A newly discovered ransomware variant, NailaoLocker, has been identified in cyberattacks targeting European healthcare institutions between June and October 2024. The attackers leveraged CVE-2024-24919, a vulnerability in Check Point Security Gateway, to infiltrate networks and deploy the ShadowPad and PlugX malware strains, both associated with Chinese state-sponsored hacking groups.
Researchers from Orange Cyberdefense CERT suggest that the attacks align with Chinese cyber-espionage tactics, though they have not attributed them to a specific group. Notably, NailaoLocker exhibits a relatively unsophisticated design, suggesting it may serve an unconventional purpose—perhaps a blend of espionage and financial extortion.
The Attack
- NailaoLocker ransomware was used in cyberattacks against European healthcare organizations.
- Attackers exploited a known vulnerability (CVE-2024-24919) in Check Point Security Gateway to infiltrate networks.
- The malware payload was delivered through DLL sideloading, utilizing a legitimate usysdiag.exe executable.
- The ransomware encrypts files using AES-256-CTR encryption, appending the “.locked” extension.
- It drops an unusually long HTML ransom note, instructing victims to contact the attackers via ProtonMail.
- Unlike most ransomware attacks, there is no indication of data exfiltration, raising questions about its true intent.
- Orange Cyberdefense suggests possible false flag tactics, espionage, or financial motivations behind the operation.
- Comparisons are drawn to previous ransomware activity by Kodex Softwares (formerly Evil Extractor), but no direct code overlap was found.
- The attack also highlights a shift in Chinese cyber tactics, with state-affiliated groups potentially engaging in financial ransomware schemes.
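As an added illustration, not code from the original report or from Orange Cyberdefense, the following hunting script flags the two behaviours listed above in endpoint telemetry: usysdiag.exe loading a DLL from outside trusted system directories (the sideloading pattern) and a burst of ".locked" renames by a single process (encryption in progress). The key="value" log format, the sample lines, the directory allowlist and the DLL name loader.dll are all constructed assumptions.

```python
import re
from collections import Counter

# Legitimate host binary named in the report; the sideloaded DLL is not named there.
SIDELOAD_HOST = "usysdiag.exe"
RANSOM_EXT = ".locked"
# Assumed allowlist: DLLs loaded from these directories are treated as expected.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files")

# Constructed sample telemetry in an assumed key="value" format (not real logs).
SAMPLE_LOG = r"""
event="image_load" process="C:\Windows\System32\svchost.exe" image="C:\Windows\System32\kernel32.dll"
event="image_load" process="C:\Users\Public\usysdiag.exe" image="C:\Windows\System32\kernel32.dll"
event="image_load" process="C:\Users\Public\usysdiag.exe" image="C:\Users\Public\loader.dll"
event="file_rename" process="C:\Users\Public\usysdiag.exe" target="C:\Data\scan01.pdf.locked"
event="file_rename" process="C:\Users\Public\usysdiag.exe" target="C:\Data\scan02.pdf.locked"
event="file_rename" process="C:\Users\Public\usysdiag.exe" target="C:\Data\scan03.pdf.locked"
event="file_rename" process="C:\Windows\explorer.exe" target="C:\Data\notes.txt"
"""

def parse(line):
    """Turn one key="value" log line into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))

def is_sideload(ev):
    """True when usysdiag.exe loads a DLL from outside the trusted directories."""
    if ev.get("event") != "image_load":
        return False
    proc, img = ev.get("process", "").lower(), ev.get("image", "").lower()
    if not proc.endswith("\\" + SIDELOAD_HOST) or not img.endswith(".dll"):
        return False
    return not img.startswith(TRUSTED_DIRS)

def locked_rename_bursts(events, threshold=3):
    """Processes that renamed at least `threshold` files to .locked."""
    renames = Counter(ev.get("process", "") for ev in events
                      if ev.get("event") == "file_rename"
                      and ev.get("target", "").lower().endswith(RANSOM_EXT))
    return {proc: n for proc, n in renames.items() if n >= threshold}

def hunt(log_text):
    """Return (suspicious DLL paths, {process: count of .locked renames})."""
    events = [parse(l) for l in log_text.strip().splitlines() if l.strip()]
    return [ev["image"] for ev in events if is_sideload(ev)], locked_rename_bursts(events)

if __name__ == "__main__":
    print(hunt(SAMPLE_LOG))
```

Tune the rename threshold and the directory allowlist to the environment; a legitimate usysdiag.exe loading system DLLs from System32 is not flagged, only loads from user-writable paths are.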
What Undercode Says:
A Shift in Chinese Cyber Operations?
Historically, Chinese state-sponsored hackers have prioritized espionage over financial gain. Their operations typically involve stealing sensitive intellectual property, state secrets, and corporate data rather than launching ransomware campaigns. However, the emergence of NailaoLocker suggests a possible shift in tactics. The attack mirrors the approach of North Korean cyber groups, which have long combined state-backed espionage with ransomware-based financial extortion.
The lack of data exfiltration in NailaoLocker attacks is unusual. Modern ransomware operations typically steal data before encrypting it, using the threat of exposure to pressure victims into paying ransom. This anomaly raises the possibility that the true goal was disruption or distraction rather than profit.
NailaoLocker: Amateur or Purposefully Simple?
Security researchers classify NailaoLocker as an unsophisticated ransomware strain due to its lack of anti-analysis features, inability to terminate security processes, and absence of network scanning. This could indicate amateur development—or, alternatively, that the ransomware was designed for a specific, low-profile purpose.
The DLL sideloading technique used for deployment is more common in espionage than in traditional ransomware operations. This aligns with past campaigns linked to Chinese Advanced Persistent Threats (APTs), particularly those using ShadowPad and PlugX, both of which have deep ties to Chinese cyber-espionage groups.
A Blurred Line Between Cybercrime and State-Sponsored Hacking
The connection between NailaoLocker and Kodex Softwares (formerly Evil Extractor) raises another critical question: Are cybercrime groups collaborating with state-sponsored actors? While there is no direct code overlap, similarities in the ransom note content suggest potential tool-sharing or inspiration from known cybercriminal groups.
If Chinese APTs are indeed adopting dual-purpose ransomware tactics, this could mark a dangerous evolution in state-sponsored cybercrime. Governments and organizations should prepare for attacks that combine nation-state espionage with financial extortion, making threat attribution and response more complex.
Why Target Healthcare?
Healthcare institutions are particularly vulnerable to ransomware attacks because they rely on real-time access to patient data. Even short-term disruption can have life-threatening consequences, making them highly susceptible to ransom demands. However, since NailaoLocker does not appear to steal data, the true intent of the attacks remains ambiguous.
Possible motivations include:
- Disruption – A strategic move to destabilize European healthcare systems.
- Espionage Disguise – Ransomware could serve as a cover for data theft occurring elsewhere in the system.
- Financial Gain – A shift in tactics where Chinese hackers supplement state operations with ransomware-driven profits.
Final Thoughts: A New Era of Cyber Threats?
The NailaoLocker campaign highlights an important trend in cyber warfare: the growing convergence of espionage, cybercrime, and financial extortion. If this represents a new model for Chinese APTs, organizations must rethink their defensive strategies—not just against traditional cyber-espionage but also against state-sponsored ransomware threats.
Governments, cybersecurity firms, and private organizations should monitor such developments closely. The line between cyber warfare and cybercrime is blurring, and the emergence of threats like NailaoLocker could signify a broader shift in the global cyber threat landscape.
References:
Reported By: https://www.bleepingcomputer.com/news/security/new-nailaolocker-ransomware-used-against-eu-healthcare-orgs/