While SNSLocker isn't a stand-out crypto-ransomware in terms of routine or interface, its coarse and bland façade hid quite a surprise. After looking closer at its code, we discovered that this ransomware contains the credentials used to access its own server.
We also found out that they used readily-available servers and payment systems. This shows that the authors behind SNSLocker are in it for the same reason a lot of cybercriminals have moved to ransomware: easy setup of systems for massive infection, and quick return of income. However, they were either too quick or they aren't investing much in the operation, given that they left their credentials out in the open (the credentials have also been shared on social media by other security researchers). We have reported this finding to law enforcement agencies.
SNSLocker (detected as RANSOM_SNSLOCKER.A) has features that are used by most crypto-ransomware families, such as the timer, the threat, the encryption capability, the payment link, and the ransom amount (in this case, 300 USD).
Figure 1. SNSLocker lockscreen
SNSLocker is written in pure .Net Framework 2.0 with several popular libraries such as Newtonsoft.Json and MetroFramework UI. Its core also leverages the Microsoft .Net Crypto API to save time.
Figure 2. SNSLocker written in .Net Framework 2.0
As mentioned earlier, within the ransomware's code are strings that provide the location of the malware's server and the login credentials needed to access it. Leaving or forgetting the password there means that almost anyone can access the server. The data that was publicly accessible also included the decryption key.
Figure 3. Server credentials left in the code
Setting Up and Spreading SNSLocker
Based on our findings, the attacker signed up with a free hosting provider and used it as the command and control (C&C) and payment server. This means that maintaining the account cost the author almost nothing. SNSLocker also uses a legitimate crypto-currency gateway to accept payments. This shows that the author didn't bother spending time customizing this.
Finally, SNSLocker's server also revealed its reach across regions. At the time of analysis, the victim distribution cut across the globe, making it a possible global threat. It also showed that the United States had the largest number of affected users.
Figure 4. SNSLocker infection distribution
SNSLocker shows how rampant ransomware is at the moment. Cybercriminals can get systems up and running and have global reach in no time at all. Regardless of whether cybercriminals make use of wide distribution platforms, ransomware-as-a-service (RaaS), or run small operations by themselves, ransomware is where the money is.
Trend Micro Solutions
Trend Micro offers different solutions to protect enterprises, small businesses, and home users to help minimize the risk of getting affected by ransomware, such as SNSLocker.
The Trend Micro Crypto-Ransomware File Decryptor Tool is a free tool that can decrypt certain variants of crypto-ransomware, including SNSLocker, without paying the ransom or using the decryption key.
Enterprises can benefit from a multi-layered, step-by-step approach in order to best mitigate the risks brought by these threats. Email and web gateway solutions such as Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security prevent ransomware from ever reaching end users. At the endpoint level, Trend Micro Smart Protection Suites deliver several capabilities, like behavior monitoring, application control, and vulnerability shielding, that minimize the impact of this threat. Trend Micro Deep Discovery Inspector detects and blocks ransomware on networks, while Trend Micro Deep Security™ stops ransomware from reaching enterprise servers, whether physical, virtual or in the cloud.