grandeduc - Fotolia

News Stay informed about the latest enterprise technology news and product updates.

Unique threat offers victims ransomware decryption to spread infections

New unpublished ransomware includes a number of unique tactics including offering victims ransomware decryption keys in exchange for infecting more targets.

Ransomware is one of the biggest cyberthreats of the year and malicious actors are keen to prove they have more innovative approaches, including persuading victims to collaborate in actively spreading the infection.

A new ransomware variant called Popcorn Time was discovered on the deep web and a study of the threat has found a number of unique characteristics. According to a breakdown by Bleeping Computer, the ransomware has some standard features like encrypting files on a target system and offering the ransomware decryption key if a fee is paid.

However, a victim could also receive a ransomware decryption key by spreading the infection. If a victim shares a link to the Popcorn Time ransomware to two other people who pay the ransom, the original victim will get the decryption key. But if a victim inputs an incorrect decryption key four times, the ransomware will begin deleting files.

Brian Laing, vice president of business development and products at Lastline, the cybersecurity company based in Redwood City, Calif., said "ransomware is the vector for innovative small or solo actors right now in the malware universe."

"This is a new approach we have not seen before -- essentially giving victims the opportunity to become accomplices in the crime, in lieu of paying cash, in order to have one's files decrypted. One would only hope that this approach is ineffectual," Laing told SearchSecurity. "Most malware we have seen designed to strike a viral effect simply gain control of the users' contact catalog so this is a curious approach."

Bobby Kuzma, systems engineer for cybersecurity company Core Security based in Roswell, Ga., said ransomware is the "business model to beat" and profit-minded threat actors will find innovative strategies to generate income.

"The multilevel marketing-ish aspect of giving you a key in lieu of payment for spreading the infection is innovative," Kuzma told SearchSecurity. "It makes my inner black hat smile. Repugnant and morally bankrupt, but innovative."

Richard Henderson, global security strategist at Absolute Software, the endpoint security company headquartered in Vancouver, said he worried about vindictive people who may take advantage of this option.

"You could kill two birds with one stone -- infect people you have a grudge with, and get yourself out of jail (so to speak) at the same time." Henderson told SearchSecurity via email. "That situation aside though, there are a lot of unsavvy people out there who will blindly follow instructions, and will send out infection attempts to their entire social world. That's bound to hook new fish. The bottom line is that it turns the victims into the affiliates, who have been paid in the past to spread infections."

Travis Smith, senior security research engineer at Tripwire, the security software company based in Portland, Ore., said the consequences of trading two more victims for a ransomware decryption key could be more dire than people think.

"Infecting a machine you do not own is considered a criminal act in most parts of the world, and can be punishable by much more than the cost of the decryption keys," Smith told SearchSecurity. "The risk/reward is heavily in favor of the ransomware author for this scheme, which is what makes it an enticing endeavor for them."


Another unique aspect of Popcorn Time that appeared to be a tactic to get more victims to infect others was in the ransom note, which claimed those behind the ransomware are "computer science students from Syria" and all the money received would go to aid those affected by the war in Syria.

"Be perfectly sure that all the money that we get goes to food, medicine, shelter to our people," the ransom note read. "We are extremely sorry that we [are] forcing you to pay, but that's the only way we can keep living."

Experts were generally intrigued by the ransom note, but said there was little reason to believe the promise of charity was anything more than a ploy to get more money.

Ben Herzberg, security group research manager at Imperva, the cybersecurity software vendor based in Redwood Shores, Calif., said, "This is not the first time that cybercriminals are using so called 'good causes' in order to justify their actions and, again, increase their ROI. The short answer is: It's not charity when someone's pointing a gun at you."

Henderson said there's no real evidence yet to prove it either way.

"You have to almost begrudgingly applaud their unique and novel way of attempting to earn some money," Henderson said. "To people struggling to survive in war-torn places like Syria, you can understand why they may resort to such extreme measures to get by. With that being said, it's just as likely that it's someone just making the claim in order to attempt to further convince victims to pay the ransom."

Barry Shteiman, director of threat research at Exabeam, the cybersecurity intelligence company based in San Mateo, Calif., said he didn't completely believe the note.

"If someone is going through the effort of hiding, writing code, building an infrastructure, there is profit involved. This may be a strategic marketing decision where the majority of revenue goes to actually help people in need, and that way you get more people to actually pay ransom," Shteiman told SearchSecurity. "However, even for nonprofits there is the 'cost of doing business' so the hacking group might just say 'this will help us get better results even if our own profit is lower, so let's do it this way.'"

Smith said the answer was simple: "Donate, don't decrypt."

"Without a paper trail it's tough to validate claims that profits from a ransomware, or any cybercriminal campaign are going anywhere but the perpetrators pockets," Smith said. "If you are concerned with the needs of others, it's best to donate directly rather than rely on the honor of a criminal."

Next Steps

Learn more about when paying the ransom may sometimes be the only option.

Find out how to prevent ransomware or recover from a ransomware breach.

Get info on how CryptXXX ransomware spreads through legitimate websites.

Dig Deeper on Malware, virus, Trojan and spyware protection and removal