Popcorn Time: A New Scheme in Ransomware

Posted by Mark Greisiger

A Q&A with Asaf Cidon of Barracuda

The recent reports about Popcorn Time—a ransomware attack that involves a Ponzi scheme encouraging targets to in turn spread the malware to contacts—show that criminals are becoming ever more creative in their approaches to cybersecurity exploits. I spoke with Asaf Cidon, VP of Content Security at Barracuda about Popcorn Time and what companies need to know about the current threats from hackers.

Can you describe how the Popcorn Time attack works?
It’s basically a Ponzi scheme. The most common attack vector is email. Hackers will send an attachment that can take various forms—the most common is Office documents—and embedded inside it is malicious code. Once the user clicks the file, the macro triggers the malicious code and it goes out to a fixed IP address which sends it instructions to encrypt files on the hard drive. In this case, the attackers request a ransom to be paid in Bitcoin or the user can “pay” for their files to be decrypted by helping to infect other companies on the network.
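The lure described above depends on an Office attachment that carries a VBA project, and a mail gateway can refuse or hold such attachments before anyone clicks. The following is an added example, not code from the interview or from Barracuda: it inspects an OOXML package in memory for the `vbaProject.bin` part and the macro-enabled content type, flags a macro-bearing file that has been renamed to a macro-free extension, and routes legacy binary (OLE) files to a separate parser rather than passing them. The sample packages it builds are constructed placeholders, not real malware, and the quarantine policy is an assumption for illustration.

```python
"""Flag Office attachments that carry VBA macros before they reach a user.

Added example (not from the interview): inspects an OOXML (.docx/.docm/
.xlsx/...) attachment in memory and reports whether it carries a VBA
project, the kind of payload a macro lure relies on.
"""
import io
import zipfile
from dataclasses import dataclass, field

# Real OOXML content types Office assigns to macro-enabled main parts.
MACRO_ENABLED_MAIN_TYPES = {
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-word.template.macroEnabledTemplate.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-excel.template.macroEnabled.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml",
}
# Compiled VBA lives in a part named vbaProject.bin (under word/, xl/ or ppt/).
VBA_PART_NAME = "vbaproject.bin"
# Extensions that are supposed to be macro-free.
MACRO_FREE_EXTENSIONS = {"docx", "dotx", "xlsx", "xltx", "pptx", "potx"}
# Magic bytes of the legacy OLE compound file format (.doc/.xls, pre-2007).
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"


@dataclass
class MacroVerdict:
    has_vba_part: bool = False
    macro_enabled_type: bool = False
    extension_mismatch: bool = False
    legacy_ole: bool = False
    reasons: list = field(default_factory=list)


def inspect_office_attachment(filename: str, data: bytes) -> MacroVerdict:
    """Report what the package itself says about macros, not what the name says."""
    verdict = MacroVerdict()
    if data.startswith(OLE_MAGIC):
        # Legacy binary format: macros sit in OLE streams, not a zip. This
        # checker does not parse them, so hand such files to a stream-level
        # VBA parser instead of delivering them unchecked.
        verdict.legacy_ole = True
        verdict.reasons.append("legacy OLE container; needs stream-level VBA inspection")
        return verdict
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        verdict.reasons.append("not an OOXML package")
        return verdict
    names = zf.namelist()
    if any(n.lower().endswith(VBA_PART_NAME) for n in names):
        verdict.has_vba_part = True
        verdict.reasons.append("package contains a vbaProject.bin part")
    if "[Content_Types].xml" in names:
        content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        if any(ct in content_types for ct in MACRO_ENABLED_MAIN_TYPES):
            verdict.macro_enabled_type = True
            verdict.reasons.append("main part declares a macroEnabled content type")
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    if ext in MACRO_FREE_EXTENSIONS and (verdict.has_vba_part or verdict.macro_enabled_type):
        # A .docm renamed to .docx still carries its macros; the extension lies.
        verdict.extension_mismatch = True
        verdict.reasons.append(f"extension .{ext} should be macro-free but package is not")
    return verdict


def should_quarantine(verdict: MacroVerdict) -> bool:
    """Assumed policy: hold anything that carries VBA or cannot be inspected here."""
    return verdict.has_vba_part or verdict.macro_enabled_type or verdict.legacy_ole


# Constructed sample packages (placeholders, not real malware) for a stand-alone run.
_PLAIN_MAIN = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
_MACRO_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"


def build_sample_package(with_macro: bool) -> bytes:
    """Build a minimal Word OOXML zip; the VBA part is a dummy blob."""
    main_type = _MACRO_MAIN if with_macro else _PLAIN_MAIN
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
        f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
        "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x01\x16\x01\x00placeholder-vba")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("quarterly-report.docx", build_sample_package(with_macro=False)),
        ("invoice.docm", build_sample_package(with_macro=True)),
        ("invoice.docx", build_sample_package(with_macro=True)),  # renamed .docm
        ("old-memo.doc", OLE_MAGIC + b"\x00" * 64),  # constructed legacy header
    ]
    for name, blob in samples:
        v = inspect_office_attachment(name, blob)
        action = "QUARANTINE" if should_quarantine(v) else "deliver"
        print(f"{name:22s} {action:10s} {'; '.join(v.reasons) or 'no macro indicators'}")
```

The check reads the package rather than trusting the filename, because the attachment's extension is under the sender's control while the `[Content_Types].xml` part and the `vbaProject.bin` part are what Office actually acts on. Legacy `.doc`/`.xls` files are deliberately not passed: their macros are in OLE streams this code does not parse, so the policy treats "cannot inspect" the same as "has macros".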

Why is this worrying?
We see that ransomware attackers are trying to find new tricks. As with WannaCry, the ransomware lands on a certain account within an organization but the intent is for it to spread through the network. When you’re talking about small companies and organizations, an attack on this scale can bring major heat and potentially put them out of business. These attacks are effective because people are more likely to open files from a familiar address—as opposed to someone advertising Viagra—and these hackers are very good at impersonating familiar people, particularly people of authority. If a general manager gets an email from a CEO they are more inclined to respond and respond quickly, and these hackers know that. We have no way to know how many people have in turn agreed to infect others, though I suspect more people paid the ransom.

What other trends are you seeing?
We’re seeing more sophisticated ransomware attacks combined with phishing and spearphishing—for example, there was a case when a mortgage company was infiltrated and the attackers sat on it for a while and waited until a deal was about to be executed. They then sent an email to the customer requesting a wire transfer to a bank. In general the ransomware itself is not that groundbreaking—it still relies on unpatched Windows versions, but there is much more inventiveness about how to use that foothold once they get it. We are looking at longer term situations where social engineering is netting attackers tens of thousands to millions of dollars. We’re also seeing attacks on social media and chats, so there’s a new wave of vectors to look out for.

What can companies be doing to avoid this situation?
Everybody needs to deploy ransomware protection, but even if you’re protected with software you have to guard against social engineering attacks. So that’s not just about getting the latest version of Windows and a security platform. We are launching our own product called Barracuda Sentinel to prevent spearphishing, which has a multipronged, comprehensive approach and offers tools to train employees. These threats aren’t going away and we need to stay on top of the ways attackers can get in and compromise our cybersecurity.

In summary… 
We want to thank Mr. Cidon for his expert insights into the Popcorn Time ransomware threat, which underscores the malware’s ability to morph and reinvent itself to evade detection. He points out the potentially severe impact on a small organization, for which an encrypted network could cripple operations. The key safeguards, although not perfect, are: patch your systems constantly; train your staff; and deploy newer security software solutions such as Barracuda Sentinel and AppRiver.

See related interview(s) with other experts (Chris Novak, Verizon) in Junto on ransomware threats and trends.