Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

NailaoLocker Ransomware Campaign: A New Threat to EU Healthcare Organizations



A novel ransomware family, dubbed NailaoLocker, has been deployed against European healthcare-related entities since June 2024. The campaign gained initial access by exploiting a zero-day vulnerability in Check Point Security Gateways and delivered the ransomware alongside a new ShadowPad variant that carries evasion and anti-debugging features.



  • The NailaoLocker ransomware has been targeting European healthcare-related entities since June 2024.
  • The attackers exploited a zero-day vulnerability in Check Point Security Gateways to extract sensitive information from the gateways, including local account password hashes, and then connected to the VPN with legitimate accounts.
  • The intruders used RDP for lateral movement, side-loaded malicious DLLs into legitimate signed executables, and used those executables for persistence and privilege escalation.
  • The malware encrypts files with AES-256-CTR (a symmetric cipher) and appends the “.locked” extension to the filenames of encrypted files.
  • The campaign shows why timely patching and hardening of Internet-facing security gateways matter, particularly for healthcare organizations.


  • A novel ransomware family, dubbed NailaoLocker, has been targeting European healthcare-related entities since June 2024. The intrusion set, tracked as the Green Nailao campaign, has affected multiple organizations across the continent.

    According to Orange Cyberdefense CERT, the attackers exploited a zero-day vulnerability in Check Point Security Gateways with the Remote Access VPN or Mobile Access features enabled, identified as CVE-2024-24919. Exploiting it allowed the threat actors to extract sensitive information from the gateways, including the password hashes of all local accounts, and then connect to the VPN using legitimate accounts. Because that access blends in with normal VPN traffic, applying the vendor fix alone is not enough: local account passwords on an exposed gateway should also be treated as compromised and rotated.

    The intruders used RDP for lateral movement and side-loaded malicious DLLs to deploy ShadowPad and PlugX, relying on legitimate signed executables for persistence and privilege escalation. ShadowPad is a modular backdoor that has been a hallmark of China-linked APT groups since at least 2015; the variant used here adds further evasion and anti-debugging features.

    Beyond the initial exploit, the threat actors also went after domain credentials, attempting to capture and exfiltrate the Active Directory database file “ntds.dit”. They then used WMI to deploy NailaoLocker through DLL side-loading with a legitimately signed Chinese executable. Once side-loaded, the NailaoLoader DLL retrieves its host module's address with the GetModuleHandleW API and checks specific byte values to verify that it has been loaded by the expected binary, a simple guard against the DLL being run from any other host process, such as an analyst's loader.

    The execution flow of NailaoLocker and its variants has been documented in detail by Orange Cyberdefense CERT. The malware appends the “.locked” extension to the filenames of encrypted files and uses AES-256-CTR, a symmetric cipher, for file encryption. The malicious code creates a mutex named “Global\lockv7”, which serves as a single-instance guard and is also a usable host-based indicator.
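    As an added example (not from the article or from Orange Cyberdefense's report), the following Python hunt implements three of the observables just described over constructed, Sysmon-like endpoint events: a DLL loaded from the same user-writable directory as its host executable, where that host was spawned under WmiPrvSE.exe (the WMI side-loading pattern); access to ntds.dit; and a burst of renames to the “.locked” extension. The event field names, the executable and DLL names (signed_tool.exe, helper.dll), paths, PIDs and thresholds are all assumptions of this example.

```python
"""Hunt for NailaoLocker-style tradecraft in constructed endpoint telemetry.

Added example: the records below are constructed, Sysmon-like dictionaries.
Field names (event, image, parent_image, loaded, target, new_name, pid) and
the file names/paths are this example's own assumptions, not a real schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

SYSTEM_DIRS = ("c:\\windows", "c:\\program files", "c:\\program files (x86)")
LOCKED_EXT = ".locked"
BURST_WINDOW = timedelta(seconds=60)   # assumed tuning values
BURST_THRESHOLD = 5

# Constructed telemetry: one WMI-launched signed host loading a DLL from its
# own user-writable directory, one ntds.dit read, one benign rename, and a
# burst of renames to *.locked by the side-loaded host process.
EVENTS = [
    {"ts": "2024-06-12T09:00:01", "event": "process_create", "pid": 4120,
     "image": r"C:\Users\Public\Tools\signed_tool.exe",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"ts": "2024-06-12T09:00:02", "event": "image_load", "pid": 4120,
     "image": r"C:\Users\Public\Tools\signed_tool.exe",
     "loaded": r"C:\Users\Public\Tools\helper.dll"},
    {"ts": "2024-06-12T09:00:02", "event": "image_load", "pid": 4120,
     "image": r"C:\Users\Public\Tools\signed_tool.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll"},          # benign load
    {"ts": "2024-06-12T08:30:00", "event": "file_read", "pid": 3001,
     "image": r"C:\Windows\System32\ntdsutil.exe",
     "target": r"C:\Windows\Temp\x\Active Directory\ntds.dit"},
    {"ts": "2024-06-12T09:05:00", "event": "file_rename", "pid": 2222,
     "image": r"C:\Program Files\Editor\editor.exe",
     "target": r"C:\Users\alice\notes.txt",
     "new_name": r"C:\Users\alice\notes.txt.bak"},             # benign rename
] + [
    {"ts": f"2024-06-12T09:10:{i:02d}", "event": "file_rename", "pid": 4120,
     "image": r"C:\Users\Public\Tools\signed_tool.exe",
     "target": rf"C:\Shares\Records\patient_{i}.docx",
     "new_name": rf"C:\Shares\Records\patient_{i}.docx.locked"}
    for i in range(6)
]


def _in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def detect_sideload(events):
    """Flag a DLL loaded from the same non-system directory as its host EXE,
    and note whether that host process was spawned by WmiPrvSE.exe."""
    wmi_children = {
        e["pid"] for e in events
        if e["event"] == "process_create"
        and PureWindowsPath(e["parent_image"]).name.lower() == "wmiprvse.exe"
    }
    alerts = []
    for e in events:
        if e["event"] != "image_load":
            continue
        exe_dir = PureWindowsPath(e["image"]).parent
        dll = PureWindowsPath(e["loaded"])
        if (dll.suffix.lower() == ".dll" and dll.parent == exe_dir
                and not _in_system_dir(str(exe_dir))):
            alerts.append({"rule": "dll_sideload", "pid": e["pid"],
                           "dll": str(dll), "wmi_launched": e["pid"] in wmi_children})
    return alerts


def detect_ntds_access(events):
    """Any read/create/copy touching a file literally named ntds.dit."""
    return [{"rule": "ntds_dit_access", "pid": e["pid"], "target": e["target"]}
            for e in events
            if e["event"] in ("file_read", "file_create", "file_copy")
            and PureWindowsPath(e["target"]).name.lower() == "ntds.dit"]


def detect_locked_burst(events, window=BURST_WINDOW, threshold=BURST_THRESHOLD):
    """Sliding-window count of renames to *.locked, per process; one alert per pid."""
    by_pid = defaultdict(list)
    for e in events:
        if e["event"] == "file_rename" and e["new_name"].lower().endswith(LOCKED_EXT):
            by_pid[e["pid"]].append(datetime.fromisoformat(e["ts"]))
    alerts = []
    for pid, times in by_pid.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"rule": "locked_rename_burst", "pid": pid,
                               "count": end - start + 1})
                break
    return alerts


def hunt(events):
    return detect_sideload(events) + detect_ntds_access(events) + detect_locked_burst(events)


if __name__ == "__main__":
    for alert in hunt(EVENTS):
        print(alert)
```

    The mutex “Global\lockv7” is a process-level artifact that file and image-load telemetry does not expose; hunt for it with a handle or memory scan on suspect hosts instead. The rename threshold is deliberately low for the sample data; measure baseline rename rates before deploying the window and count against production telemetry.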

    Despite being relatively unsophisticated, NailaoLocker has already had significant repercussions for organizations in Europe. Notably, it does not enumerate or encrypt network shares, does not stop services or processes that might hold locks on important files, and does not check whether it is being debugged.

    The campaign underlines the need for robust security controls in healthcare organizations worldwide. The attackers gained their foothold through an Internet-facing security gateway, so timely patching and correct configuration of those gateways, together with credential rotation after exposure, are the first line of defence.

    In conclusion, the NailaoLocker ransomware campaign is a stark reminder of the ever-evolving nature of cybersecurity threats. As we continue to navigate this complex landscape, it is essential that organizations prioritize robust security measures to protect their sensitive data and prevent such attacks in the future.



    Related Information:

  • https://securityaffairs.com/174440/malware/nailaolocker-ransomware-targets-eu-healthcare-related-entities.html

  • https://www.bleepingcomputer.com/news/security/new-nailaolocker-ransomware-used-against-eu-healthcare-orgs/

  • https://nvd.nist.gov/vuln/detail/CVE-2024-24919

  • https://www.cvedetails.com/cve/CVE-2024-24919/


  • Published: Thu Feb 20 12:47:58 2025 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.
