SNSLocker Author Leaves C&C Server Credentials in Ransomware's Source Code

Exterminator (thread author)
Epic fails happen all the time, but in the world of infosec, there are very few that can top this one. As Trend Micro reported today, the author of the SNSLocker ransomware forgot the access credentials to his C&C (command and control) server in the ransomware's code.

The credentials provided Trend Micro researchers with full access to his master server, where they were able to recover the private encryption keys needed to unlock the files of all users infected with this ransomware variant.

While initially the mistake took researchers by surprise, in the end, they realized they were dealing with a less skilled malware coder, who didn't ever bother buying a VPS (Virtual Private Server), but kept his C&C server on a shared hosting provider, where it was susceptible to easy takedown requests.

SNSLocker appeared towards the end of May, and Trend Micro says it closely followed the pattern of all modern-day crypto-ransomware families.

There's the same dual AES-RSA encryption model, the classical lockscreen threat, the ransom note timer, and even the same ransom amount, with SNSLocker requesting $300, which is about the average payment demand.

The ransomware is coded in .NET Framework 2.0, and researchers say it managed to infect users all over the world, with a third of its victims in the US.

All clues point to a new ransomware actor that's just entering the market, and he may have just botched his entry.

Nice to hear some good ransomware news for a change!!!!
