Ransomware Meets Multi-level Marketing

A new ransomware, Popcorn Time, gives users the option of infecting others in lieu of paying the ransom.

Related: a good general article on ransomware.

EDITED TO ADD: Slashdot thread.

Posted on December 12, 2016 at 6:51 AM • 51 Comments


Randy StegbauerDecember 12, 2016 7:24 AM

Nasty! People are going to find out who their friends are.

However the most interesting part to me is their "Why we do this" section. It explains that they are from Syria and hungry and this is how they make money to live.

So...think of this as a donation. If they were a 501(c)(3), I'd be all in. :-)

Or does all ransomware have some social justice explanation?

JohnDecember 12, 2016 7:37 AM

However the most interesting part to me is their "Why we do this" section. It explains that they are from Syria and hungry and this is how they make money to live.

Color me skeptical. I can think of no reason why someone who's deploying ransomware would try to tie it to a humanitarian concern, unless they're trying to foment outrage against those "humanitarian" interests that have taken control of the user's computer.

More likely this is a group that is trying to discredit and undermine the cause of the Syrian people. All signs point to Russia.

arfnarfDecember 12, 2016 7:46 AM

Well, perhaps they didn't think it all the way through.

In the list of file extensions that get encrypted are .pst .ost and .eml, so how are you going to send a link to your "friends" if your email has been encrypted?

brigade lolliesDecember 12, 2016 8:35 AM

Yesterday a new in-development ransomware was discovered by MalwareHunterTeam called Popcorn Time

If it was discovered by MalwareHunterTeam ( https://twitter.com/malwrhunterteam ) the day before the bleepingcomputer.com article was written, I guess MalwareHunterTeam are responsible for the choice of name?

It should be noted, that this ransomware is not related to the Popcorn Time application that downloads and streams copyrighted movies.

Are MalwareHunterTeam (1) mindlessly propagating a name found in the source, or (2) did they make the name up themselves?

If (2) is the case, is the smear unintentional, or on purpose?


Color me skeptical [about the totally superfluous Syrian backstory].

Me too, and everyone else with a working bullshit detector.

All signs point to Russia.

That is one ace Paul Krugman impression!

Poe's law, exhibit A.

Clive RobinsonDecember 12, 2016 8:55 AM

@ John,

More likely this is a group that is trying to discredit and undermine the cause of the Syrian people. All signs point to Russia.

Or the US, or Israel, or France, or China, even the antipodeans, etc etc etc. I could make a case for it being GCHQ as "the dentist" is married to an English woman...

Hay maybe you work for the DNC, FBI, CIA or one of the other "out on their ear" incumbrants...

What ever the claims you need more evidence than comes from a game of "spin the bottle" as played by a bunch of punch drunk politico's and the ludicrous US MSM talking heads...

Some GuyDecember 12, 2016 8:57 AM

So does suggesting names create an opportunity for a second level of ransom. Example: We will notify the contacts that you provided to us unless you pay more.

brigade lolliesDecember 12, 2016 9:25 AM

I hastily wrote:

Are MalwareHunterTeam (1) mindlessly propagating a name found in the source, or (2) did they make the name up themselves?

If (2) is the case, is the smear unintentional, or on purpose?

Okay, so I gather from a comment in the slashdot thread that it is the first case, not the second; MalwareHunterTeam did not make up the name, it's in the source.

Still, names are cheap, and serve their primary function best when unambiguous. Why propagate an obviously ambiguous name? If the ransomware authors named a file "firefox.exe", would people seriously call it the "firefox" ransomware?

I hope that somebody, in a position to do so, has the presence of mind to coin a less ambiguous one.

@Clive replied to one @John, an enthusiastic hunter of Russian dust-bunnies under the bed:

Hay maybe you work for the DNC, FBI, CIA or one of the other "out on their ear" incumbrants...

Or, alternatively, maybe they are simply one of the dancers who's fallen prey to the seductive rhythm of the World's most expensive Wurlitzer. The CIA doesn't drop its disposable nickels into that thing for nothing, you know.

ThesixDecember 12, 2016 9:37 AM


this is in fact a test on smart thinking and solidarity. If I had an infected machine and would partner with two friends we all would pay 2/3 of a bitcoin. So it's actually a discount ... ;)

ThenTheir'sVM_STRONGDecember 12, 2016 11:15 AM

What about starting a VM on your local network, then infecting that VM.
This saves the files, if the deal is honest(Which it probably won't be).
Then, delete the infected VM.

