SNSLocker (detected as RANSOM_SNSLOCKER.A) has the features used by most crypto-ransomware families: the timer, the threat, the encryption capability, the payment link, and the ransom amount (in this case, 300 USD).
Figure 1. SNSLocker lockscreen
SNSLocker is written in pure .NET Framework 2.0 and uses several popular libraries, such as Newtonsoft.Json and the MetroFramework UI. Its core also leverages the Microsoft .NET Crypto API to save time.
Figure 2. SNSLocker written in .Net Framework 2.0
As mentioned earlier, the ransomware's code contains strings that give the location of the malware's server and the login credentials needed to access it. Because the password was left hardcoded in the malware, almost anyone can access the server. The data that was publicly accessible also included the decryption key.
Figure 3. Server credentials left in the code
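An analyst-side check for the kind of finding described above, added here as an example and not taken from the original analysis or from SNSLocker itself: it extracts UTF-16LE string literals from a binary and flags URLs and credential-like values for review. The rule names, the `us_heap_entry` helper, and every sample value are assumptions constructed for illustration.

```python
import re

# .NET string literals live in the #US metadata heap as UTF-16LE, so an
# ASCII-only `strings` pass misses them. Match runs of 6+ printable chars.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")

# Heuristics checked in priority order; the first match labels the string.
RULES = [
    ("url_with_credentials",
     re.compile(r"^[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@", re.I)),
    ("credential_assignment",
     re.compile(r"(?:pass(?:word|wd)?|pwd|user(?:name)?|login)\s*[=:]\s*\S+", re.I)),
    ("url", re.compile(r"^(?:https?|ftp)://\S+$", re.I)),
]

def utf16_strings(blob):
    """Yield (offset, text) for every printable UTF-16LE run in blob."""
    for m in UTF16_RUN.finditer(blob):
        yield m.start(), m.group().decode("utf-16-le")

def triage(blob):
    """Return (offset, label, text) for strings an analyst should review."""
    findings = []
    for offset, text in utf16_strings(blob):
        for label, rule in RULES:
            if rule.search(text):
                findings.append((offset, label, text))
                break
    return findings

def us_heap_entry(text):
    """Constructed test data: length prefix, UTF-16LE text, flag byte."""
    data = text.encode("utf-16-le")
    return bytes([len(data) + 1]) + data + b"\x00"

# Constructed sample, not taken from SNSLocker: every value is a placeholder.
SAMPLE = b"MZ\x90\x00" + b"".join(us_heap_entry(s) for s in [
    "Your files have been encrypted",
    "ftp://svcuser:Example-Pass1@c2.example.invalid/",
    "password=Example-Pass2",
    "http://pay.example.invalid/order",
])

if __name__ == "__main__":
    for offset, label, text in triage(SAMPLE):
        print(f"0x{offset:04x}  {label:<22} {text}")
```

The same rules can be run over in-house builds before release to catch credentials that were left in string literals.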
Setting Up and Spreading SNSLocker
Based on our findings, the attacker signed up with a free hosting provider and used the account as the command and control (C&C) and payment server. This means that maintaining the account cost the author almost nothing. SNSLocker also uses a legitimate cryptocurrency gateway to accept payments, which shows that the author didn't bother spending time customizing this.
Finally, the server also showed us SNSLocker's reach across regions. At the time of analysis, the victims were distributed across the globe, making it a possible global threat. The server data also showed that the United States has the highest number of affected users.
Figure 4. SNSLocker infection distribution
SNSLocker shows how rampant ransomware is at the moment. Cybercriminals can get systems up and running and have global reach in no time at all. Regardless of whether cybercriminals use wide distribution platforms or ransomware-as-a-service (RaaS), or run small operations by themselves, ransomware is where the money is.
Trend Micro Solutions
Trend Micro offers different solutions to protect enterprises, small businesses, and home users to help minimize the risk of getting affected by ransomware, such as SNSLocker.
Users can likewise take advantage of our free tools such as the Trend Micro Lock Screen Ransomware Tool, which is designed to detect and remove screen-locker ransomware, as well as the Trend Micro Crypto-Ransomware File Decryptor Tool, which can decrypt certain variants of crypto-ransomware, including SNSLocker, without paying the ransom or using the decryption key.
Enterprises can benefit from a multi-layered, step-by-step approach in order to best mitigate the risks brought by these threats. Email and web gateway solutions such as Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security prevent ransomware from ever reaching end users. At the endpoint level, Trend Micro Smart Protection Suites deliver several capabilities, such as behavior monitoring, application control, and vulnerability shielding, that minimize the impact of this threat. Trend Micro Deep Discovery Inspector detects and blocks ransomware on networks, while Trend Micro Deep Security™ stops ransomware from reaching enterprise servers, whether physical, virtual or in the cloud.
For small businesses, Trend Micro Worry-Free Services Advanced offers cloud-based email gateway security through Hosted Email Security. Its endpoint protection also delivers several capabilities such as behavior monitoring and real-time web reputation in order to detect and block ransomware.
For home users, Trend Micro Security 10 provides robust protection against ransomware, by blocking malicious websites, emails, and files associated with this threat.
3cbe96abba5269eb69093ebc07dd82e3091f0d3d – RANSOM_SNSLOCK.A
71caed58a603d1ab2a52d02e0822b1ab8f1a9095 – RANSOM_SNSLOCK.A