A previously undocumented ransomware payload named NailaoLocker has been detected in attacks targeting European healthcare entities between June and October 2024.
The attackers exploited CVE-2024-24919, a Check Point Security Gateway vulnerability, to gain access to the targeted networks and install the ShadowPad and PlugX malware families, which are closely associated with Chinese state-sponsored threat groups. Orange Cyberdefense CERT attributes the attacks to Chinese cyber-espionage tradecraft, although there is insufficient evidence to assign them to a specific group.
According to Orange's researchers, NailaoLocker is a rather rudimentary ransomware strain compared with the best-known families in the field. Orange classifies NailaoLocker as simple because it does not terminate security processes or running services, lacks anti-debugging and sandbox-evasion techniques, and does not enumerate network shares.
The malware is delivered to target systems through DLL sideloading: a malicious sensapi.dll is loaded by a genuine, signed executable (usysdiag.exe). The loader (NailaoLoader) probes its environment with memory-address checks before decrypting the main payload (usysdiag.exe.dat) and loading it into memory.
NailaoLocker then runs and encrypts files with AES-256-CTR, appending the ".locked" extension to each encrypted file.
Once encryption is complete, the ransomware drops an HTML ransom note with the unusually long filename "unlock_please_view_this_file_unlock_please_view_this_file_unlock_please_view_this_file_unlock_please_view_this_file_unlock_please.html".
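The on-disk artefacts described above (the usysdiag.exe / sensapi.dll / usysdiag.exe.dat sideloading triad, the ".locked" extension and the ransom-note filename) are enough for a quick post-incident triage sweep. The script below is an added example written for this article, not tooling from Orange Cyberdefense or any of the vendors named; the directory layout it scans is constructed sample data, and the artefact names are the ones the report gives. Note that sensapi.dll is also the name of a legitimate Windows library, so the check only treats it as suspicious when it sits next to usysdiag.exe, and that the loader's in-memory checks leave nothing a file walk can see.

```python
"""Added NailaoLocker on-disk triage example (not from the original report)."""
import os
import tempfile
from dataclasses import dataclass, field

# Artefact names as given in the report above.
SIDELOAD_EXE = "usysdiag.exe"          # legitimate, signed host executable
SIDELOAD_DLL = "sensapi.dll"           # NailaoLoader, sideloaded by the exe
SIDELOAD_PAYLOAD = "usysdiag.exe.dat"  # encrypted NailaoLocker payload
ENCRYPTED_EXT = ".locked"
RANSOM_NOTE = (
    "unlock_please_view_this_file_unlock_please_view_this_file_"
    "unlock_please_view_this_file_unlock_please_view_this_file_"
    "unlock_please.html"
)


@dataclass
class TriageResult:
    sideload_dirs: list = field(default_factory=list)  # dirs with exe + dll
    ransom_notes: list = field(default_factory=list)   # paths of ransom notes
    locked_files: int = 0                              # count of *.locked files


def triage(root):
    """Walk `root` and collect NailaoLocker indicators of compromise."""
    result = TriageResult()
    for dirpath, _dirs, files in os.walk(root):
        names = {f.lower() for f in files}
        # Sideloading triad: the signed exe co-located with the malicious DLL.
        # sensapi.dll is a legitimate Windows library name, so only its
        # presence next to usysdiag.exe is flagged, not the name on its own.
        if SIDELOAD_EXE in names and SIDELOAD_DLL in names:
            result.sideload_dirs.append(dirpath)
        for f in files:
            lf = f.lower()
            if lf == RANSOM_NOTE:
                result.ransom_notes.append(os.path.join(dirpath, f))
            elif lf.endswith(ENCRYPTED_EXT):
                result.locked_files += 1
    return result


def build_sample_tree(root):
    """Constructed sample layout (hypothetical, not real evidence)."""
    stage = os.path.join(root, "ProgramData", "stage")
    docs = os.path.join(root, "Users", "alice", "Documents")
    os.makedirs(stage)
    os.makedirs(docs)
    for name in (SIDELOAD_EXE, SIDELOAD_DLL, SIDELOAD_PAYLOAD):
        open(os.path.join(stage, name), "wb").close()
    for name in ("report.docx.locked", "budget.xlsx.locked", "notes.txt"):
        open(os.path.join(docs, name), "wb").close()
    open(os.path.join(docs, RANSOM_NOTE), "wb").close()


def run_demo():
    """Build the sample tree in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage(tmp)


if __name__ == "__main__":
    r = run_demo()
    print("sideload dirs :", r.sideload_dirs)
    print("ransom notes  :", r.ransom_notes)
    print("locked files  :", r.locked_files)
```

On a real host you would call `triage()` on the drive roots instead of the constructed tree; because the host executable is genuinely signed, Authenticode checks alone will not surface the staging directory, which is why the script keys on co-location rather than signature state.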
Combining ransomware and espionage
On further investigation, Orange reports some parallels between the ransom note's content and a ransomware tool sold by a cybercrime outfit known as Kodex Softwares (previously Evil Extractor). However, there were no obvious code overlaps, so the connection remains tenuous.
Orange has put forward several hypotheses for the attacks, including a false-flag operation designed to distract, deliberate data theft combined with revenue generation, and, most likely, a Chinese cyber-espionage group "moonlighting" to make some money.
Only last week, Symantec revealed that suspected Emperor Dragonfly (also known as Bronze Starlight) operators were using RA World ransomware against Asian software companies and demanding a $2 million ransom.
The shift in strategy is concerning because Chinese state-backed actors have not adopted the approach of North Korean actors, who are known to pursue several objectives concurrently, including financial gain through ransomware operations.