Jesse VivianoDecember 12, 2016 12:24 PM

@ThenTheir'sVM_STRONG: That won't work. Those soon-to-be-former-friends you cause to be infected must pay their ransom before the masterminds give you the key.

TedDecember 12, 2016 12:25 PM

US-CERT released the alert “Ransomware and Recent Variants” on March 31, 2016 -- last revised September 29, 2016. Preventative measures are reviewed. [1]

Individuals and organizations are not encouraged to pay the ransom and are directed to report instances of fraud to the FBI immediately via the Internet Crime Complaint Center. [1] [2]

According to the IC3’s 2015 Annual Report, the IC3 received 2,453 ransomware complaints in 2015. [3]

The US government’s interagency technical document on ransomware provides more detailed preventive measures, business continuity considerations, steps to take if you become infected, law enforcement contact guidance, summaries of common of ransomware variants, and links to federal government resources. [2]

The FBI released a Public Service Announcement for ransomware on September 15, 2016. They provide a list of details that are requested when completing a report. [4]


[1] US-CERT Alert (TA16-091A) Ransomware and Recent Variants

[2] US-CERT Security Publication on Ransomware

[3] Internet Crime Complaint Center

[4] FBI Ransomware PSA

Martin WalshDecember 12, 2016 12:28 PM

I thought Ransomware was a reference to paying lobbyists to influence American politics.

The Russians didn't pay so they're in the doghouse. But Mexican billionaire Carlos Slim is OK because he paid a ton of money to influence politics via the New York Times. And the Washington Post? Same deal - sanctioned and protected web of lies hiding behind "freedom of the press".

So you must pay lobbyists a lot of money Vladimir if you want to influence American politics. Don't try to sneak in.

The security industry is the same - it has nothing to do with cryptography.

Mic FlexDecember 12, 2016 12:45 PM

The war-struck areas of Syria lack any means of getting food in at all. There's effectively no food from outside to be had – not for any money.

Ross SniderDecember 12, 2016 1:58 PM


"More likely this is a group that is trying to discredit and undermine the cause of the Syrian people."

Meh, I like the rest of the comment, but I don't know about this. Remember the Syrian Electronic Army from a while back. Can we infer that SEA was the CIA in order to discredit the UN recognized government of Syria?

Not everything is a black flag operation.

Granted, I don't believe that the ransomware is from Syrians suffering from the proxy war.

My "more likely" instinct isn't to immediately name the Russians, but to name the malware authors (with the most likelihood ordinary criminals from somewhere) trying to extract more money by providing rationalization for its victims, who are making a decision to pay the ransom or not. 409s and other scams from around the world use similar psychological tricks, and blaming Russians is by definition and in practice a conspiracy theory.

Ross SniderDecember 12, 2016 3:32 PM

@Mic Flex

The Syrian government held areas are not in particular want of food - or rather have access to some food trade.

Western political news will blame the starvation of guerilla held areas on the Syrian government not allowing international assistance to the guerillas, but reality is always much more complicated. Areas with supply lines closed due to attacks by the guerilla forces were also blamed on the Syrian government in these same outlets, and when war fighters have commandeered food in starving areas, tightly controlling it and using it for the war effort, they have not been reported on as an aggravator of civilian starvation.

Unfortunately, as is the case with war, neither side benefits from the other side being well fed. In the long run, the resolution of the proxy war is what will enable starving citizens to eat and that would require some real hard moral reflection on the account of supporting powers and proxy aggravators. A flush of food into the country, while I hope for all innocent people to get food, needs to be discussed in terms of the end of the proxy war - as otherwise, like other supplies, influxes of food will extend the proxy war.

Humanitarian aide has a specific definition in this arena, and it includes the concept that aide must be given to all warring parties and not take 'sides'. Unfortunately, there is not much hope for international aide that isn't political and geostrategic, and thus not able to be labeled humanitarian aide.

