How to Remove Popcorn Time Virus

What is Popcorn Time Virus?

Popcorn Time virus is ransomware that encrypts files, and appends the “.kok” or “.filock” file extensions to the end of each files it encrypts.

REMOVE POPCORN TIME NOW!

 

Table of Contents

Overview

Names Distribution
Popcorn Time virus, Popcorn Time ransomware Email, Exploit Kits, Social Media

The Popcorn Time virus is ransomware that is predominantly distributed by malicious email messages that contain deceptive links or malicious attachments. The malicious email attachments are usually a.zip file or fake Microsoft Word document file. If files from the .zip file are manually extracted it will unpack another file such as a JavaScript file. When the JavaScript file is manually executed by the user it will cause the malware to spread across the machine and enter the encryption process.

Targeted File Extensions

.mid, .wma, .flv, .mkv, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .qcow2, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .tar.bz2, .tbk, .bak, .tar, .tgz, .rar, .zip, .djv, .djvu, .svg, .bmp, .png, .gif, .raw, .cgm, .jpeg, .jpg, .tif, .tiff, .NEF, .psd, .cmd, .bat, .class, .jar, .java, .asp, .brd, .sch, .dch, .dip, .vbs, .asm, .pas, .cpp, .php, .ldf, .mdf, .ibd, .MYI, .MYD, .frm, .odb, .dbf, .mdb, .sql, .SQLITEDB, .SQLITE3, .asc, .lay6, .lay, .ms11 (Security copy), .sldm, .sldx, .ppsm, .ppsx, .ppam, .docb, .mml, .sxm, .otg, .odg, .uop, .potx, .potm, .pptx, .pptm, .std, .sxd, .pot, .pps, .sti, .sxi, .otp, .odp, .wks, .xltx, .xltm, .xlsx, .xlsm, .xlsb, .slk, .xlw, .xlt, .xlm, .xlc, .dif, .stc, .sxc, .ots, .ods, .hwp, .dotm, .dotx, .docm, .docx, .DOT, .max, .xml, .txt, .CSV, .uot, .RTF, .pdf, .XLS, .PPT, .stw, .sxw, .ott, .odt, .DOC, .pem, .csr, .crt, .key, wallet.dat

This ransomware encrypts files that match certain file extensions with RSA-2048 and AES-128 ciphers. The encryption process will render the files inaccessible to the user. The encrypted files are appended the new file extension and file type, and the file name will become randomized or given a pattern such as [unique_id][identifier].kok or [unique_id][identifier].filock. A ransom note (or series of ransom notes) named restore_your_files.html (or other) will then be dumped in every folder the virus encrypted files in and on Windows desktop. In addition, Windows desktop will change to an image of the ransom note and an image file of the ransom note will also be left in every folder the virus encrypted files in.

Screenshot

popcorn time virus

Ransom Note Example

Warning Message!!
We are sorry to say that your computer and your files have been encrypted, but wait, don’t worry. There is a way that can restore your computer and all of your files. When countdown ends your files will be lost forever.
You must send at least [AMOUNT] Bitcoin to our wallet and your will get your files back.
Your personal unique ID: -
Send [AMOUNT] BTC to this address:
Warning Message!!
********************
We are sorry to say that your computer and your files have been encrypted,
but wait, don’t worry. There is a way that you can restore your computer and all of your files.
****************************************************************************************************
Your personal unique ID: -
You must send at least - Bitcoin to address - to get your files back
Warning! ! ! If you will not pay for the next 7 days, the decryption key will be deleted and your files will be lost forever.
****************************************************************************************************
Restoring your files - The fast and easy way
To get your files fast, please transfer - Bitcoin, to our wallet -. When we will get the money we will immediately give your your private decryption key. Payment should be confirmed in about 2 hours after payment made.
Restoring your files - The nasty way
Send the link - below to other people, if two or more people will install this files and pay, we will decrypt your files for free.
What we did?
We had encrypted all of your important images, document, videos and all other files on your computer. We used a very strong encryption algorithm that used by all governments all over the world. We store your personal decryption code to your files on our servers and we are the only ones that can decrypt your files. Please don’t try to be smart, anything other than payment will cause damage to your files and the files will be lost forever! ! ! If you will not pay for the next 7 days, the decryption key will be deleted and your files will be lost forever.
What we do that?
We are a group of computer science students from Syria, as you probably know Syria is having bad time for the last five years. Since 2011 we have more the half million people died and over 5 million refugees. Each member of our team has lost a dear from his family. I personally have lost both my parents and my little sister in 2015. The sad part is that the world remained silent and no one helping us so we decided to take an action.
How to buy Bitcoins?
If you aren’t familiar with Bitcoin and don’t know what is it. Please visit the official Bitcoin website (https://bitcoin.org/en/getting-started), follow the steps and you’ll get your Bitcoins. To understand more you can check also on the FAQ page (https://bitcoin.org/en/faq). Please check this website (https://coinatmradar.com) where you can find Bitcoin ATM all over the world.
List of encrypted files on your computer -

It is suggested to avoid paying ransomware authors to decrypt your files. Instead, third-party programs Shadow Explorer, PhotoRec, or Recuva can be used to potentially recover files encrypted by this virus. A user may also be able to retrieve encrypted files by performing a system restore to a date and time before the infection occurred.

Removal Software

Name Detection Download
Malwarebytes Anti-Malware Ransomware Download (Free) | Buy
HitmanPro by Surfright Ransomware Download (Free)

Decryption Software

Decryption Software

File Recovery Software

Name Description Download
Shadow Explorer Restores lost or damaged files from Shadow Copies Download (Free)
Photorec Recovers lost files Download (Free)
Recuva Recovers lost files Download (Free) | Buy

Troubleshoot

Alternative methods are suggested if there are issues removing Popcorn Time ransomware from an infected computer.

How to Restore your computer

If a restore point has previously been established on your machine you will be able to perform a system restore in order to restore your machine to a date and time before it was infected. You will lose files on your computer that were obtained prior to the restore point.

There are several options to restore your computer. Most computers have their own restore software that can be found by performing a search. Additionally, computers that run the Windows Operating System have a default restore program that can also be found by performing a search.

A boot screen that can be used to access options to restore your computer can be reached by rebooting your computer and pressing the F8 key once the manufacture screen is displayed.

How to Recover your computer to factory settings

A system recovery (or reset) will recover your computer to factory settings. You will lose the current programs and files on your computer.

There are several options to recover your computer to factory settings. Most computers have their own recovery software that can be found by performing a search. Additionally, computers that run the Windows Operating System have a default recovery program that can also be found by performing a search.

A boot screen that can be used to access options to restore your computer can be reached by rebooting your computer and pressing the F8 key once the manufacture screen is displayed.