Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Netflix Login Generator Distributes Ransomware

A newly observed piece of ransomware is being distributed via a Netflix login generator, Trend Micro security researchers warn.

A newly observed piece of ransomware is being distributed via a Netflix login generator, Trend Micro security researchers warn.

Netflix is certainly a high-profile target for cybercriminals, given its subscriber base of 93 million users in more than 190 countries, and stolen credentials can be abused in various ways. Attackers often attempt to monetize compromised accounts by selling them on the dark web or by exploiting server vulnerabilities, but also for the distribution of Trojans to steal users’ financial and personal information.

The newest manner in which miscreants are leveraging stolen Netflix credentials is ransomware distribution, and the attack method is pretty straightforward. Interested parties are lured with free Netflix accounts via a login generator that has been packed with malicious code.

Detected as RANSOM_ NETIX.A, the ransomware is targeting Windows 7 and Windows 10 computers and terminates itself if it runs on a different platform variant. The login generator is a tool typically used in software and account membership piracy, which can be usually found on websites for cracked applications, Trend Micro explains.

When the user executes the Netflix login generator, the executable drops another copy of itself (netprotocol.exe) and executes. The program’s main window provides users with a button to generate logins, which displays another prompt window when clicked on. This second window supposedly presents the user with the login information of a genuine Netflix account.

However, these are fake prompts and windows, and the ransomware uses them to distract the user while it has already started to encrypt files in the background. The malware, security researchers say, targets 39 file types that could be found under the C:Users directory.

The ransomware uses AES-256 encryption and appends the .se extension to the affected files. After completing the encryption process, the malware displays ransom notes to the victim, demanding $100 worth of Bitcoin (0.18 BTC) from its victims.

The malware was also observed connecting to its command and control (C&C) servers to send and receive information (customizing the ID number, for instance) and to download the ransom notes. One of these notes is set as the wallpaper of the infected machine.

“Malefactors are diversifying the personal accounts they target. Phished Netflix accounts, for instance, are an attractive commodity because one can be used simultaneously by different IP addresses. In turn, the victim doesn’t immediately notice the fraud—as long as it’s not topping the device limit. This highlights the significance for end users to keep their subscription accounts safe from crooks,” Trend Micro notes.

This incident brings to the spotlight not only the importance of keeping good account security, to ensure one’s credentials don’t end up being used by malicious actors, but also the risks involved in pirating content. It’s not only the ransom amount that users should take into consideration when thinking about ransomware, but also the fact that there is a possibility that they might never get their files back, even if they pay.

“Bad guys need only hack a modicum of weakness for which no patch is available—the human psyche. Social engineering is a vital component in this scam, so users should be smarter: don’t download or click ads promising the impossible. If the deal sounds too good to be true, it usually is,” Trend Micro concludes.

Related: Fake Netflix App Takes Control of Android Devices

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.


Security researchers with Juniper Networks’ Threat Labs warn of a new Python-based backdoor targeting VMware ESXi virtualization servers.