New ransomware distribution model: Infect two “friends”, unlock your files for free

In our previous blogs, we looked at how ransomware has moved from being malware that cyber criminals run themselves to extort money from victims to being a service that anybody who wants to launch such attacks can rent (read more here). This evolution lets ransomware service providers increase their revenue with the least effort, by leveraging a network of ransomware operators who launch their own attacks and share the proceeds.

Now a new ransomware family is trying out another distribution model aimed at maximising profit: using the victim’s social connections to spread exponentially, in exchange for free decryption of the victim’s data. The idea borrows from the well-known retail promotion “bring two friends and get a discount” and works in much the same way.

How does it work?

In essence, this ransomware behaves exactly like any other ransomware family. It gets onto the system through well-known vectors such as phishing email, encrypts the files on the computer and then displays a ransom note. The difference is that the note contains a new option: the victim can have the files decrypted for free by infecting two more users with the ransomware package, who in turn either pay the ransom or infect two more users themselves, and so on.

Infecting others is done by passing on a link to the ransomware installer, encoded with the victim’s identification parameter so that new infections can be attributed to the person who shared the link. Victims who choose this option are encouraged to share the link on social media, by email, etc. If two or more different users install the package and pay the ransom (or further add to the pool of victims by using the “spreading” option themselves), the victim receives a code that unlocks the files for free. The criminals added a precaution to make sure this option is not abused by guessing codes: the encryption key is deleted if a wrong code is entered four times, after which the files are lost for good.
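The referral bookkeeping described above, as an added illustrative model rather than code from the malware or from this blog: it records which victim’s link a new victim installed from, counts a referral only once that victim has paid or has in turn recruited enough paying victims, releases the unlock code once two referrals count, and deletes the key after four wrong codes. The link format, the identifier and code lengths and the `example.invalid` host are assumptions; the real ransomware’s link format is not given on this page.

```python
"""Hypothetical operator-side model of the "infect two friends" offer.

Not the malware's code: it only tracks referrals and unlock codes,
following the rules described in the text above."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import parse_qs, urlparse

MAX_WRONG_CODES = 4      # key is deleted after the fourth wrong code
REFERRALS_REQUIRED = 2   # two counted referrals earn a free unlock


@dataclass
class Victim:
    victim_id: str
    unlock_code: str                  # released to the victim once earned
    referred_by: Optional[str] = None
    paid: bool = False
    wrong_attempts: int = 0
    key_deleted: bool = False
    unlocked: bool = False


class ReferralLedger:
    # Assumed link format; the page does not give the real one.
    BASE_URL = "http://example.invalid/get"

    def __init__(self) -> None:
        self.victims: Dict[str, Victim] = {}

    def register(self, referred_by: Optional[str] = None) -> Victim:
        """A fresh infection; the referrer, if any, is taken from the link used."""
        v = Victim(victim_id=secrets.token_hex(4),
                   unlock_code=secrets.token_hex(8),
                   referred_by=referred_by)
        self.victims[v.victim_id] = v
        return v

    def referral_link(self, victim_id: str) -> str:
        """The shareable link carries the sharing victim's identifier."""
        return f"{self.BASE_URL}?ref={victim_id}"

    def infect_via_link(self, link: str) -> Victim:
        """Parse the identifier out of a shared link and attribute the new victim."""
        ref = parse_qs(urlparse(link).query).get("ref", [None])[0]
        if ref not in self.victims:
            raise ValueError("unknown referrer in link")
        return self.register(referred_by=ref)

    def pay(self, victim_id: str) -> None:
        self.victims[victim_id].paid = True

    def converted(self, victim_id: str) -> bool:
        """A referral counts if that victim paid, or recruited enough
        counted referrals of their own (the chained "spreading" option)."""
        v = self.victims[victim_id]
        return v.paid or self.counted_referrals(victim_id) >= REFERRALS_REQUIRED

    def counted_referrals(self, victim_id: str) -> int:
        return sum(1 for v in self.victims.values()
                   if v.referred_by == victim_id and self.converted(v.victim_id))

    def free_unlock_code(self, victim_id: str) -> Optional[str]:
        """The code is released only once the referral threshold is reached."""
        if self.counted_referrals(victim_id) >= REFERRALS_REQUIRED:
            return self.victims[victim_id].unlock_code
        return None

    def submit_code(self, victim_id: str, code: str) -> str:
        """Returns 'unlocked', 'wrong' or 'key_deleted'."""
        v = self.victims[victim_id]
        if v.key_deleted:
            return "key_deleted"
        if secrets.compare_digest(code, v.unlock_code):
            v.unlocked = True
            return "unlocked"
        v.wrong_attempts += 1
        if v.wrong_attempts >= MAX_WRONG_CODES:
            v.key_deleted = True     # four strikes: key gone, files unrecoverable
            return "key_deleted"
        return "wrong"
```

The `converted` rule is what makes the scheme a pyramid: a victim who never pays still counts for their referrer as soon as they have recruited two counted referrals of their own.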

Why is it more profitable than common ransomware?

Typical ransomware reaches its victims mainly through phishing campaigns or malicious websites. These methods have costs, so there is an average price per acquired victim that the cyber criminals must cover in order to distribute their software. Such campaigns have a medium to low rate of success, especially against environments that run email or web filtering technology.

The pyramid scheme used by this new type of ransomware involves infecting a certain number of initial victims and then motivating them to distribute the malware further. This lowers the cost per acquired victim because, starting from a relatively small base of victims, their total number may grow exponentially. It is also more effective, because victims spread the malware to their own contacts through social media or email, and a message from a known contact has a much better chance of getting past spam filters.

Hence, with the pyramid distribution scheme, costs and effort decrease as victims take over distribution. The criminals pay only to acquire the primary victims, and from there the malware spreads virally over legitimate channels.

Pyramidal victim acquisition scheme for ransomware

In general, a pyramid scheme promises to deliver services or benefits to participants for enrolling others in the plan. It is economically unsustainable, because it depends on the pool of participants growing exponentially, and it collapses as soon as recruitment stalls. Since the criminals promise no payout (only to return the victim’s own files for free), that downside of the pyramid model does not affect them: they benefit from the exponential growth of the pool of victims (each of whom may pay the ransom) while investing far less in distributing and spreading their ransomware.
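To see when the “lower cost per acquired victim” claim actually holds, here is an added expected-value model; it is not from the original post. It assumes the operator pays a fixed price per primary victim, and that each victim shares the link with a given number of contacts, a fraction of whom install. The product of those two figures is the effective reproduction number R of the scheme: the pool grows exponentially only while R is above 1, and below 1 the pyramid stalls after a few generations. All the figures used are constructed.

```python
"""Expected-value model of referral spread versus paid phishing distribution.
Added illustration with constructed parameters; not the blog's own figures."""
from typing import List, Tuple


def reproduction_number(shares_per_victim: float, install_rate: float) -> float:
    """Average number of new victims each victim recruits via the shared link."""
    return shares_per_victim * install_rate


def referral_generations(primary: int, shares_per_victim: float,
                         install_rate: float, generations: int) -> List[float]:
    """Expected new victims per generation.

    Generation 0 is the cohort the operator paid for (phishing, malicious
    sites); every later generation is recruited by the previous one."""
    r = reproduction_number(shares_per_victim, install_rate)
    cohort = float(primary)
    out = []
    for _ in range(generations + 1):
        out.append(cohort)
        cohort *= r
    return out


def cost_per_victim(budget: float, cost_per_phished_victim: float,
                    shares_per_victim: float, install_rate: float,
                    generations: int) -> Tuple[float, float]:
    """(cost per victim with plain phishing, cost per victim with the referral
    scheme) for the same budget. Only generation 0 costs the operator anything."""
    primary = int(budget // cost_per_phished_victim)
    total = sum(referral_generations(primary, shares_per_victim,
                                     install_rate, generations))
    return budget / primary, budget / total


if __name__ == "__main__":
    # Constructed scenario: 1000 units buys 100 phished victims; each victim
    # shares with 10 contacts of whom 20% install, so R = 2.
    plain, viral = cost_per_victim(1000.0, 10.0, 10, 0.2, generations=3)
    print(f"plain phishing: {plain:.2f} per victim, referral: {viral:.2f}")
    # Same budget, but contacts rarely install (R = 0.4): the pyramid stalls.
    plain, stalled = cost_per_victim(1000.0, 10.0, 2, 0.2, generations=3)
    print(f"R below 1: {stalled:.2f} per victim, barely better than {plain:.2f}")
```

The defensive reading of this model is that the scheme’s economics hinge entirely on `install_rate`: every contact who refuses to run a link that arrived unsolicited, even from a friend, pushes R toward the point where the pyramid collapses at the criminals’ expense.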

Popcorn Time

Popcorn Time, which has no apparent connection to the Popcorn Time P2P application, is a new, still-in-development ransomware family discovered by MalwareHunterTeam. It implements the pyramid distribution approach described in this article: it asks for one bitcoin in exchange for the decryption key, but also gives victims a link they can share, and promises to decrypt the files for free if two or more other victims who install through that link pay the ransom. Read more technical details here.

How we can help

TEMASOFT develops advanced anti-ransomware software that detects and blocks most present and future ransomware and allows file recovery if an attack succeeds. This technology will soon be available. For more information, follow us on social media and subscribe to our newsletter.