Popcorn Time Ransomware – Remove It and Restore .filock Files - How to, Technology and PC Security Forum | SensorsTechForum.com

Popcorn Time Ransomware – Remove It and Restore .filock Files

This article contains instructions on how to remove PopCorn Time ransomware and restore the .filock encrypted files.

Ransomware, offering free decryption key to victims if they infect two other people has been reported to have increased infection rate on unsuspecting victims. The virus demands 1 BTC from it’s victims and it has a screen pretending to be downloading and installing Windows updates, while in fact, the virus encrypts the files on the affected computers. Popcorn Time Ransomware is a virus that somehow has the name of a legitimate p2p program named Popcorn Time which aims to give users the ability to watch their favorite TV-shows for free with a click of a button and using torrent mechanisms. It has nothing to do with the ransomware Popcorn Time. In case you have become a victim of this virus, we strongly advise you to read the following article and hence learn how to remove this malware from your computer and try to restore your files without having to pay the ransom.

Image Source: Flickr

Threat Summary


Popcorn Time Ransomware

Short DescriptionVirus that has the same name as the legitimate program Popcorn Time. Encrypts files and ask a sum for decryption. Also offers to infect two other users to decrypt the files for free/
SymptomsThe user may witness ransom notes and “instructions” linking to an e-mail for contact. Changed file-extension has been used to .filock.
Distribution MethodVia an Exploit kit, Dll file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.
Detection Tool See If Your System Has Been Affected by Popcorn Time Ransomware


Malware Removal Tool

User ExperienceJoin our forum to Discuss Popcorn Time Ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

How Does Popcorn Time Infect

To cause a massive infection, PopCorn Time may take a different approach than the typical ransomware virus. The malware begins with infecting users via spam e-mails that may resemble legitimate e-mails from services like Amazon, PayPal, and others. These e-mails may have attachments on them along with a convincing body of the e-mail to open those attachments. As soon as the user opens such attachments, he becomes immediately infected by Popcorn Time ransomware, and the files are encrypted.

What is interesting in this particular case is that the ransom note of the virus aims to convince the victim to infect two other victims to get their computer decrypted for free:

This new method of infection is outsourcing the spread of the ransomware on a user level, which is free and may prove to be very widespread with time and taken by many other ransomware makers.

Popcorn Time – Post-Infection Activity

As soon as this virus infects your computer it may immediately drop it’s malicious modules on several folders of Windows, like:

  • %AppData%
  • %Temp%
  • %Roaming%
  • %Local%

In addition to this, the virus may also modify several registries for those malicious files to run at Windows startup. For this to happen the Run and RunOnce registry keys may be used. After the malicious files have ran, the Popcorn Time virus begins to exhibit a behavior; that resembles Windows Update screen:

During this screen, the Popcorn Time virus begins to encrypt videos, pictures, databases, virtual drives and documents as well as files associated with often used software. After encryption, the files’ code is replaced with symbols generated by an advanced encryption cipher which releases a decryption key. This key may either be stored in an encrypted format on the compromised computer or be sent via POST UDP or TCP traffic to the command and control (C2) servers, belonging to the cyber-criminals. The encrypted files by Popcorn Time ransomware have the .filock file extension added to them and in they may look like the following:

After the encryption the virus leaves it’s conventional ransom note which has instructions on how to pay the sum of 1.0 BitCoin and change to it from actual money.

However, this virus also makes you turn on your buddies, offering to infect others instead of paying the ransom yourself. This nasty type of technique may have just worked for the cyber-criminals behind Popcorn Time ransomware because more and more infections are reported by this virus since the begging of December.

Popcorn Time Ransomware – Conclusion, Removal and File Restoration Suggestions

To successfully get rid of Popcorn Time ransomware, users are advised to be extremely careful and use a professional malware removal software to successfully and fully remove the Popcorn Time ransomware from the infected computer. We have prepared instructions below to help users cope with this situation.

To decrypt your files, dummy computers or virtual drives may be used to cause an infection by this ransomware and get your files decrypted by fooling the cyber-criminals you have succeeded. However, if this does not work, then we suggest to attempt out the alternative file recovery methods we have provided in step “2. Restore files encrypted by Popcorn Time Ransomware” below. Bear in mind that they are not fully tested, so you should backup your encrypted files before giving them a try.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share