NailaoLocker Ransomware: A Rising Threat to European Organizations


What Is NailaoLocker Ransomware?

NailaoLocker is a ransomware-type program written in C++, designed to encrypt victims' files and demand payment for their decryption. This threat has been observed targeting organizations in Europe, including those in the healthcare sector. While it has not been definitively linked to any known cybercriminal group, its tactics resemble those of notorious Chinese-affiliated actors.

Once NailaoLocker infiltrates a system, it encrypts files and appends a ".locked" extension to their names. For example, a file named "document.pdf" would appear as "document.pdf.locked" after encryption. Following this process, the ransomware generates a ransom note warning victims of the consequences of not paying the demanded sum.

What NailaoLocker Ransomware Demands

The ransom note informs victims that their files are encrypted and can only be recovered by paying a ransom in Bitcoin. While the exact amount is unspecified, the message warns that failure to comply within a week will result in the deletion of the affected files. The attackers claim that once payment is made, decryption will take place within 24 hours.

Victims are also advised against tampering with the encrypted files. Attempts to move, delete, or decrypt them using third-party applications may result in permanent data loss. However, despite these warnings, there is no guarantee that the attackers will provide decryption tools even if the ransom is paid.

Here's the ransom note in full:

[1.Your important files are encrypted. If you want to decrypt your files, please follow the instructions.]

[2.Do you need file decryption service (restore your files to their original state)? If not, your files will be automatically deleted after one week.]

[3.If you need to purchase unlocking service, please contact us and we will tell you the amount (pay with BTC)]

[4.After you complete the payment using BTC, we will deliver the unlocking program within 24 hours. Once the program is run on the locked computer, all files will be unlocked.]

[5.BTC purchase website:hxxps://www.coinbase.com, hxxps://www.bitfinex.com, hxxps://www.binance.com]

[Contact us on johncollinsy@proton.me]

[Notice:Do not delete or move locked files without unlocking them first.]

[Notice:The encryption algorithm uses symmetric encryption, and the password is a string of characters with the same length as the Bitcoin private key. If you can crack Bitcoin, then congratulations, you can decrypt it yourself. Otherwise, please contact us to purchase our decryption tool. Don't have illusions!!!]

A Ransomware Strain with Weak Execution

Unlike more advanced ransomware, NailaoLocker lacks anti-debugging features and does not disable critical system processes or services before encryption. This oversight means that if essential system files are encrypted, the operating system could become unusable. Additionally, while some ransomware strains engage in double extortion by stealing sensitive data, NailaoLocker's ransom note does not explicitly mention data exfiltration.
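As an added triage example (not code from this article or from any vendor tool), the following Python scans a file listing for the ".locked" suffix described earlier and for phrases from the quoted ransom note, and separately flags encrypted files under operating-system directories, the case the paragraph above notes can leave the system unusable. The system-directory roots and the sample file listing are constructed assumptions.

```python
from collections import Counter
from pathlib import PureWindowsPath

LOCKED_SUFFIX = ".locked"  # extension NailaoLocker appends (from the article)
# Phrases taken from the ransom note quoted above; two or more hits = likely note
NOTE_MARKERS = (
    "johncollinsy@proton.me",
    "purchase unlocking service",
    "same length as the bitcoin private key",
)
# Assumption: paths under these roots are treated as operating-system files
SYSTEM_ROOTS = ("c:\\windows\\", "c:\\program files\\")

def is_locked(path: str) -> bool:
    return path.lower().endswith(LOCKED_SUFFIX)

def original_extension(path: str) -> str:
    """'document.pdf.locked' -> '.pdf', the extension hidden behind the suffix."""
    stem = path[: -len(LOCKED_SUFFIX)] if is_locked(path) else path
    return PureWindowsPath(stem).suffix.lower()

def looks_like_ransom_note(text: str) -> bool:
    low = text.lower()
    return sum(marker in low for marker in NOTE_MARKERS) >= 2

def triage(paths, note_texts=()):
    """Summarise how far encryption went and whether a note was dropped."""
    locked = [p for p in paths if is_locked(p)]
    system_hits = [p for p in locked if p.lower().startswith(SYSTEM_ROOTS)]
    return {
        "total_files": len(paths),
        "locked_files": len(locked),
        "locked_ratio": round(len(locked) / len(paths), 2) if paths else 0.0,
        "original_extensions": dict(Counter(original_extension(p) for p in locked)),
        "system_files_encrypted": system_hits,  # OS may be unusable if non-empty
        "ransom_note_present": any(looks_like_ransom_note(t) for t in note_texts),
    }

# Constructed sample listing and note text for a stand-alone run (not real data)
SAMPLE_PATHS = [
    r"C:\Users\anna\Documents\report.docx.locked",
    r"C:\Users\anna\Documents\budget.xlsx.locked",
    r"C:\Users\anna\Pictures\holiday.jpg",
    r"C:\Windows\System32\drivers\etc\hosts.locked",
    r"C:\Users\anna\Desktop\notes.txt",
]
SAMPLE_NOTE = "[3.If you need to purchase unlocking service, please contact us] [Contact us on johncollinsy@proton.me]"

if __name__ == "__main__":
    print(triage(SAMPLE_PATHS, [SAMPLE_NOTE]))
```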

Given our extensive experience with ransomware infections, we can conclude that decryption without the attackers' cooperation is typically impossible. Even in cases where the ransom is paid, cybercriminals often fail to deliver the promised decryption key. Supporting this illicit activity by paying the ransom is strongly discouraged.

Preventing Further Damage from NailaoLocker

Removing NailaoLocker from an infected system could prevent additional file encryption, but it will not restore compromised data. The only effective way to recover encrypted files is through backups stored separately from the infected system. This highlights the importance of maintaining backups in multiple locations, such as unplugged external storage devices and remote servers.

The Similarities Between NailaoLocker and Other Ransomware

NailaoLocker follows the same pattern as other ransomware threats, such as Vgod, CipherLocker, FXLocker, SafePay, and DeathHunters. All these programs encrypt files and demand payment for their restoration. However, they differ in two key aspects: the cryptographic algorithms used (symmetric or asymmetric) and the ransom amount, which varies based on whether the target is an individual user or a large organization.

While NailaoLocker is relatively unsophisticated, it still poses a significant threat to businesses and institutions that lack robust cybersecurity measures. Ransomware groups often tailor their attacks to exploit specific vulnerabilities within their targets' networks.

How NailaoLocker Infiltrates Systems

In observed attacks on European organizations, NailaoLocker was deployed by exploiting a vulnerability in the Check Point VPN application, possibly the one identified as "CVE-2024-24919." The threat was introduced through the ShadowPad malware or the PlugX Remote Access Trojan (RAT). However, this ransomware could also spread via other common distribution methods.

Cybercriminals frequently rely on phishing and social engineering tactics to spread ransomware. Malicious software is often disguised as or bundled with seemingly harmless files. Once opened, these files initiate the malware's download and execution.

Common Ransomware Distribution Methods

Ransomware like NailaoLocker is commonly distributed through various means, including:

  • Drive-by downloads from compromised or malicious websites
  • Loader/backdoor-type threats
  • Dubious download sources, such as third-party file-hosting platforms and Peer-to-Peer sharing networks
  • Online scams designed to trick users into executing malicious files
  • Malvertising campaigns that inject harmful ads into legitimate sites
  • Spam emails and instant messages containing infected attachments or links
  • Fake software updates and illegal activation tools ("cracks")
  • Self-propagation via local networks and removable storage devices

These tactics allow ransomware to spread quickly and infect multiple systems within an organization, amplifying its impact.

Best Practices for Avoiding Ransomware Infections

To reduce the risk of ransomware infections, users and organizations should adopt the following security measures:

  • Download software only from official and reputable websites
  • Regularly update programs using legitimate update functions
  • Be careful when opening emails from unknown senders, especially those containing attachments or links
  • Employ strong network security measures, including firewalls and intrusion detection systems
  • Maintain offline and cloud backups of critical data
  • Educate employees to recognize phishing and other social engineering attacks

By implementing these practices, individuals and businesses can significantly reduce the likelihood of a NailaoLocker infection or of encountering similar threats.

Bottom Line

NailaoLocker ransomware, though not the most sophisticated strain, poses a real risk to organizations, particularly in Europe. Its reliance on standard encryption tactics and ransom demands aligns it with other ransomware programs, yet its lack of advanced evasion techniques may limit its overall effectiveness.

As with all ransomware, prevention is the best defense. Users should stay vigilant, adopt best security practices, and ensure that critical data is backed up in secure locations. Since paying the ransom does not guarantee data recovery, avoiding infection in the first place is paramount.

February 24, 2025