SNS Locker

Malware

⚠️ Overview

SNS Locker is a ransomware strain first documented in August 2016 by security researchers at BleepingComputer and Malwarebytes, categorized as a file-encrypting ransomware that targets Windows systems primarily in Spanish-speaking regions, with its operators remaining unidentified as of 2023.

🔧 Technical Capabilities

SNS Locker propagates through spam email campaigns containing JavaScript or VBScript attachments that, when executed, download the ransomware payload from a remote server, often using compromised websites as distribution points. Once running, it enumerates local drives and network shares, encrypts files with a combination of AES-256 (for file content) and RSA-2048 (for key encryption), appending the .sns extension to affected files. For persistence, it adds a registry Run value at HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SNS Locker pointing to the malicious executable, and it deletes Volume Shadow Copies using the command vssadmin.exe Delete Shadows /All /Quiet to prevent file recovery. Evasion techniques include checking for sandbox environments, disabling Windows Defender via PowerShell commands, and using the Tor network for C2 communication to hide ransom payment sites and encryption key retrieval. The ransom note is displayed as a full-screen HTML window that changes the desktop wallpaper, demanding 0.5–1 Bitcoin (~$300–500 at the time) for decryption.

📜 History & Notable Incidents

First appearing in August 2016, SNS Locker primarily impacted individual users and small businesses in Spain, Mexico, and other Latin American countries, with campaigns peaking in late 2016 and early 2017. No high-profile corporate victims or law enforcement takedowns have been publicly recorded, though the malware’s code shares similarities with the earlier Locker ransomware family (MITRE ATT&CK reference T1486 for data encrypted for impact). The malware did not exploit any specific CVEs, relying instead on social engineering to deliver its payload via email attachments.

🔍 Detection Indicators

Behavioral indicators include the creation of the registry value HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SNSLocker, the presence of a mutex named Global\SNSLockerMutex, and deletion of shadow copies via vssadmin. Network indicators involve connections to Tor hidden services with onion addresses listed in ransom notes, and User-Agent strings typical of a Windows scripting host downloading encrypted payloads (e.g., Mozilla/5.0 for JavaScript-based droppers). No widely published static file hashes are available, but the ransomware binary often presents a file size of approximately 200–300 KB with compilation timestamps matching 2016.
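The three host-based behaviours named in the Technical Capabilities and Detection Indicators sections (the HKCU Run value, the vssadmin shadow-copy deletion, and the burst of .sns renames) can be turned into detection logic and correlated per process. The script below is an added example written for this page, not code from the original page or from Boteraser; the JSON-lines telemetry, its Sysmon-like field names (event, pid, parent_pid, image, command_line, target_object, target_filename, details) and the process IDs are constructed for illustration. It goes slightly beyond the page by attributing the vssadmin child process back to its parent, so that the shadow-copy deletion counts against the process that spawned it rather than against vssadmin.exe itself.

```python
"""Detection logic for the SNS Locker behavioural indicators listed above.

Added example; the JSON-lines telemetry, its Sysmon-like field names and the
process IDs are constructed for illustration, not taken from the page.
"""
import json
from collections import Counter

# Constructed sample: one infected session (pid 4120 and its vssadmin child 4133)
# mixed with benign activity that must not trigger (vssadmin List, OneDrive Run value,
# a single stray .sns file).
SAMPLE_EVENTS = r"""
{"event":"process_create","pid":4120,"image":"C:\\Users\\ana\\AppData\\Roaming\\update.exe","command_line":"update.exe"}
{"event":"registry_set","pid":4120,"target_object":"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SNS Locker","details":"C:\\Users\\ana\\AppData\\Roaming\\update.exe"}
{"event":"process_create","pid":4133,"parent_pid":4120,"image":"C:\\Windows\\System32\\vssadmin.exe","command_line":"vssadmin.exe Delete Shadows /All /Quiet"}
{"event":"file_rename","pid":4120,"target_filename":"C:\\Users\\ana\\Documents\\factura.docx.sns"}
{"event":"file_rename","pid":4120,"target_filename":"C:\\Users\\ana\\Documents\\nomina.xlsx.sns"}
{"event":"file_rename","pid":4120,"target_filename":"C:\\Users\\ana\\Pictures\\foto1.jpg.sns"}
{"event":"file_rename","pid":4120,"target_filename":"C:\\Users\\ana\\Pictures\\foto2.jpg.sns"}
{"event":"file_rename","pid":4120,"target_filename":"C:\\Users\\ana\\Documents\\contabilidad.mdb.sns"}
{"event":"file_rename","pid":4120,"target_filename":"C:\\Users\\ana\\Documents\\carta.pdf.sns"}
{"event":"process_create","pid":5001,"image":"C:\\Windows\\System32\\vssadmin.exe","command_line":"vssadmin.exe List Shadows"}
{"event":"registry_set","pid":5002,"target_object":"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive","details":"C:\\Users\\ana\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"}
{"event":"file_rename","pid":5003,"target_filename":"C:\\Users\\ana\\Downloads\\sample.sns"}
"""

RUN_KEY_PREFIX = "hkcu\\software\\microsoft\\windows\\currentversion\\run\\"


def parse_events(text):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_shadow_copy_deletion(events):
    """PIDs whose command line deletes shadow copies with vssadmin (the Sigma-style rule)."""
    hits = []
    for e in events:
        if e.get("event") != "process_create":
            continue
        cmd = e.get("command_line", "").lower()
        if "vssadmin" in cmd and "delete" in cmd and "shadows" in cmd:
            hits.append(e["pid"])
    return hits


def detect_run_key_persistence(events):
    """(pid, value name, payload) for HKCU Run values whose name matches SNS Locker.

    The page gives the value name both as 'SNS Locker' and 'SNSLocker', so the
    comparison drops spaces and case before matching.
    """
    hits = []
    for e in events:
        if e.get("event") != "registry_set":
            continue
        path = e.get("target_object", "")
        if not path.lower().startswith(RUN_KEY_PREFIX):
            continue
        value_name = path.rsplit("\\", 1)[-1]
        if "snslocker" in value_name.replace(" ", "").lower():
            hits.append((e["pid"], value_name, e.get("details")))
    return hits


def detect_mass_sns_rename(events, threshold=5):
    """{pid: count} for processes renaming at least `threshold` files to .sns.

    A single .sns file is not suspicious on its own; a burst from one process is.
    """
    counts = Counter(
        e["pid"] for e in events
        if e.get("event") == "file_rename"
        and e.get("target_filename", "").lower().endswith(".sns")
    )
    return {pid: n for pid, n in counts.items() if n >= threshold}


def correlate(events, min_indicators=2):
    """PIDs showing at least `min_indicators` of the three behaviours.

    The vssadmin hit is attributed to the parent that spawned it, so the
    shadow-copy deletion counts against the ransomware process, not vssadmin.exe.
    """
    parent_of = {e["pid"]: e.get("parent_pid")
                 for e in events if e.get("event") == "process_create"}
    score = Counter()
    for pid in detect_shadow_copy_deletion(events):
        score[parent_of.get(pid) or pid] += 1
    for pid, _name, _payload in detect_run_key_persistence(events):
        score[pid] += 1
    for pid in detect_mass_sns_rename(events):
        score[pid] += 1
    return {pid for pid, n in score.items() if n >= min_indicators}


def run_detections(text=SAMPLE_EVENTS):
    """Run every rule over the telemetry and return the findings keyed by rule name."""
    events = parse_events(text)
    return {
        "shadow_copy_deletion": detect_shadow_copy_deletion(events),
        "run_key_persistence": detect_run_key_persistence(events),
        "mass_sns_rename": detect_mass_sns_rename(events),
        "correlated_pids": correlate(events),
    }


if __name__ == "__main__":
    for rule, result in run_detections().items():
        print(f"{rule}: {result}")
```

On the constructed sample only pid 4120 reaches the correlation threshold: it set the Run value, renamed six files to .sns and spawned the vssadmin deletion. The benign vssadmin List Shadows, the OneDrive Run value and the single stray .sns file produce no findings, which is the false-positive behaviour a rule like this needs before it is deployed.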

☠️ Risk & Impact

Infection results in irreversible encryption of personal documents, photos, and database files, leading to permanent data loss if backups are unavailable, with financial losses from ransom payments typically in the hundreds of dollars per victim. The primary affected sectors are home users and small enterprises in Spanish-speaking countries, with no evidence of wide-scale data exfiltration or destruction beyond file encryption.

🛡️ Mitigation

Recommended defenses include maintaining offline backups, blocking Microsoft Office macros and JavaScript attachments in email gateways, deploying endpoint detection rules (e.g., Sigma rule for vssadmin shadow copy deletion), and applying behavior-based antivirus signatures that flag encryption routines (e.g., CrowdStrike Falcon or Malwarebytes Anti-Ransomware). Regular user awareness training against phishing emails remains the most effective prevention measure.
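The gateway-side control above (blocking JavaScript, VBScript and macro-enabled Office attachments) can be prototyped with the standard library's email parser. The script below is an added example written for this page, not Boteraser's code or a real gateway product; the sample message, its sender and recipient addresses (example.invalid) and the attachment contents are constructed, and the list of script extensions goes slightly beyond the page's JavaScript/VBScript by including the other Windows Script Host and HTA types. It also looks one level inside ZIP attachments, since droppers of this kind are commonly zipped, and treats the last extension as decisive so that a double-extension name such as factura.pdf.js is still caught.

```python
"""Email-gateway attachment policy for the SNS Locker delivery vector.

Added example; message, addresses and attachment bytes are constructed.
"""
import email
import email.policy
import io
import zipfile
from email.message import EmailMessage
from pathlib import PureWindowsPath

# Windows Script Host / HTA types (page names JavaScript and VBScript; the rest are
# assumed additions of the same kind) and macro-enabled OOXML types.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}
MACRO_EXTS = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}
ARCHIVE_EXTS = {".zip"}


def classify_name(name):
    """Policy verdict for a filename, judged by its final extension only."""
    ext = PureWindowsPath(name).suffix.lower()
    if ext in SCRIPT_EXTS:
        return ("block", f"script attachment {ext}")
    if ext in MACRO_EXTS:
        return ("block", f"macro-enabled Office document {ext}")
    return ("allow", "no policy match")


def classify_attachments(raw):
    """[(filename, verdict, reason)] for every attachment of a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        verdict, reason = classify_name(name)
        # Look one level inside ZIP archives for the same blocked types.
        if verdict == "allow" and PureWindowsPath(name).suffix.lower() in ARCHIVE_EXTS:
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    for member in zf.namelist():
                        v, r = classify_name(member)
                        if v == "block":
                            verdict, reason = "block", f"archive member {member}: {r}"
                            break
            except zipfile.BadZipFile:
                # An unparseable archive cannot be inspected, so it is not allowed through.
                verdict, reason = "block", "archive could not be parsed"
        findings.append((name, verdict, reason))
    return findings


def should_quarantine(raw):
    """True if any attachment is blocked by policy."""
    return any(v == "block" for _, v, _ in classify_attachments(raw))


def build_sample_message():
    """Constructed lure message with four attachments, returned as raw bytes."""
    msg = EmailMessage()
    msg["From"] = "facturacion@example.invalid"  # constructed sender
    msg["To"] = "ana@example.invalid"            # constructed recipient
    msg["Subject"] = "Factura pendiente"
    msg.set_content("Adjunto la factura.")
    # Double extension: should be blocked on the final .js
    msg.add_attachment(b"// placeholder", maintype="application",
                       subtype="octet-stream", filename="factura.pdf.js")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12", filename="informe.docm")
    msg.add_attachment(b"\xff\xd8\xff", maintype="image", subtype="jpeg", filename="foto.jpg")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pago.vbs", "' placeholder")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="pago.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict, reason in classify_attachments(build_sample_message()):
        print(f"{verdict:5} {name}: {reason}")
```

Extension matching is the cheapest layer and is what the page recommends; a production gateway would additionally inspect content (for example macros in legacy binary .doc/.xls files, which carry no distinguishing extension) and recurse into nested or password-protected archives, neither of which this example attempts.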


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.