Ransomware Leaves Server Credentials in its Code

Share this…

While SNSLocker isn’t a stand-out crypto-ransomware in terms of routine or interface, its coarse and bland façade hid quite a surprise. After looking closer at its code, we discovered that thisransomware contains the credentials for the access of its own server.

We also found out that they used readily-available servers and payment systems. This shows that the authors behind SNSLocker are in it for the same reason a lot of cybercriminals have moved to ransomware: easy setup of systems for massive infection, and quick return of income. However, they were either too quick or they aren’t investing that much on the operation when they left their credentials out in the open (the credentials have also been shared in social media by other security researchers). We have reported this finding to law enforcement agencies.

SNSLocker (detected as RANSOM_SNSLOCKER.A) has features that are used by most crypto-ransomware families such as the timer, the threat, the encryption capability, the payment link, and the ransom amount (in this case amounts to 300 USD).

Figure 1. SNSLocker lockscreen

SNSLocker is written in pure .Net Framework 2.0 with several popular libraries such as Newtonsoft.Json and MetroFramework UI. Its core also leverages on Microsoft .Net Crypto API to reduce time.

Figure 2. SNSLocker written in .Net Framework 2.0

As mentioned earlier, within the ransomware’s code are strings that provide the location of the malware’s server and the login credentials needed to access it. Leaving or forgetting the password there means that almost anyone can access the server. The data that was publicly accessible also included the decryption key.

Figure 3. Server credentials left in the code

Setting Up and Spreading SNSLocker
Based on our findings, the attacker applied for a free hosting provider and used it as its command and control (C&C) and payment server. This means that maintaining the account cost the author almost nothing. SNSLocker also uses a legitimate crypto-currency gateway to accept payments. This shows that the author didn’t bother spending time to customize this.

Finally, we also saw the reach of SNSLocker throughout the regions through its server. At the time of analysis, the victim distribution cuts across the globe, making it a possible global threat. It also showed that the United States has the most number of affected users.

Figure 4. SNSLocker infection distribution

SNSLocker shows how rampant ransomware is at the moment. Cybercriminals can get systems up and running and have global reach in no time at all. Regardless if cybercriminals make use of wide distribution platforms, ransomware-as-a-service (RaaS), or do small operations by themselves, ransomware is where the money is at.

Trend Micro Solutions

Trend Micro offers different solutions to protect enterprises, small businesses, and home users to help minimize the risk of getting affected by ransomware, such as SNSLocker.

The Trend Micro Crypto-Ransomware File Decryptor Tool, is a free tool that can decrypt certain variants of crypto-ransomware, including SNSLocker, without paying the ransom or the use of the decryption key.

Enterprises can benefit from a multi-layered, step-by-step approach in order to best mitigate the risks brought by these threats. Email and web gateway solutions such as Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security prevents ransomware from ever reaching end users. At the endpoint level, Trend Micro Smart Protection Suites deliver several capabilities like behavior monitoring and application control, and vulnerability shielding that minimize the impact of this threat. Trend Micro Deep Discovery Inspector detects and blocks ransomware on networks, while Trend Micro Deep Security™ stops ransomware from reaching enterprise servers–whether physical, virtual or in the cloud.