While SNSLocker isn’t a stand-out crypto-ransomware in terms of routine or interface, its coarse and bland façade hid quite a surprise. After looking closer at its code, we discovered that this ransomware contains the credentials for the access of its own server.
We also found out that they used readily-available servers and payment systems. This shows that the authors behind SNSLocker are in it for the same reason a lot of cybercriminals have moved to ransomware: easy setup of systems for massive infection, and quick return of income. However, they were either too quick or they aren’t investing that much on the operation when they left their credentials out in the open (the credentials have also been shared in social media by other security researchers). We have reported this finding to law enforcement agencies.