Ransomware Wiki

Popcorn Time Ransomware Overview

Security experts detected a new malware threat known as the Popcorn Time ransomware. At the time of its discovery it was still in development. 

Upon infection, the virus not only encrypts the target data and extorts the victim but also blocks ordinary use of the computer by installing a screenlocker.

Popcorn Time Ransomware Note

There are several samples, and each of them displays a slightly different ransom note.

First example: 

Warning Message!!

We are sorry to say that your computer and your files have been encrypted, but wait, don’t worry. There is a way that you can restore your computer and all of your files

06 Days 23:59:09 Hours

When countdown ends your files will be lost forever

You must send at least [BAMOUNT] Bitcoin to our wallet and you will get your files back

Your personal unique ID: [UID] Send [BAMOUNT] BTC to this address: [WADDRESSS]

After you’ve made the payment, you will get a code, please insert it here:

……………… [Decrypt]

Second example:


Restoring your files – The fast and easy way

To get your files fast, please transfer 1.0 Bitcoin to our wallet address 1LeiPgvh6S9VEXWV2dZTytSRd7e9B1bWt3. When we will get the money, we will immediately give you your private decryption key. Payment should be confirmed in about 2 hours after payment made.

What we did?

We had encrypted all of your important images, documents, videos and all other files on your computer. We used a very strong encryption algorithm that used by all governments all over the world (Encryption – Wikipedia). We store your personal decryption code to your files on our servers and we are the only ones that can decrypt your files. Please don’t try to be smart, anything other than payment will cause damage to your files and the files will be lost forever!!!

If you will not pay for the next 7 days, the decryption key will be deleted and your files will be lost forever.

Restoring your files – The nasty way

Send the link below to other people, if two or more people will install this file and pay, we will decrypt your files for free.

https://3hnuhydu4pd247qb.onion.to/r/0e72bfe849c71dec4a867fe60c78ffa5

Why we do that?

We are a group of computer science students from Syria, as you probably know Syria is having bad time for the last 5 years. Since 2011 we have more the half million people died and over 5 million refugees. Each part of our team has lost a dear member from his family. I personally have lost both my parents and my little sister in 2015. The sad part of this war is that all the parts keep fighting but eventually we the poor and simple people suffer and watching our family and friends die each day. The world remained silent and no one helping us so we decided to take an action. (Syria War in Wikipedia)

Be perfectly sure that all the money that we get goes to food, medicine, shelter to our people.

We are extremely sorry that we forcing you to pay but that’s the only way that we can keep living.

Popcorn Time Ransomware Distribution

The Popcorn Time ransomware samples were not collected from live attacks, and according to the initial security analysis, the virus was still under development at the time of discovery.

However, we presume that infection sources include the typical spam email campaigns, exploit kit attacks, browser hijackers, etc.

Popcorn Time Ransomware Removal

In-depth removal instructions and detailed technical information about the virus can be found on Best Security Search.