NailaoLocker Ransomware's 'Cheese'

July 21, 2025, 10:58 a.m.

Description

NailaoLocker is a new ransomware family targeting Windows systems. It encrypts files with AES-256-CBC and, unusually for ransomware, protects the file-encryption key with SM2, the Chinese elliptic-curve public-key standard, using a key pair hard-coded in the binary. The payload is launched through DLL side-loading and processes files on multiple threads using Windows I/O Completion Ports. The binary carries both an encryption mode and a decryption mode and embeds a complete SM2 key pair, public and private. In testing, however, the embedded private key did not decrypt files correctly, which suggests either a decoy or an incomplete build. The decryption routine itself works when supplied with valid key material, so the failure appears to lie in the embedded key rather than in the decryption code; the variant's true intent remains unclear.
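The first thing an analyst wants to know about an embedded SM2 key pair that "fails to decrypt" is whether the private scalar and the public point belong together at all: if d*G does not equal the embedded public point, no decryption routine, however correct, can recover a key wrapped to that point. The following check is an added example, not code from the report or from the NailaoLocker sample. It does the SM2 curve arithmetic in pure Python on the published sm2p256v1 parameters, assumes the public key is stored in uncompressed 04||X||Y form (the report does not state the encoding), and uses a constructed key pair rather than material from the binary.

```python
"""Check whether an SM2 private scalar matches an SM2 public point.

Pure-Python affine arithmetic on the SM2 recommended curve (sm2p256v1,
GB/T 32918.5). No third-party dependencies. Nothing here is taken from
the NailaoLocker sample; the sample key pair at the bottom is constructed.
"""

# SM2 recommended curve parameters (GB/T 32918.5-2017), prime-order curve, cofactor 1.
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
GX = 0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7
GY = 0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0
G = (GX, GY)
INF = None  # point at infinity


def on_curve(pt):
    """True if pt is the point at infinity or satisfies y^2 = x^3 + a*x + b (mod p)."""
    if pt is INF:
        return True
    x, y = pt
    if not (0 <= x < P and 0 <= y < P):
        return False
    return (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Affine point addition; handles doubling and p1 == -p2."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF  # p1 == -p2 (or a point of order 2)
        lam = (3 * x1 * x1 + A) * pow((2 * y1) % P, -1, P) % P  # doubling
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, pt):
    """Double-and-add k*pt. Not constant-time: fine for offline analysis, not for production use."""
    result = INF
    addend = pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def sm2_public_from_private(d):
    """Derive Q = d*G for a private scalar d in [1, n-1]."""
    if not 1 <= d < N:
        raise ValueError("private scalar out of range")
    return scalar_mult(d, G)


def parse_uncompressed_point(raw):
    """Parse a 65-byte 04||X||Y public key (assumed encoding)."""
    if len(raw) != 65 or raw[0] != 0x04:
        raise ValueError("expected 65-byte uncompressed point")
    return (int.from_bytes(raw[1:33], "big"), int.from_bytes(raw[33:], "big"))


def encode_uncompressed(pt):
    """Inverse of parse_uncompressed_point."""
    x, y = pt
    return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")


def keypair_matches(d, pub_raw):
    """True only if pub_raw is a valid SM2 point and equals d*G.

    False here means the private key can never unwrap anything encrypted to
    that public key, regardless of whether the decryption code is correct.
    """
    pub = parse_uncompressed_point(pub_raw)
    if not on_curve(pub) or pub is INF:
        return False  # reject off-curve points before doing anything else
    return sm2_public_from_private(d) == pub


# Constructed demonstration key pair (not from any malware sample).
SAMPLE_D = 0x1D3F7A2C9B8E6F5041C2D3E4F5A6B7C8D9E0F1A2B3C4D5E6F708192A3B4C5D6E
SAMPLE_PUB = encode_uncompressed(sm2_public_from_private(SAMPLE_D))

if __name__ == "__main__":
    print("generator on curve:", on_curve(G))
    print("n*G is infinity:", scalar_mult(N, G) is INF)
    print("sample pair matches:", keypair_matches(SAMPLE_D, SAMPLE_PUB))
    print("off-by-one scalar matches:", keypair_matches(SAMPLE_D + 1, SAMPLE_PUB))
```

Run the two blobs pulled from a sample through keypair_matches first; only if it returns True is it worth tracing the SM2 decryption path for a logic bug. A False result narrows the "trap or incomplete build" question to the key material itself.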

Date

  • Created: July 21, 2025, 10:27 a.m.
  • Published: July 21, 2025, 10:27 a.m.
  • Modified: July 21, 2025, 10:58 a.m.

Indicators

  • 60133376a7c8e051da787187761e596ce9b3d0cfcea21ed8f434992aa7cb8605
  • 46f3029fcc7e2a12253c0cc65e5c58b5f1296df1e364878b178027ab26562d68
  • 1248c4b352b9b1325ef97435bd38b2f02d21e2c6d494a2218ee363d9874b7607

Attack Patterns