A new ransomware called NailaoLocker has been found targeting European healthcare organizations between June and October 2024. Attackers exploited a vulnerability in Check Point Security Gateway (CVE-2024-24919) to infiltrate networks and deploy malware like ShadowPad and PlugX, often linked to Chinese state-sponsored hackers.
NailaoLocker is basic in design, lacks advanced evasion tactics, and uses AES-256-CTR encryption, appending .locked to files.
Delivered via DLL sideloading using usysdiag.exe.
Leaves a ransom note named: unlock_please_view_this_file_....html with contact via ProtonMail.
No evidence of data theft, which is rare for modern ransomware.
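As an added defender-side example (not code from the report or from Orange Cyberdefense), the following Python triage routine runs the indicators above over constructed endpoint telemetry: bulk creation of .locked files, a ransom note matching the unlock_please_view_this_file_*.html name, and usysdiag.exe loading a DLL from outside the Windows system directories. The event format and the "DLL outside System32/SysWOW64 counts as a sideloading candidate" heuristic are assumptions, not facts from the page.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Indicators taken from the reporting above.
LOCKED_EXT = ".locked"
NOTE_PATTERN = re.compile(r"^unlock_please_view_this_file_.*\.html$", re.IGNORECASE)
SIDELOAD_HOST = "usysdiag.exe"
# Assumption (not from the page): a DLL that usysdiag.exe loads from anywhere
# other than the Windows system directories is treated as a sideload candidate.
TRUSTED_DLL_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")


def triage_events(events, locked_threshold=10):
    """Score a batch of endpoint events for NailaoLocker-style activity.

    events: dicts with 'type' ('file_create' or 'image_load'), 'path', and for
    image_load events a 'process' name. Returns a summary dict with findings.
    """
    locked_per_dir = Counter()
    notes, sideloads = [], []
    for ev in events:
        p = PureWindowsPath(ev["path"])
        parent = str(p.parent).lower()
        if ev["type"] == "file_create":
            if p.suffix.lower() == LOCKED_EXT:
                locked_per_dir[parent] += 1          # encrypted file appeared
            elif NOTE_PATTERN.match(p.name):
                notes.append(str(p))                 # ransom note dropped
        elif ev["type"] == "image_load":
            host = ev.get("process", "").lower()
            if host == SIDELOAD_HOST and p.suffix.lower() == ".dll":
                if not parent.startswith(TRUSTED_DLL_DIRS):
                    sideloads.append(str(p))         # DLL from untrusted dir
    total_locked = sum(locked_per_dir.values())
    return {
        "locked_files": total_locked,
        "ransom_notes": notes,
        "sideload_candidates": sideloads,
        # Mass encryption plus at least one corroborating indicator.
        "likely_nailao_activity": total_locked >= locked_threshold
        and (bool(notes) or bool(sideloads)),
    }


# Constructed sample telemetry; paths and names are made up for the demo.
SAMPLE_EVENTS = [
    {"type": "image_load", "process": "usysdiag.exe", "path": r"C:\Windows\System32\kernel32.dll"},
    {"type": "image_load", "process": "usysdiag.exe", "path": r"C:\Users\Public\payload.dll"},
    {"type": "file_create", "path": r"C:\Shares\Records\unlock_please_view_this_file_SAMPLE.html"},
] + [{"type": "file_create", "path": rf"C:\Shares\Records\record_{i}.pdf.locked"} for i in range(12)]

if __name__ == "__main__":
    print(triage_events(SAMPLE_EVENTS))
```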
🕶️ Espionage or Ransom?
Orange Cyberdefense suspects the attack could be a cover for espionage or a side hustle by a Chinese cyber-espionage group. Similar tactics were recently seen with RA World ransomware targeting Asian firms.