New Ransomware Offers The Decryption Keys If You Infect Your Friends (bleepingcomputer.com)
MalwareHunterTeam has discovered "Popcorn Time," a new in-development ransomware with a twist. Gumbercules!! writes:
"With Popcorn Time, not only can a victim pay a ransom to get their files back, but they can also try to infect two other people and have them pay the ransom in order to get a free key," writes Bleeping Computer. Infected victims are given a "referral code" and, if two people are infected by that code and pay up -- the original victim is given their decryption key (potentially).
While encrypting your files, Popcorn Time displays a fake system screen that says "Downloading and installing. Please wait" -- followed by a seven-day countdown clock for the amount of time left to pay its ransom of one bitcoin. That screen claims that the perpetrators are "a group of computer science students from Syria," and that "all the money that we get goes to food, medicine, shelter to our people. We are extremely sorry that we are forcing you to pay but that's the only way that we can keep living." So what would you do if this ransomware infected your files?
Your "friends" don't have to be human. Get two blank hard drives, or even VMs on your favorite cloud server, and make those your "friends". They will be locked forever, but you can just wipe them and not lose any data.
Still a nasty trick though.
Wipe and restore from backup. Next!
aiding and abetting cyber-terrorists to decrypt your porn stash... gonna have a bad time :P
Sounds like a plot for the series...
So say we all
lol. Don't break an arm patting yourself on the back just because you don't use windows.
I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
I bet it blows your mind that the people they're fighting are also muslims.
If you watch a film, do you have to constantly ask other people in the room what's going on? It kinda sounds like you must. To be this confused about real world stuff, I'd have thought you'd need to be about seven years old or something.
There are a lot of people who backup to a network share, and others who keep only one copy of backups. Most ransomware will encrypt network shares as well. People who have only one copy are hoping nothing goes wrong at night; in the morning they'll have two copies of garbage.
I created a backup / warm spare system based on read-only rsync pull to a remote server that keeps several de-duplicated copies, and makes each backup bootable as a VM. I called it Clonebox.
1) my boss
2) my mother-in-law
I see this as win-win-win situation.
I bet it blows your mind that the people they're fighting are also muslims.
Because...?
I was walking across a bridge one day, and I saw a man standing on the edge, about to jump. I ran over and said: "Stop. Don't do it."
"Why shouldn't I?" he asked.
"Well, there's so much to live for!"
"Like what?"
"Are you religious?"
He said: "Yes."
I said: "Me too. Are you Christian or Buddhist?"
"Christian."
"Me too. Are you Catholic or Protestant?"
"Protestant."
"Me too. Are you Episcopalian or Baptist?"
"Baptist."
"Wow. Me too. Are you Baptist Church of God or Baptist Church of the Lord?"
"Baptist Church of God."
"Me too. Are you original Baptist Church of God, or are you Reformed Baptist Church of God?"
"Reformed Baptist Church of God."
"Me too. Are you Reformed Baptist Church of God, Reformation of 1879, or Reformed Baptist Church of God, Reformation of 1915?"
He said: "Reformed Baptist Church of God, Reformation of 1915."
I said: "Die, heretic scum," and pushed him off.
Religious wackos can rant and rave about people who believe in false gods or worse no gods at all, but worst of all are those who believe in a "perverted" version of their own god and those who've abandoned the faith. Not sure what your point is though, I care about how many people want to kill me, how many other people they want to kill is of lesser concern.
Live today, because you never know what tomorrow brings
So, everyone should just make sure %AppData%\been_here and %AppData%\server_step_one exist? :)
Who is going to save me from this dangerous hack?
Rege Dit.
My ism, it's full of beliefs.
Probably restore from last full backup. You do have backups, right?
-- Gaxx
"a group of computer science students from Syria," and that "all the money that we get goes to food, medicine, shelter to our people. We are extremely sorry that we are forcing you to pay but that's the only way that we can keep living."
This is a brilliant twist on malware. These are not people from Syria but rather a story concocted to try and have you help them. It's basically an alternate version of the "Nigerian Prince" that needs money to bribe his captors to release him. Logically, a person in a warzone cannot exchange bitcoin for money or goods which makes the whole thing implausible from the start. I would bet that when they tear the binary apart, they'll find that it's been compiled for the Russian locale.
So what would you do if this ransomware infected your files?
A) wipe your system
B) load Linux instead of Windows
C) restore files from backups
Anons need not reply. Questions end with a question mark.
Do they mean "friends" or people I have in my address book. There's a difference; a very distinct one.
Teach a man to phish...
We don't believe in radical loony monotheistic religions from the middle east -- we're Christians.
Who is going to save me from this dangerous hack?
Me, for a nominal fee* of course
*payable in advance, non refundable, results not guaranteed
Wanna buy a shirt?
https://www.redbubble.com/people/stealthfinger/shop?asc=u
Perhaps I can catch me some trolls. All I have to do is snooker them into going to the link and installing the ransomware on their machine. I'll just call it "a personal message from Putin on how you can help make Russia Great Again."
Seriously... it's like Amway. Or maybe it's the Herbalife virus.
Why isn't it mentioned anywhere the ransomware works on Windows and only on Windows? Is it to avoid another Windows-bashing? Or is it that obvious?
Slashdot, fix the reply notifications... You won't get away with it...
In the unlikely event this actually would happen, then I would restore.
My backups are secure. So I would restore from a backup. That wasn't too hard was it?
Backups work great for random acts of god but not necessarily for ransomware. It would be fairly trivial to create ransomware that slept a random amount of time before encrypting your files or even worse encrypt your files and then continue to function like normal for several weeks before alerting you. By that time, all your backups are also infected and even if you have a really old backup you won't have any of the recent stuff from that last several weeks or months since the initial infection. For all the people on here that are bragging about backups, even if you catch it the same day and restore it is still a huge pain and chances are if written properly it could easily be written in a way that the backups are also infected.
FOAD to the dirty crooks, break out the live USB Linux distro of gparted, wipe the drive with `sgdisk --zap-all /dev/sda`, then put in a new filesystem, reinstall my favorite flavor of Linux, and be glad I keep all my personal stuff on another USB thumbdrive
Politics is Treachery, Religion is Brainwashing
Based on the title I think we know exactly who is behind this malware; we don't have to look farther than the MPAA for the funding of this program.
Ask my government to nuke all Muslims.
But now I'm Swede so I'm not allowed to and we don't have any nukes anyway :D
If I ever met them, I WOULD KICK THEIR ASS. Lameness filter encountered. Post aborted! Filter error: Don't use so many caps. It's like YELLING.
Copyright (c) 1990 - 2014 Dice. All rights reserved. Use of this comment is subject to certain Terms and Conditions.
Hey guys, any of you want to try out this fantastic new software I've just got, let me give you a link, you can download it for free.
"That's the way to do it" - Punch
You are the stupidest person alive if you think any money goes to help anyone other than the writers of the ransomware.
I'm a good cook. I'm a fantastic eater. - Steven Brust
I must have been napping. When did Popcorn Time change from a pirate movie operation to a malware site? Early this year I was shocked when I found the long-time legitimate Vuze BitTorrent client switched to a malware model. (They infect your browser so ads pop up and redirect your pages to Yahoo sites -- they admit they did this on their blog as a revenue measure as though that makes it legit.)
Also when did Ozzy become an actor?
I don't understand. Your versioning file system can also be infected the same day?
Support my political activism on Patreon.
Backups work great for random acts of god but not necessarily for ransomware. It would be fairly trivial to create ransomware that slept a random amount of time before encrypting your files or even worse encrypt your files and then continue to function like normal for several weeks before alerting you. By that time, all your backups are also infected and even if you have a really old backup you won't have any of the recent stuff from that last several weeks or months since the initial infection. For all the people on here that are bragging about backups, even if you catch it the same day and restore it is still a huge pain and chances are if written properly it could easily be written in a way that the backups are also infected.
Of course its a pain, and no system is foolproof. My own personal backup system doesn't have offsite storage in a fireproof container inside a guarded vault. But there is that old saying about how perfection is the biggest enemy of good enough, which is the road you are on.
And since probably 80 percent of users have no backup at all, there is a lot of low hanging fruit before the bad guys get to multiple file backups and multiple image users.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
lol. Don't break an arm patting yourself on the back just because you don't use windows.
You have to admit, the installed user base of malware is best on Windows, those Mac Hipsters and Linux geeks are never going to catch up to you guys.
Shows you what scum the Reformed Baptist Church of God, Reformation of 1879 are.
The most dangerous drug
It would be kind of a massive giveaway when your files don't fit on the backup because so much has changed at once. Just doing a daily tar of everything is impractical in most cases so nearly every non-trivial backup system does incremental backups.
Since I do backups nightly on all home machines - format reinstall
no matter how good it is, it is human nature always wants to make things better
I have wondered about this for a while. These groups can't use cash due to it being easy to track in the mail and needing to receive the cash. They also can't do credit cards since that could be traced almost immediately and the account seized.
Does ransomware work on the scale it exists today or larger without crypto-currency? Right now I can't think of any way to have it work on a large scale without crypto-currency.
If ransomware really can't work without crypto-currency then this would have to be factored in as part of the cost of crypto-currency and it should be seriously looked at to decide if the costs are worth the benefits of the currency. I know we could not truly get rid of crypto-currency but if western countries did not allow any financial institutions to convert to or from crypto-currency and companies were banned from accepting it or paying that would effectively kill the currency.
Of course if ransomware could work fine without crypto-currency a different course of action is needed. I just see a systemic flaw right now that allows ransomware and attacking users is not going to fix the issue. Like all large scale issues if the flaw is systemic it must be fixed at the system level not at the user level. OS mitigation strategies should be seriously looked at also. Any application that tries to change large numbers of user files should be stopped quite quickly for suspicious activity.
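The comment above suggests an OS-level mitigation: stop any process that rewrites a large number of user files in a short time. The following is an added illustration of the heuristic, not code from Popcorn Time's analysis or from any product. It fingerprints a directory tree, then flags a later scan as suspicious when a large share of the files changed and the rewritten files now look like ciphertext (high byte entropy). The thresholds, function names and the sample documents are made up for the example; a real mitigation would hook file-system events per process and block it before the damage spreads rather than scanning afterwards.

```python
"""Heuristic mass-rewrite detector (added illustration, not a product).

Two signals are combined:
  * fraction of files whose content hash changed since the baseline scan
  * fraction of those rewritten files whose byte entropy looks like
    ciphertext or random data (close to 8 bits per byte)
Legitimate bulk edits rarely satisfy both; encryption by ransomware does.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for ciphertext/random bytes, ~4-5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def fingerprint_tree(root: str) -> dict:
    """Map each file's relative path to (sha256 hex digest, entropy of first 4 KiB)."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            out[os.path.relpath(path, root)] = (
                hashlib.sha256(data).hexdigest(),
                shannon_entropy(data[:4096]),
            )
    return out


def assess(before: dict, after: dict, max_changed=0.2, high_entropy=7.0) -> dict:
    """Compare two fingerprints. Suspicious when more than `max_changed` of the
    tree was rewritten AND most rewritten files now exceed `high_entropy`.
    Thresholds are illustrative assumptions, not tuned values."""
    changed = [p for p in before if p not in after or after[p][0] != before[p][0]]
    frac_changed = len(changed) / len(before) if before else 0.0
    rewritten_high = [p for p in changed if p in after and after[p][1] >= high_entropy]
    frac_high = len(rewritten_high) / len(changed) if changed else 0.0
    return {
        "changed_fraction": frac_changed,
        "high_entropy_fraction": frac_high,
        "suspicious": frac_changed > max_changed and frac_high > 0.5,
    }


def demo() -> dict:
    """Constructed scenario: 40 text files, a normal edit of three of them,
    then every file replaced by random bytes to mimic encryption."""
    with tempfile.TemporaryDirectory() as root:
        text = b"Meeting notes: review the backup rotation and test a restore.\n" * 40
        for i in range(40):
            with open(os.path.join(root, f"doc{i:02d}.txt"), "wb") as fh:
                fh.write(text)
        base = fingerprint_tree(root)

        # Normal activity: a user appends to three documents.
        for i in range(3):
            with open(os.path.join(root, f"doc{i:02d}.txt"), "ab") as fh:
                fh.write(b"Action item: rotate the offline backup drive.\n")
        normal = assess(base, fingerprint_tree(root))

        # Ransomware-like activity: every file overwritten with random bytes.
        for i in range(40):
            with open(os.path.join(root, f"doc{i:02d}.txt"), "wb") as fh:
                fh.write(os.urandom(len(text)))
        ransom = assess(base, fingerprint_tree(root))
    return {"normal": normal, "ransom": ransom}


if __name__ == "__main__":
    print(demo())
```

The entropy signal alone is not enough: already-compressed or encrypted files (JPEGs, ZIPs, an encrypted password database) look just as random as ciphertext, so a user saving a folder of photos would trip an entropy-only check. Tying it to the fraction of the tree rewritten, and in a real implementation to the single process doing the rewriting, is what keeps the false-positive rate tolerable.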
Computer modeling for biotech drug manufacturing is HARD!
"So what would you do if this ransomware infected your files?"
I'd restore from backups.
Just cruising through this digital world at 33 1/3 rpm...
Now ransomware has gained a new delightful social aspect
Appears we're looking at the unholy spawn of ransom-ware and multi-level-marketing. Fetch holy water and an axe.
It sounds like someone has watched Ringu too many times.
When someone says, "Any fool can see
And there he is - I thought you were dead or something - I've not read your mindless drivel on here in ages! I'd say "welcome back" but you're not.
Hosts files only work if you're the original victim; if your friend gets infected, opts to go the "free" route, and sends you the binary directly (because you tell him the site won't load for you) you're still stuck. Even worse, you might be more screwed if the ransomware cannot call home to verify payment after you do pay up.
Hosts files aren't a universal fix, bro. Sometimes you just need to keep offline backups.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
Sounds a lot like a pyramid scheme -- this could be illegal.
But, I wanted socialized health insurance!
What? Windows only?
I don't know. Currently I don't have a spare physical machine on which I'm willing to test it in Wine.
My own personal backup system doesn't have offsite storage in a fireproof container inside a guarded vault.
And since probably 80 percent of users have no backup at all, there is a lot of low hanging fruit before the bad guys get to multiple file backups and multiple image users.
It's not about the quality of the backup. It's that, in order to propagate effectively, a virus needs to lie low for a while so that it can get to multiple systems. If it immediately bricks your system then it can't propagate. This means that by the time it announces to you that you are infected you have likely been infected for quite a while, so all your backups are also infected. If you're lucky and your backup files aren't already encrypted then it might be possible to clean the backup before you restore it, but that's assuming a person even knows enough about the virus to know where it is hiding to be able to remove it from the backup before restoring.
It's that, in order to propagate effectively, a virus needs to lie low for a while so that it can get to multiple systems. If it immediately bricks your system then it can't propagate.
Great, now you've told the crypto malware guys how to really screw us. Thanks a lot, jerk!
WTB [sig], PST!!!
I created a backup / warm spare system based on read-only rsync pull to a remote server that keeps several de-duplicated copies, and makes each backup bootable as a VM. I called it Clonebox.
Do you have a HOWTO or similar? I want to set up something like this with a new server (best practices from the start, so I hope)
Right now I can't release the documentation because the company I used to work for sells it, with off-site backups to their cloud. If you remind me a month from now, I may be able to release something.
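Since the Clonebox documentation isn't available, here is an added illustration of the snapshot-and-deduplicate half of that design, written for this thread; it is not Clonebox and not any project's code. It mimics what `rsync --link-dest` does: each backup run produces a complete directory tree, but files whose content is unchanged since the previous snapshot are hard-linked to it instead of copied, so keeping many versions costs little space and an old snapshot still holds cleartext after a later run backs up encrypted files. It also reports what fraction of a snapshot had to be really copied, which is the "massive giveaway" another comment mentions: a ransomware run rewrites nearly everything at once. Function names and the sample tree are assumptions made for the example; the "pull" and "bootable VM" parts of Clonebox are not shown.

```python
"""Hard-link snapshot backups in the style of `rsync --link-dest`.

Added illustration for the thread, not the Clonebox tool. Each run creates
repo/snap-NNNN containing the whole source tree; unchanged files are hard
links into the previous snapshot, changed files are fresh copies.
"""
import filecmp
import os
import shutil
import tempfile


def _snapshots(repo: str) -> list:
    return sorted(d for d in os.listdir(repo) if d.startswith("snap-"))


def take_snapshot(source: str, repo: str) -> str:
    """Create a new snapshot of `source` under `repo` and return its path."""
    snaps = _snapshots(repo)
    prev = os.path.join(repo, snaps[-1]) if snaps else None
    dest = os.path.join(repo, f"snap-{len(snaps) + 1:04d}")
    for root, _dirs, files in os.walk(source):
        rel = os.path.relpath(root, source)
        os.makedirs(os.path.join(dest, rel), exist_ok=True)
        for name in files:
            src_path = os.path.join(root, name)
            dst_path = os.path.join(dest, rel, name)
            prev_path = os.path.join(prev, rel, name) if prev else None
            # Byte-for-byte identical to the previous snapshot: share the inode.
            if prev_path and os.path.isfile(prev_path) and filecmp.cmp(src_path, prev_path, shallow=False):
                os.link(prev_path, dst_path)
            else:
                shutil.copy2(src_path, dst_path)
    return dest


def changed_fraction(repo: str, snap: str) -> float:
    """Fraction of files in `snap` that are real copies rather than hard links
    to the previous snapshot. Near 1.0 on a normal day is a red flag."""
    snaps = _snapshots(repo)
    idx = snaps.index(snap)
    if idx == 0:
        return 1.0
    prev, cur = os.path.join(repo, snaps[idx - 1]), os.path.join(repo, snap)
    total = changed = 0
    for root, _dirs, files in os.walk(cur):
        rel = os.path.relpath(root, cur)
        for name in files:
            total += 1
            p = os.path.join(prev, rel, name)
            c = os.path.join(root, name)
            if not os.path.exists(p) or os.stat(p).st_ino != os.stat(c).st_ino:
                changed += 1
    return changed / total if total else 0.0


def demo() -> dict:
    """Constructed scenario: 20 documents, one edit, then a mass rewrite."""
    with tempfile.TemporaryDirectory() as tmp:
        src, repo = os.path.join(tmp, "home"), os.path.join(tmp, "repo")
        os.makedirs(src)
        os.makedirs(repo)
        for i in range(20):
            with open(os.path.join(src, f"file{i:02d}.txt"), "w") as fh:
                fh.write(f"document {i}\n" * 50)
        take_snapshot(src, repo)                       # snap-0001, everything copied

        with open(os.path.join(src, "file00.txt"), "a") as fh:
            fh.write("one more line\n")                # a normal day: one file edited
        s2 = take_snapshot(src, repo)                  # snap-0002, 19 of 20 hard-linked
        after_edit = changed_fraction(repo, os.path.basename(s2))

        for i in range(20):                            # simulated ransomware run
            with open(os.path.join(src, f"file{i:02d}.txt"), "wb") as fh:
                fh.write(os.urandom(600))
        s3 = take_snapshot(src, repo)                  # snap-0003, everything copied again
        after_ransom = changed_fraction(repo, os.path.basename(s3))

        with open(os.path.join(repo, "snap-0001", "file05.txt")) as fh:
            restored_ok = fh.read() == "document 5\n" * 50   # old snapshot intact
        shared = sum(
            1 for i in range(20)
            if os.stat(os.path.join(repo, "snap-0001", f"file{i:02d}.txt")).st_ino
            == os.stat(os.path.join(repo, "snap-0002", f"file{i:02d}.txt")).st_ino
        )
    return {"after_edit": after_edit, "after_ransom": after_ransom,
            "restored_ok": restored_ok, "shared_links": shared}


if __name__ == "__main__":
    print(demo())
```

The reason the original comment stresses a read-only pull matters here: because snapshots share inodes, a client that can write into the repository could overwrite one linked file and corrupt every snapshot that shares it. The backup host should reach into the client (rsync over ssh with a key that only reads), and the client should hold no credentials for the repository at all; that is what keeps the old snapshots clean when the client itself has been running ransomware for weeks.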
If the file is encrypted "data", you can restore it to yesterday. If it is binary executable, restoring it to a few months ago shouldn't be that painful. Then you checksum the executables, add in updates, and you're good to go.
For the virus to be effective it has to be executed at some point. So you restore those to last known safe date. The data, which isn't executed isn't going to be re-sourcing the virus any time soon.
Backups aren't an indivisible thing unless you are using MS's image backups -- which is why I only keep programs on my MS machines and keep the data on a separate Linux machine. Sure, it's a pain to reinstall Win, but it's certainly doable while saving your data.
So what would you do if this ransomware infected your files
Simple: I'd restore from my backups. Don't have backups? Then you are a fool.
Nice story, but you've kinda missed the point.
"The people they're fighting are other Muslims" - that's not the important bit. The important bit is the corollary: almost all the people who are in the front lines fighting against ISIS are Muslims.
They're also all humans, so we ought to kill all humans, everywhere.
How does the hosts file protect you before the threat has been discovered and its host and C&C domains have been added to the hosts file? There will always be a patient zero; and this encrypts regardless of whether it can talk to the C&C server, so you're double screwed if it can't phone home.
Or could I include an enemy or two as well? Can the "friends" include VMs of which I just took a rollback snapshot a few moments ago?
There are many copies and most of them are offline.
Plus, they are encrypted themselves, and only mounted during the actual backup window.
So the malware needs to be really smart to catch that window, and then it has to be smart enough to catch the verify cycle.
Again, none of this matters. A virus doesn't need to know anything about your backups, your backup windows, your encryption or even whether the backups exist to infect them. In order for a virus to be effective it has to lie low for a while so that it has time to propagate. It's the reason that ebola is not really a huge issue: it kills too fast. By the time that a virus announces to you that you are infected, likely all your backups are also infected. It just has to wait a few weeks for you to back up your system like normal. Now once you discover that the virus is there, the backups are static copies, so if you're lucky they aren't encrypted yet, but in order to prevent them from getting encrypted you have to locate all copies of the virus on the backup and remove them before you restore. If it's an older well-known virus and you can identify it then you might get lucky and find a tool that can clean your backup. The other option would require a person to dissect the backup and figure out where the virus is hiding, which is beyond the skillset of most users.
So what would you do if this ransomware infected your files?
I would find considerable pleasure in hunting down the instigator.