International aggravators need swallow hard and realize that they share the moral burden of the starvation and infrastructure destruction in Syria, and need lose sleep over all attempts to achieve military objectives through strategic resupply until they are able to make small personal sacrifices for the greater good of reaching a conclusion of the war and wellbeing for the country.

albertDecember 12, 2016 5:18 PM

"There is no political solution.." - Sting

Everything politicians touch turns to shit.

Russia doesn't prosecute anyone who hacks foreign targets; they use them to hack Russian strategic foreign targets. It's squid pro quo!

We need enemies like Russia and China to keep the war effort going. People will begin to suspect fowl play if there are no roosters in the yard.

Israels plan always has been to keep the turmoil going in the ME. By their own admission, it keeps them safe. The endgame is the elimination of all Palestinians and all ME countries turned to rubble.

Russia and China will continue to resist US pivot plans. State Dept psychopaths will continue to up the ante. There's a wave of Far Right movements here, in the EU, and world wide. This does not bode well for world peace.

The handwriting is on the wall, and has been for a long time.

I was kinda hoping someone in the EU would wake up before it's too late. Apparently, it won't happen here.

No one really gives a rat's sorry ass about Syria. No one.

. .. . .. --- ....

Clive RobinsonDecember 12, 2016 5:33 PM

I guess it needs to be said, for those not as old and grizzled as some of us ;-)

    45 seconds to be owned.

Used to be a comment made about connecting a Microsoft OS machine to the Internet (a kind of rewording of the Iraq invasion dodgy dossier claim, that unlike the dossier had a degree of reality to it...)

The reality is that it's actually a numbers game, but you should expect any commercial grade OS (MS / *nix) that's not been hardened to get owned at some point, it's only a question of "when" not "if".

Based on the assumption you will get "owned" sooner rather than later you have to ask two questions,

1, How can I reduce the effects.
2, How do I recover from the effects.

We've been answering those two questions for quite a few years now, but for some reason people don't want to listen... (hint : not listening and acting is why ransomware works).

So just to waste my -electronic-- breath again ;-) look into using

1, Live CD/DVDs.
2, Regular backups.
3, Gapped systems.

The first is not perfect by any means, as the higher skill level attackers "could" overwrite Flash ROM in the system, however if they are your problem then "energy" gapping is what you should be doing. For many just the use of a Live CD/DVD will put them well up the tree from the low hanging fruit (which is what by far the majority of attacks are about).

The second likewise is not perfect due to the "Spray-n-Pray" style of "personal" computer usage. It takes a modicum of skill to set a computer up correctly, and a fair degree of discipline to do the backups reliably.

But my advice to most people for getting on for a couple of decades now is variations of the third option... At the simplest level if you can aford it, is have one "junker" computer for the Internet, and one for private use that never gets connected to the internet or other communications network (not even for patching the OS or Apps). Preferably make the junker a "diskless" machine and run a live CD/DVD[1]. Interestingly the small single board computers like the Raspberry Pi are usually of sufficient power to do a lot of your run of the mill private stuff on and are in the "pocket money" price range.

But even if you don't go down the live CD route, the upshot is unlike many embedded devices --like routers-- or worse IoT devices personal computers are in the main fully recoverable "IF and only IF" you have put some effort into taking a few basic "self help" steps (and the machine remains under warranty).

[1] Live CD's used to be easy, in that they were on the front of many computer magazines. Sadly they are getting harder to find, and downloading images from the Internet carries a set of risks that are not easy to mitigate.

John SmithDecember 12, 2016 6:42 PM

Clive Robinson:

"Interestingly the small single board computers like the Raspberry Pi are usually of sufficient power to do a lot of your run of the mill private stuff on and are in the "pocket money" price range."

This is somewhat O/T for this thread. Please excuse.

For a while now, I have been thinking of using Raspberry Pi modules as standard building blocks in my home network. They would find use as routers, print servers, wifi access points, traffic analyzers, terminals, and so on.

Maybe, one day, use a Pi cluster to run virtualized OSes on top of a hypersupervisor like Xen.

Does the Raspberry PI hardware have some Intel-style built-in backdoor ("management engine"), that would compromise the security of such a system?

Billy BobDecember 12, 2016 8:12 PM

Any information on how the researchers found it when it's "in development"? Is it live? Is it like a .pdf or .exe you can stick on a flash drive and run on someone else's computer?

