspiration from the Fantom ransomware, which disguises its encryption run as a Windows Update, Popcorn Time disables all keyboard shortcuts in order to simulate a legitimate update installation. One would say that the hackers have it all figured out, except for one tiny detail: why would a streaming installer trigger a Windows Update? Hmm…
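As an added illustration (not code from the article or from the researchers it cites), the following Python script turns the indicators described above, the .filock extension, the four target folders and the 500-file cap, into a first triage step a responder can run against a copy of an affected user profile. The folder names Documents, Pictures, Music and Desktop are an assumption standing in for the article's My Documents, My Pictures, My Music and desktop, and the sample profile tree the script builds is constructed for the demonstration, not data from a real infection.

```python
"""Post-infection triage for the Popcorn Time indicators (added example).

Walks the folders the ransomware is reported to target, lists files carrying
the .filock extension, groups them by the original extension beneath it, and
flags whether the reported 500-file-per-run cap was reached (in which case
files that still look untouched may simply not have been reached yet).
Assumption: modern Windows profile folder names stand in for the article's
My Documents, My Pictures, My Music and desktop.
"""
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_SUFFIX = ".filock"   # extension the article says is appended
FILE_CAP_PER_RUN = 500         # per-run limit reported by the researchers
TARGET_FOLDERS = ("Documents", "Pictures", "Music", "Desktop")  # assumption


def scan_profile(profile_root):
    """Return (encrypted, untouched) lists of Paths found under the target folders."""
    root = Path(profile_root)
    encrypted, untouched = [], []
    for folder in TARGET_FOLDERS:
        base = root / folder
        if not base.is_dir():
            continue
        for path in base.rglob("*"):
            if not path.is_file():
                continue
            if path.suffix.lower() == ENCRYPTED_SUFFIX:
                encrypted.append(path)
            else:
                untouched.append(path)
    return encrypted, untouched


def original_extension(path):
    """'report.docx.filock' -> '.docx'; a file that had no extension -> ''."""
    return Path(Path(path).stem).suffix.lower()


def summarize(profile_root):
    """Aggregate the scan into the numbers a responder needs first."""
    root = Path(profile_root)
    encrypted, untouched = scan_profile(root)
    return {
        "encrypted_count": len(encrypted),
        "untouched_count": len(untouched),
        "by_original_extension": dict(Counter(original_extension(p) for p in encrypted)),
        # If the cap was reached, the untouched list is not a safe list.
        "cap_reached": len(encrypted) >= FILE_CAP_PER_RUN,
        "encrypted_paths": sorted(p.relative_to(root).as_posix() for p in encrypted),
    }


def build_sample_profile():
    """Construct a throwaway profile tree (sample data, not a real infection)."""
    root = Path(tempfile.mkdtemp(prefix="popcorn_demo_"))
    sample_files = {
        "Documents/report.docx.filock": b"\x17" * 32,      # encrypted
        "Documents/notes.txt.filock": b"\x17" * 32,        # encrypted
        "Documents/archive/old.txt.filock": b"\x17" * 32,  # encrypted, nested
        "Pictures/holiday.jpg.filock": b"\x17" * 32,       # encrypted
        "Music/carol.mp3": b"ID3",                         # not reached (yet)
        "Desktop/todo.txt.filock": b"\x17" * 32,           # encrypted
        "Downloads/setup.exe": b"MZ",                      # outside the target folders
    }
    for rel, data in sample_files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return root


if __name__ == "__main__":
    demo_root = build_sample_profile()
    for key, value in summarize(demo_root).items():
        print(f"{key}: {value}")
```

Run it as-is to see the summary for the constructed tree, or call summarize() with the path of a mounted copy of the affected profile. A cap_reached of True means the untouched files are not necessarily safe: with the per-run limit the researchers describe, the malware may simply not have reached them yet, so they should be copied off before anything else is done on the machine.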


A Cybersecurity Christmas Challenge

At present, we cannot say with certainty who is behind this malware, as the message included in the ransom note could very well be a sob story set up to appeal to sympathetic users:

‘We are a group of computer science students from Syria, as you probably know Syria is having bad time for the last 5 years. Since 2011 we have more the half million people died and over 5 million refugees. Each part of our team has lost a dear member from his family. I personally have lost both my parents and my lithe sister in 2015. The sad part of this war is that all the parts keep fighting but eventually we the poor and simple people suffer and watching our family and friends die each day. The world remained silent and no one helping us so we decided to take an action. (Syria War in Wikipedia) Be perfectly sure that all the money that we get goes to food, medicine, shelter to our people. We are extremely sorry that we forcing you to pay but that's the only way that we can keep living.’

Note that there is no concrete evidence that the money is actually being transferred to a Syrian fund. For all we know, you could very well be funding ISIS. Yes, it is Christmas and sob stories are everywhere, but you should not let your guard down just because you have had a little too much eggnog.

Suppose you are infected with Popcorn Time. You will face two major dilemmas:

1. Do you pay the ransom, or do you pass it on to your contacts, at the risk of infecting your friends or colleagues?

2. Do you dare trust the same hackers who blackmailed you to hand over a working decryption key, or do you ignore the ransom and live with the consequences?

Whereas the holidays are so heavily advertised as a time to be kind and understanding to each other, Popcorn Time pushes you to become the Grinch of online Christmas. In a world of ideal cybersecurity, people would prepare for the eventuality of such an incident (offline backups first and foremost) before push comes to shove. In the real world, we can only hope that they will choose to share the joy and not the malware.

Link:

https://www.reveelium.com/en/the-ransomware-before-christmas/