Kevin Stear

Popcorn-Time Ransomware

Blog Post created by Kevin Stear Employee on Dec 16, 2016

During the week of Dec 12th, FirstWatch took a look at popcorn-time ransomware and its novel approach for a 'viral' attack vector...


Popcorn-time executables function much like other typical ransomware, encrypting important files on a victim's machine and demanding 1BTC payment for a decryption key.  Where popcorn-time deviates from typical ransomware campaigns, is it's attempt to exploit the very worst of human nature...  By that I mean, victims who forward a tor2web proxy link (e.g., https://3hnuhydu4pd247qb[.]onion, aka a popcorn-time download site) to 'friends and family' can receive a free decryption key if two of their 'referrals' are infected and pay the 1BTC ransom.  It's like a bad chain letter; yet, this approach gives popcorn-time a viral component to its attack vector that significantly extends both the longevity and fiduciary return of its campaign.


As part of the effort to evaluate the ransomware's operational infrastructure, we developed a basic yara signature (see figure 1) for popcorn-time and pulled hashes via VirusTotal retrohunt.  


Figure 1: popcorn-time yara signature

popcorntime yara


This signature (admittedly somewhat basic) successfully returns popcorn-time VirusTotal submissions from November and early December, which were observed with typical network callbacks to downloader and malvertising domains.  For example, md5 383c368ae33c530da36ffae0bceec80e was active at the end November and observed with DNS lookups and a TCP connection out to popcorn-time-free[.]net.  It is hypothesized that many of the popcorn-time related domains are 302 redirecting traffic to tor2web download sites for victim infection.  The maltego snapshot below is representative of the campaign's IP and Domain infrastructure (with enrichment from pDNS, certificate and domain registrations, open source intelligence, etc) as it relates to these earlier VirusTotal (VT) submissions. 


Figure 2: popcorn-time infrastructure

some Popcorn Time infrastructure...


During the analysis of this segment of operational infrastructure, we gleaned approximately 300 indicators of compromise (IOCs) that have been pushed into Live under the FirstWatch C2_IPs and C2_DOMAINs (threat.source = 'rsa-firstwatch', threat.category = 'crimeware', and threat.desc = 'popcorn-time').  Although not pictured above, it's worth mentioning that a this infrastrucutre has some times to past Conficker and clickjacker campaigns (e.g., JS/Faceliker deliveries from 1e100[.]net).


In somewhat stark contrast, evidence of popcorn-time's viral component begins to appear in VT submissions during early-to-mid December, where related hashes were observed with absolutely no network connections (e.g.,  It is believed that this second wave of submissions is representative of 'referral' victims, who may have clicked on a tor2web link emailed to them by their once favorite now dirtbag cousin.  


An important note on tor2web proxies, popcorn-time joins recent Cerber and EK campaigns (e.g., Cerber) that increasingly leverage tor services, an obvious step towards obfuscation from security researchers and conventional network defense approaches.  While FirstWatch is aggressively researching capabilities to better mitigate the evolving use of Tor infrastructure in crimeware, the interim recommendation is to block all traffic to and from .TOR and .ONION domains.


Thanks for the continued support from Michael Sconzo, Ray Carney, and Rotem Salinas, and a special thanks to MalwareHunterTeam @malwrhunterteam for all the DMs.



RSA FirstWatch banner