Popcorn Time targets Windows OS and is currently in-development so the distribution method is unknown. It does, however, offer victims a chance to “win” a free decryption key by spreading the ransomware using a “referral link” and infecting others. Once a system has been infected, it will first look for files such as %AppData%\been_here and %AppData%\server_step_one to see if the system has already been infected. If not, it begins encrypting files using AES-256 and appending .filock to targeted file names. Popcorn Time then drops ransom notes named restore_your_files.html and restore_your_files.txt. The ransom payment demand is 1 Bitcoin.
- Bleeping Computer provides more information about Popcorn Time here.
- The NJCCIC is not currently aware of any free decryption tool available for Popcorn Time.