Ethical Hacking News

New NailaoLocker Ransomware Campaign Targets EU Healthcare Organizations: A Shift in Tactics by Chinese State-Sponsored Actors Raises Concerns

  • NailaoLocker ransomware was identified by researchers at Orange Cyberdefense CERT as a previously undocumented strain deployed between June and October 2024.
  • The malware exploits a vulnerability in Check Point Security Gateway to gain access to targeted networks.
  • NailaoLocker is relatively unsophisticated, lacking features like anti-debugging and sandbox evasion mechanisms.
  • The attack chain involves file encryption using an AES-256-CTR scheme, followed by an HTML ransom note with decryption instructions.
  • There was no direct code overlap between NailaoLocker and a ransomware tool sold by Kodex Softwares, suggesting unclear origins.
  • The deployment of NailaoLocker has raised concerns about Chinese state-backed actors' evolving tactics in cyberoperations.
  • Organizations must implement robust security measures, stay informed about emerging threats, and cooperate with authorities to mitigate the impact of ransomware attacks.



In a recent development that has drawn wide attention in the cybersecurity community, researchers at Orange Cyberdefense CERT have identified a previously undocumented ransomware strain dubbed NailaoLocker. This malicious software was deployed in attacks targeting European healthcare organizations between June and October 2024, exploiting a vulnerability in Check Point Security Gateway to gain access to targeted networks.

According to Orange's researchers, the NailaoLocker ransomware is relatively unsophisticated compared to other prominent families in the space. This assessment rests on its lack of features such as termination of security processes or running services, anti-debugging and sandbox evasion mechanisms, and network share scanning. The malware is written in C++ and is deployed on target systems by DLL sideloading through a legitimate, signed executable (usysdiag.exe).
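DLL sideloading through a signed host is the kind of loader behaviour that shows up cleanly in endpoint telemetry. The following is an added example (not code from the article or from Orange Cyberdefense) that triages Sysmon-style ImageLoad records for a watched host loading a DLL from an untrusted directory or loading an unsigned DLL. The host name usysdiag.exe comes from the article; the Sysmon field names (Image, ImageLoaded, Signed) are an assumption about the schema, the DLL names are placeholders, and every event record below is constructed.

```python
"""Triage Sysmon-style ImageLoad (Event ID 7) records for DLL sideloading
through a signed host executable.

Added example; not code from the article or from Orange Cyberdefense. The
host name comes from the article; the Sysmon field names (Image, ImageLoaded,
Signed) are assumed, the DLL names are placeholders and every event below is
constructed."""
import json
from pathlib import PureWindowsPath

# Signed host named in the article as the sideloading vehicle.
WATCHED_HOSTS = {"usysdiag.exe"}

# Directories a properly installed host would normally load its DLLs from.
TRUSTED_DLL_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
)


def classify_load(event: dict):
    """Return a reason string when the record looks like sideloading, else None."""
    if event.get("EventID") != 7:
        return None
    host = PureWindowsPath(event.get("Image", ""))
    if host.name.lower() not in WATCHED_HOSTS:
        return None
    dll = PureWindowsPath(event.get("ImageLoaded", ""))
    if dll.suffix.lower() != ".dll":
        return None
    dll_dir = str(dll.parent).lower()
    host_dir = str(host.parent).lower()
    trusted_dir = dll_dir.startswith(TRUSTED_DLL_DIRS)
    signed = str(event.get("Signed", "false")).lower() == "true"
    if not trusted_dir and dll_dir == host_dir:
        # Classic layout: the planted DLL sits beside a copied host so the
        # loader's search order picks it up before any system copy.
        return "dll loaded from the host's own untrusted directory"
    if not trusted_dir:
        return "dll loaded from an untrusted directory"
    if not signed:
        # A host installed under Program Files would pass the directory check,
        # so an unsigned DLL loaded by a signed host is the remaining signal.
        return "unsigned dll loaded by a signed host"
    return None


def triage(ndjson: str):
    """Parse newline-delimited JSON records; return (host, dll, reason) per hit."""
    hits = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        reason = classify_load(event)
        if reason:
            hits.append((event["Image"], event["ImageLoaded"], reason))
    return hits


# Constructed sample records (not real telemetry); paths and DLL names are placeholders.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 7, "Image": r"C:\Users\Public\diag\usysdiag.exe",
     "ImageLoaded": r"C:\Users\Public\diag\PLACEHOLDER_sideloaded.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Program Files\Vendor\usysdiag.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Users\Public\diag\PLACEHOLDER_sideloaded.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Program Files\Vendor\usysdiag.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\PLACEHOLDER_unsigned.dll", "Signed": "false"},
])

if __name__ == "__main__":
    for host, dll, reason in triage(SAMPLE_EVENTS):
        print(f"{reason}: {host} -> {dll}")
```

Because the article does not name the sideloaded DLL, the rule keys on where the DLL is loaded from and whether it is signed rather than on a file name; in practice the third record (a different host loading the same DLL) would also deserve a look, and the watched-host set would be extended as further abused signed binaries are identified.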

The attack chain initiated by NailaoLocker involves the activation of the ransomware, which then begins encrypting files using an AES-256-CTR scheme. Upon completion, the malware drops an HTML ransom note with a very long filename that instructs victims to contact the operators at a disposable ProtonMail address for decryption instructions. Notably, this ransom note does not explicitly state that data was stolen, which is unusual for most modern ransomware operations.
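Two artefacts in that chain are useful for a responder sweeping a share after the fact: an HTML note with an unusually long filename, and files whose contents have been rewritten by AES-256-CTR. The following is an added example, not code from the article, that scans a directory tree for both. It assumes a filename-length threshold and an entropy threshold chosen for illustration; because the Python standard library has no AES, random bytes stand in for CTR output (which is what CTR ciphertext looks like to an entropy test), and every sample file is constructed.

```python
"""Filesystem triage for the two artefacts the article describes: an HTML
ransom note with an unusually long filename, and files rewritten by AES-256-CTR.

Added example, not code from the article. The standard library has no AES, so
random bytes stand in for CTR output; thresholds and all sample files are
constructed."""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def scan_tree(root, name_len_threshold=64, entropy_threshold=7.5,
              min_size=1024, sample_bytes=65536):
    """Return {'ransom_notes': [...], 'high_entropy': [...]} as POSIX relative paths.

    CTR mode adds no padding, so an encrypted file keeps its plaintext size;
    size is not a signal here, but the byte distribution is. Only the first
    sample_bytes of each file are read, and short files are skipped because
    their entropy estimate is noisy. Compressed formats (zip, jpeg, ...) also
    sit near 8 bits/byte, so hits need review against extension and magic
    bytes before being treated as encrypted.
    """
    root = Path(root)
    notes, high = [], []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() in (".html", ".htm") and len(path.name) >= name_len_threshold:
            notes.append(rel)
            continue
        if path.stat().st_size < min_size:
            continue
        with path.open("rb") as fh:
            head = fh.read(sample_bytes)
        if shannon_entropy(head) >= entropy_threshold:
            high.append(rel)
    return {"ransom_notes": notes, "high_entropy": high}


def build_sample_tree(root) -> None:
    """Create a constructed tree: plaintext report, CTR-style ciphertext stand-in, long-named note."""
    root = Path(root)
    (root / "records").mkdir()
    (root / "records" / "discharge_summary.txt").write_bytes(
        b"Patient discharged in stable condition; follow-up in two weeks.\n" * 40)
    # os.urandom stands in for AES-CTR output (constructed, not real ciphertext).
    (root / "records" / "patient_export.bin").write_bytes(os.urandom(4096))
    note_name = "CONSTRUCTED_NOTE_" + "X" * 100 + ".html"
    (root / note_name).write_text("<html><body>constructed ransom note text</body></html>")


def demo() -> dict:
    """Build the sample tree in a temporary directory, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    print(demo())
```

Run against a real share, the scanner would be pointed at the root of the affected tree rather than at a temporary directory; the low-entropy text file is there to show that ordinary documents stay well below the threshold even when the encrypted file beside them is the same size it was before.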

Investigations by Orange have revealed some overlap between the content of the ransom note and a ransomware tool sold by a cybercrime group named Kodex Softwares (formerly Evil Extractor). However, there were no direct code overlaps, leaving the connection blurry. The researchers have proposed several hypotheses for the attacks, including a false-flag operation meant to distract, strategic data-theft operations combined with revenue generation, and, more likely in their view, a Chinese cyberespionage group "moonlighting" on the side to earn some money.

The recent deployment of NailaoLocker ransomware has raised concerns regarding the evolving tactics employed by Chinese state-backed actors in their cyberoperations. While North Korean actors are known to pursue multiple goals in parallel, including financial gains via ransomware attacks, Chinese state-backed actors have not followed this approach. The shift in tactics is concerning and warrants further attention from cybersecurity professionals and policymakers.

In light of these findings, it is essential for organizations and individuals alike to remain vigilant against such malicious activities. Implementing robust security measures, staying informed about emerging threats, and cooperating with relevant authorities are crucial steps in mitigating the impact of ransomware attacks like NailaoLocker.



    Related Information:

  • https://www.bleepingcomputer.com/news/security/new-nailaolocker-ransomware-used-against-eu-healthcare-orgs/


  • Published: Thu Feb 20 03:03:22 2025 by llama3.2 3B Q4_K_M
