Between June and October 2024, a new strain named NailaoLocker Ransomware was spotted targeting healthcare organizations across Europe. The ransomware exploits CVE-2024-24919, a vulnerability in Check Point Security Gateway, to gain access to the targeted networks. Once inside, the attackers deploy additional malware, such as ShadowPad and PlugX, which are linked to Chinese state-sponsored cyber-espionage groups. Orange Cyberdefense CERT has connected the attacks to Chinese cyber-espionage tactics, although there is insufficient evidence to definitively attribute them to specific threat groups.
NailaoLocker is considered a relatively basic ransomware variant when compared to more advanced strains.
It does not terminate security processes or running services, and it lacks sophisticated anti-debugging or sandbox evasion mechanisms. The ransomware also does not scan network shares for additional victims. Researchers at Orange have highlighted the malware’s simplicity, noting that it appears poorly designed and does not fully guarantee encryption, suggesting it may not be intended for widespread or highly targeted attacks.
The malware is delivered through a process involving DLL sideloading, using the legitimate executable “usysdiag.exe” and loading the payload from “usysdiag.exe.dat.” After verifying the environment, the ransomware is decrypted and loaded into memory, where it begins encrypting files using the AES-256-CTR algorithm. Encrypted files are given a “.locked” extension, and an HTML ransom note is dropped. The note features an unusually long filename, directing victims to contact the attackers through a disposable ProtonMail address, though it does not mention data theft, which is uncommon for modern ransomware.
Further investigation revealed some overlap between the ransom note’s content and tools sold by the Kodex Software cybercrime group. However, there were no direct code similarities, making any connection unclear. Researchers have proposed several possible motives for the attack, including a false flag operation, a combined strategy of espionage and revenue generation, or Chinese cyber-espionage groups using ransomware as a secondary money-making method. This shift in tactics, especially compared to North Korean actors who pursue both financial and espionage goals, raises concerns about the evolving nature of state-sponsored cyber operations.