AnonDecember 12, 2016 10:50 PM

Syria is a CF of propaganda. Until it is acknowledged that the West is perpetuating the war and supporting terrorists ("rebels"), it will never end.

In the time of encrypting ransomware, the best defence is offline (as in removable storage media) backups. If the system should then be infected, nuke the OS and start over.

The only people who lose to this are those who don't know how to copy/paste.

keinerDecember 13, 2016 3:07 AM

@ John Smith

RE: Raspberry

Hardware backdoors? Who knows... Nowadays more likely than not. Stay away from raspian cr*p, try something like opensuse TW or suse SLES. openWRT is supposed to run on raspberry hardware, while opnSense only runs on a raspi 1 (with 100% CPU-load with a WAN and a LAN interface).

I use them as Swiss army knives for local mailservers (status emails of routers etc.), NAS, running Wireshark, home control (aka IOT :-D ) with pilight software. Fun!

As I don't use them for browsing etc., they have no access to the internet by default. And keep them in their own network.

keinerDecember 13, 2016 3:09 AM

PS: Buy Raspi 2B (the new! one, with the same CPU as the Rapi 3B) and NOT the Raspi 3B, and you don't have to mess around with Bluetooth and Wifi... ;-)

DroneDecember 13, 2016 5:29 AM

Hah, no imagination. Popcorn Time is a dubious set-top-box/media-center plug-in (for e.g. Kodi). I think there was an actual piece of hardware associated with Popcorn Time at one point. If they're going to try and use my tv-box as malware vector, good luck - the nasty thing is bastioned. But there are millions of idiots out there that don't know any better! I'll watch out anyway. I don't have any friends, so I'd have to pay :-\

Fabius the DelayerDecember 13, 2016 8:31 AM


If you have evidence, then present it. Otherwise, be quiet and let the adults discuss this matter.

CTOguyDecember 13, 2016 6:36 PM

I doubt the Internet infrastructure in Syria supports reliable Ransomware payment transaction monitoring / receipts.

Mic FlexDecember 14, 2016 2:40 AM

@Ross Snyder: useful information and good food for thought. Excellently put, thankyou.

JamesDecember 14, 2016 4:37 AM

Someone may infect their friends, decrypting files, then getting same infection from their friends again.

JamesDecember 14, 2016 4:42 AM

Again regarding Popcorn Time ransomware It's good getting some additional victims, but not millions because if a ransomware team infects a small amount of people and then wait that they infect the world, they can close the business.

TJDecember 17, 2016 2:59 PM

Wait till a botnet owner starts offering bitcoin.. Hundreds or thousands of malware actors turn in to millions or even hundreds of million.. The "FUD crypter" market will boom and AV vendors will finally have to give their subscriber-bases what they pay for an make HIPS engines that are actually intended to be effective..

What am I saying? The economy is great and nobody needs currency.. Especially people in Euro-Asia.. They just write most of the botnets and mine most online-games there for entertainment.. The fifteen to forty percent unemployed in the US are too moral and that stuff only happens in Russia like US media repeatedly states..

TJDecember 18, 2016 12:56 PM

@r: If they went broke it'd only be when computing power and unique IP addresses had no value..

If you have tens of thousands of zombies twenty-five lines of javascript can have you retired for life inside four months.. It's kind of the reason they bother going through the production process of building botnets(mail campaigns, exploit kits, rootkits etc..)

If you take their wallets they just mask the next ones better and do an update from a C&C, and they have big-capital again withing a matter of hours..

Ever seen what a senior software engineer makes in Russia or Baltic nations? They have plenty incentive to break the law.

rDecember 18, 2016 1:17 PM


Oh, I know. That's why I dropped the link about the jpmorgan hacker being handed over to US authorities.

I think it was a timely reminder that there's a towline to pull.

TJDecember 18, 2016 1:44 PM

@r: The industry will do nothing to stay ahead of this.. Watch at some point some botnet owners will start BTC bounties for propagation and there will be a crisis inside three-months. AV vendors will respond with RCE blog posts and signatures and it'll do nothing just like now where you can still write malware in .NET with no advanced methods and get past kaspersky, norton, MS, and eset HIPS&signature engines..

rDecember 18, 2016 1:59 PM

Which is yet another reason why I am not appreciative of them or the situation we find ourselves in, it really is coming to a head.

