Any user who finds themselves infected with the Popcorn Time malware (named after, but unrelated to, the bittorrent client) is offered the ability to unlock their files for a cash payment, usually one bitcoin ($772.67/£613.20).
But they also have a second option, described by the developers as “the nasty way”: passing on a link to the malware. “If two or more people install this file and pay, we will decrypt your files for free”.
The affiliate marketing scheme was discovered by security researchers MalwareHunterTeam. For now, it’s only in development, but if the software gets a full release, its innovative distribution method could lead to it rapidly becoming one of the more widespread variants of this type of malware.
Like most ransomware, Popcorn Time, encrypts the key files on the hard drive of infected users, and promises the decryption key only to those users who pay up (or infect others). But the code also indicates a second twist: the ransomware may delete the encryption key entirely if the wrong code is entered four times. The in-development software doesn’t actually contain the code to delete the files, but it contains references to where that code would be added.
Advice varies as to what users who are infected with ransomware should do. Most law enforcement organisations recommend against paying the ransoms, noting that it funds further criminal activities, and that there is no guarantee the files will be recovered anyway (some malware attempts to look like ransomware, but simply deletes the files outright).
Many security researchers recommend similarly, but some argue that it should not be on the individual victim to sacrifice their own files for the sake of fighting crime at large. Some ransomware has even been “cracked”, thanks to the coders making a variety of mistakes in how they encrypt the hard drive. Petya and Telecrypt are two types of malware that have been so defeated.