Popcorn Time Ransomware Introduces Pyramid Scheme for Free Decryption
Severity: Medium (Score: 54.8)
Sources: www.wired.com, www.bleepingcomputer.com, Digitaljournal, www.theguardian.com
Keywords: popcorn, time, ransomware, free, malware, discovered, decryption
Severity indicators: ransomware, malware
Summary
A new ransomware variant named Popcorn Time has emerged, discovered by MalwareHunterTeam. This malware offers victims a chance to avoid paying a ransom by infecting two other people, who must also pay the ransom for the original victim to receive a free decryption key. The ransomware encrypts files on the victim's computer and demands payment, typically in Bitcoin. If the victim enters the wrong decryption key four times, the ransomware may delete their files, although this feature is still under development. Popcorn Time is currently in the wild, posing a credible threat to users. Security experts are uncertain about the effectiveness of its unique referral mechanism for spreading infections. The malware is not related to the legitimate Popcorn Time streaming application. Users are advised against paying ransoms, as there is no guarantee of file recovery.
Key Points:
- Popcorn Time ransomware allows victims to avoid ransom by infecting others.
- The malware may delete files after four incorrect decryption attempts.
- Experts are skeptical about the effectiveness of the malware's referral strategy.
Detailed Analysis
**Impact** Popcorn Time ransomware targets individual users by encrypting files in common directories such as My Documents, My Pictures, My Music, and the desktop. The ransom demand is approximately one bitcoin (~$773). The malware's unique pyramid scheme incentivizes victims to infect others, potentially increasing infection rates across multiple sectors and geographies, though no specific numbers or industries are reported. Data at risk includes personal and business files with targeted extensions, encrypted using AES-256.

**Technical Details** The ransomware is delivered via email or compromised websites. It encrypts files with AES-256, appends a .filock extension to each encrypted file, and displays a lock screen with a unique victim ID and bitcoin address. The malware includes a referral system in which a victim receives a free decryption key if two referred victims pay the ransom. The code contains unfinished functionality that may delete files after four incorrect decryption attempts. The malware checks for prior execution using files in %AppData%. It communicates with a TOR server that hosts the ransom notes and referral links. No CVEs or specific infrastructure indicators are provided.

**Recommended Response** Defenders should monitor for the creation of files with the .filock extension and for the presence of the %AppData%\been_here or %AppData%\server_step_one files. Block known TOR server domains associated with the ransomware's ransom notes if identified. Educate users to avoid clicking unknown links, especially those received via email or suspicious websites. Maintain up-to-date backups of critical data, and avoid paying ransoms: decryption is not guaranteed, and files may be deleted after failed decryption attempts. No patches or CVE mitigations are currently applicable.
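The host check described under Recommended Response, as an added example that is not part of the source reporting: it looks for the two %AppData% marker files and walks user folders for .filock files. The function names, verdict labels and the sample profile are assumptions made for illustration; on a real Windows host, pass `Path(os.environ["APPDATA"])` and the user's document folders.

```python
"""Host sweep for the Popcorn Time indicators named in this brief (added example)."""
import os
import tempfile
from pathlib import Path

# Indicators taken from the brief above.
MARKER_FILES = ("been_here", "server_step_one")  # prior-execution markers in %AppData%
ENCRYPTED_SUFFIX = ".filock"                     # extension appended to encrypted files


def find_markers(appdata: Path) -> list:
    """Return the execution-marker files present directly under appdata."""
    return [appdata / name for name in MARKER_FILES if (appdata / name).is_file()]


def find_encrypted(roots: list) -> list:
    """Walk each root and return files ending in .filock (case-insensitive, as on NTFS)."""
    hits = []
    for root in roots:
        # os.walk skips directories it cannot read, so one ACL denial does not stop the sweep
        for dirpath, _dirs, files in os.walk(root):
            hits += [Path(dirpath) / f for f in files if f.lower().endswith(ENCRYPTED_SUFFIX)]
    return sorted(hits)


def assess(appdata: Path, roots: list) -> dict:
    """Combine both checks into one triage verdict (labels are this example's own)."""
    markers, encrypted = find_markers(appdata), find_encrypted(roots)
    if encrypted:
        verdict = "encryption-observed"
    elif markers:
        verdict = "executed-no-encrypted-files-found"
    else:
        verdict = "clean"
    return {"verdict": verdict, "markers": markers, "encrypted": encrypted}


def build_sample_profile(base: Path) -> tuple:
    """Constructed sample profile (not real telemetry) so the sweep runs offline."""
    appdata, docs = base / "AppData" / "Roaming", base / "Documents"
    (docs / "tax").mkdir(parents=True)
    appdata.mkdir(parents=True)
    (appdata / "been_here").touch()
    (docs / "notes.txt").touch()
    (docs / "tax" / "2016.xlsx.FILOCK").touch()
    return appdata, [docs]


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(assess(*build_sample_profile(Path(tmp))))
```

A marker file without any .filock files still warrants investigation, since it indicates the binary ran even if encryption did not complete or the sweep did not cover the affected folders.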
Source articles (4)
- Popcorn Time ransomware encourages you to infect your friends — Digitaljournal · 2026-06-05
  The malware is called Popcorn Time after the entirely unrelated piracy app. It was discovered by the MalwareHunterTeam research group and has a unique characteristic that differentiates it from other…
- New Ransomware Victims Popcorn Time Malware — www.theguardian.com · 2026-06-06
  Popcorn Time malware offers users free removal if they get two other people to install link and pay. A new ransomware variant has been discovered using an innovative system to increase infections: the…
- New Scheme Spread Popcorn Time Ransomware Get Chance Of Free Decryption Key — www.bleepingcomputer.com · 2026-06-06
  Yesterday a new in-development ransomware was discovered by MalwareHunterTeam called Popcorn Time that intends to give victims a very unusual, and criminal, way of getting a free decryption key for t…
- Popcorn Time Ransomware — www.wired.com · 2026-06-06
Timeline
- 2026-06-05 — Popcorn Time ransomware discovered: MalwareHunterTeam identified a new ransomware variant that encourages victims to infect others for free decryption.
- 2026-06-06 — Popcorn Time ransomware details published: BleepingComputer reports on the unique features of Popcorn Time, including its referral scheme and potential file deletion feature.
- 2026-06-06 — Guardian reports on Popcorn Time malware: The Guardian highlights the pyramid scheme aspect of the ransomware and the risks associated with it.
Related entities
- Ransomware (Attack Type)
- txt.it (Domain)
- Petya (Malware)
- Popcorn Time (Malware)
- Telecrypt (Malware)
- T1486 - Data Encrypted for Impact (MITRE ATT&CK)
- Tor (Platform)