Nice foxhole guys.

The whole international community needs to come together and expunge hactors like this, it's sick.

But who am I to judge? I'm likely just as maligned as the next man, why not I'm already blacklisted?

Anyways, this is why I get into yadda yadda yadda moments with the few people I still do computer work for.

The bounties aren't entirely scary, we can flip the script on them quickly if they're ever that stupid - was it you that was talking about a virtualized escape clause here? (I'll scroll up)

The statement about my virtual hand was an allusion to that, we could drain them very quickly with emulation.

rDecember 18, 2016 2:00 PM

But, they're already working on models immune to that type of attack - there's authors out there providing cuts on the action.

If I caught somebody distributing ransomware? I'd prolly end up with an assault charge.

rDecember 18, 2016 2:20 PM

'Ransomware crimewave is growing' (2016)

'Bitcoin is evil' (2013)(opinion)

There's an article within the last month about bitcoin's insuppressability in the face of centralized banking - as an evasion tactic against sanctions. It's borderless, while I think it's great what it's doing in Argentina and Africa and the Ukraine there are measurable downsides for stability. But I don't understand economics politics or bitcoin well enough to weigh in beyond that.

ISIS tried using it recently for solicitation of financing, I'm not particularly happy about how savvy they are turning out to be considering their armed drones.

TJDecember 19, 2016 1:48 PM

@r: Almost all ransomware(which is just software written in **anything** that keeps a RSA private key with it's HWID on a server(anyone got five-minutes and a mailing list?)) slips past 100% of AVs.

What companies like Kaspersky and Norton and Eset and others call a "sandbox" is hilarious. You put a simple .NET password stealer through a $300.00 "crypter" and you get 89%+ infection rates even without exploit kits or root kits..

But.. The industry **is** starting to see how "secure coding" in volume is a retarded concept simply because human element, and moving to putting remote-vectors in sandboxes while they do LTS. Google does this great with Chrome. Something like Sandboxie should just be in OEM.

TJDecember 19, 2016 1:52 PM

BTW this blog is putting "?nc=40#comment-6741121" after comment submission it should be "#comment-6741121" else it simply doesn't work..

rDecember 19, 2016 1:59 PM


Sandboxie is imperfect, I used to use it's api to infiltrate games.

It's good cover for games with things like warden.


TJDecember 20, 2016 2:31 PM

@r: Sandboxie is like one of four'ish generic sandboxes that even exist, and has the best dev-support I've seen. I think the others sub-contract stuff out to off-shore software houses who have some textbook WDK developers.

Linux jails and Windows ACL sandboxing are their only competition and those have no fine grained policy support.

I think I've seen **one** vuln in it since it launched, but maybe I've missed a few. 99% of malware developers are driver-illiterate and just copy and paste UAC and SSDP snippets off the internet and barely get them working..

rDecember 20, 2016 5:42 PM

I really like SandboxIE, but like Clive was saying about buildings on sand - something that is SandboxIE aware knows to shift it's aim to the host os.

It is VERY easy to be SandboxIE aware, it relies on library injection and patching (last time I checked) thankfully like you said most ransomware of game-coin style attacks aren't.

You really think the others are offshored? Lame!

That's a crime of passion imo.

rDecember 20, 2016 5:51 PM

relies, is a strong word. There's a subsystem driver installed too, but there's still tell-tale-process-signs of it's use.

But yeah, I don't think I've ever seen a -direct- escape?

rDecember 20, 2016 5:53 PM

You can make-use-of the user-level library injection to scrub the signs I was aware of, which is where it was fun for injection and multiple-instantiation.

rDecember 20, 2016 6:04 PM

DeepFreeze(?) however allowed a higher resistance to persistance as a whole-disk solution.

It's been a very long time 4 me.

TJDecember 21, 2016 12:11 PM

Deepfreeze is very old. I actually worked for Faronics for a short stint. It's just a volume integrity solution. It basically does cryptographic verification of boot-chain and volume by loading from the MBR and mapping volume loader and it's driver itself after. Once upon a time they had a major contract with the public school systems in the US.

You could defeat it with DKOM attacks and patching MBR, or offline. Schools had to lock down I/O to prevent offline attacks.

I'd actually use it with sandboxie if I held vital data on a Window system.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.