NailaoLocker Ransomware's 'Cheese'
NailaoLocker, a new ransomware variant targeting Windows systems, uses AES-256-CBC encryption and uniquely incorporates SM2 cryptography with hard-coded keys. It employs DLL side-loading for execution and uses I/O Completion Ports for multi-threaded file processing. The ransomware includes both encryption and decryption modes, with a built-in SM2 key pair. However, testing revealed the embedded private key fails to decrypt files properly, suggesting it may be a trap or an incomplete build. NailaoLocker's use of Chinese SM2 standards for key protection marks a departure from typical ransomware practices. While the decryption logic functions correctly with valid key material, the variant's true intent remains unclear.
AI Analysis
Technical Summary
NailaoLocker is a newly identified ransomware variant targeting Windows operating systems. It employs AES-256-CBC symmetric encryption to encrypt victim files, a standard and strong encryption algorithm widely used in ransomware. Uniquely, NailaoLocker incorporates SM2 cryptography, a Chinese national cryptographic standard based on elliptic curve cryptography, to protect its encryption keys. This use of SM2 with hard-coded keys is atypical compared to most ransomware families that rely solely on asymmetric RSA or ECC keys generated per victim.

NailaoLocker uses DLL side-loading as its execution technique, a method where a malicious DLL is loaded by a legitimate application to evade detection. It also leverages I/O Completion Ports for multi-threaded file processing, enhancing encryption speed and efficiency across multiple CPU cores. The ransomware contains both encryption and decryption functionalities and includes a built-in SM2 key pair. However, testing indicates the embedded private key fails to decrypt files correctly, suggesting the ransomware may be incomplete, experimental, or a trap to mislead researchers. The decryption logic itself is functional when provided with valid key material, but the hard-coded private key is ineffective. NailaoLocker's use of Chinese SM2 cryptography marks a departure from typical ransomware cryptographic practices and may indicate origin or targeting preferences.

The ransomware also employs several known techniques mapped to MITRE ATT&CK tactics, including user execution (T1204.002), process injection (T1055), file deletion (T1112), file and directory discovery (T1083), boot or logon autostart execution (T1547.001), obfuscated files or information (T1027), data encrypted for impact (T1486), indicator removal on host (T1070.004), and DLL side-loading (T1574.002). There are no known exploits in the wild yet, and no CVE identifier has been assigned.
The overall severity is assessed as medium due to the current lack of widespread exploitation and incomplete decryption capability.
Potential Impact
For European organizations, NailaoLocker poses a moderate threat primarily to Windows-based environments. The ransomware’s multi-threaded encryption capability could lead to rapid file encryption, causing significant operational disruption. The use of DLL side-loading complicates detection and mitigation, increasing the risk of successful infection. The unique use of SM2 cryptography may hinder traditional forensic and decryption efforts, especially if organizations lack expertise or tools supporting this cryptographic standard. Although the embedded private key is ineffective, if threat actors deploy a fully functional variant with valid keys, data recovery without paying ransom could be impossible. This could result in data loss, business interruption, reputational damage, and financial costs related to ransom payments or recovery efforts. The ransomware’s techniques for persistence and indicator removal increase the difficulty of incident response. However, the absence of known active exploitation campaigns and incomplete decryption functionality currently limit the immediate impact. European organizations with critical infrastructure, healthcare, finance, and manufacturing sectors could be particularly concerned due to their reliance on Windows systems and the potential for operational disruption.
Mitigation Recommendations
1. Implement strict application whitelisting and monitor for DLL side-loading behaviors, especially in critical Windows applications.
2. Employ endpoint detection and response (EDR) solutions capable of detecting multi-threaded suspicious file operations and process injection techniques.
3. Regularly back up critical data with offline or immutable backups to ensure recovery without ransom payment.
4. Monitor for unusual use of cryptographic libraries or calls consistent with SM2 or AES-256-CBC encryption.
5. Harden user privileges to prevent unauthorized execution of binaries and DLLs, and enforce least privilege principles.
6. Conduct user awareness training focused on phishing and social engineering, as user execution is a likely infection vector.
7. Maintain up-to-date threat intelligence feeds and integrate indicators of compromise (hashes provided) into security monitoring tools.
8. Employ network segmentation to limit lateral movement and isolate infected systems quickly.
9. Monitor for persistence mechanisms such as autostart registry keys and suspicious DLL loads.
10. Collaborate with cybersecurity information sharing organizations to stay informed about developments related to NailaoLocker and similar threats.
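Recommendation 7 above asks that the published hashes be fed into monitoring tools. The following is an added example, not code from the original report or from the Fortinet research it references, showing one way a defender can do that offline: the three SHA-256 indicators from this page are normalized (IoC feeds often carry "hash:" or "sha256:" prefixes, mixed case, or list bullets), then a directory tree is walked and every DLL or EXE is hashed and compared against the set. The sample file it creates is constructed for the demonstration; the function and variable names are the example's own.

```python
import hashlib
import os
import re
import tempfile

# SHA-256 indicators of compromise listed on this page, in the raw form a feed
# might deliver them (bullets, prefixes and mixed case are normalized below).
RAW_IOCS = [
    "- hash: 1248c4b352b9b1325ef97435bd38b2f02d21e2c6d494a2218ee363d9874b7607",
    "hash46f3029fcc7e2a12253c0cc65e5c58b5f1296df1e364878b178027ab26562d68",
    "SHA256: 60133376A7C8E051DA787187761E596CE9B3D0CFCEA21ED8F434992AA7CB8605",
]

_HEX64 = re.compile(r"[0-9a-f]{64}")


def normalize_sha256(value):
    """Return a lowercase 64-hex digest, or None if the value is not a SHA-256."""
    v = value.strip().lstrip("-").strip().lower()
    for prefix in ("sha256:", "hash:", "hash"):
        if v.startswith(prefix):
            v = v[len(prefix):].strip()
            break
    return v if _HEX64.fullmatch(v) else None


def load_iocs(raw_values):
    """Build the match set, silently dropping malformed entries."""
    return {d for d in (normalize_sha256(v) for v in raw_values) if d}


NAILAOLOCKER_SHA256 = load_iocs(RAW_IOCS)


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root, iocs=NAILAOLOCKER_SHA256, extensions=(".dll", ".exe")):
    """Return [(path, digest)] for files under root whose digest is in iocs.

    Only the extensions relevant to the side-loading chain (DLL/EXE) are hashed
    by default; pass extensions=() to hash everything. Unreadable files are skipped.
    """
    matches = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if extensions and not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_of_file(path)
            except OSError:
                continue
            if digest in iocs:
                matches.append((path, digest))
    return matches


def build_sample_tree():
    """Constructed fixture: a temp dir with one empty DLL and one text file."""
    root = tempfile.mkdtemp(prefix="ioc_scan_")
    dll_path = os.path.join(root, "empty.dll")
    open(dll_path, "wb").close()
    with open(os.path.join(root, "notes.txt"), "w") as f:
        f.write("not a binary\n")
    return root, dll_path


if __name__ == "__main__":
    root, dll_path = build_sample_tree()
    print("loaded indicators:", len(NAILAOLOCKER_SHA256))
    print("matches against page IoCs:", scan_directory(root))
    # Matching the fixture's own digest shows the scanner reports a hit.
    print("matches against fixture digest:",
          scan_directory(root, iocs={sha256_of_file(dll_path)}))
```

Run it against a staging share or an EDR file export rather than a live production host during an incident; it reports the path and digest of any file whose SHA-256 matches, and returns an empty list when nothing on disk corresponds to the published indicators.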
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Indicators of Compromise
- hash: 1248c4b352b9b1325ef97435bd38b2f02d21e2c6d494a2218ee363d9874b7607
- hash: 46f3029fcc7e2a12253c0cc65e5c58b5f1296df1e364878b178027ab26562d68
- hash: 60133376a7c8e051da787187761e596ce9b3d0cfcea21ed8f434992aa7cb8605
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.fortinet.com/blog/threat-research/nailaolocker-ransomware-cheese
- Adversary: null
- Pulse Id: 687e161b6ba1211b16b985c4
- Threat Score: null
Threat ID: 687e1a6da83201eaac0b9ea4
Added to database: 7/21/2025, 10:46:05 AM
Last enriched: 7/21/2025, 11:01:17 AM
Last updated: 8/29/2025, 11:02:26 AM