AiLock ransomware, first identified in March 2025, employs advanced encryption techniques including ChaCha20 and NTRUEncrypt to target files selectively based on size and uses a multi-threaded IOCP approach for encryption. The ransomware group actively updates its negotiation and data leak sites, signaling ongoing and future operations. #AiLock #NTRUEncrypt
Keypoints
- AiLock ransomware is written in C/C++ and appends the extension .AiLock to encrypted files while dropping a ransom note named Readme.txt in infected directories.
- It uses a dual-thread system—a Path Traversal Thread to identify files and an Encryption Thread to encrypt files using ChaCha20 and NTRUEncrypt algorithms.
- The encryption method varies by file size: full encryption for files under 100MB and partial encryption for files larger than 100MB.
- AiLock dynamically resolves APIs and verifies configuration data with SHA256 hashes to ensure correct decryption of its encryption keys.
- The ransomware can scan local and network drives, stops certain services and processes to maximize file encryption, and changes the desktop wallpaper and file icons to indicate infection.
- It uses IO Completion Ports (IOCP) for multithreaded encryption performance and creates a mutex named FAUST to prevent duplicate executions.
- The group operates negotiation sites and data leak sites that are frequently changed and expanded, indicating continuous attack activity.
MITRE Techniques
- [T1059.003] Windows Command Shell – The ransomware executes commands such as self-deletion command lines using cmd.exe (‘cmd.exe /C ping 127.0.0.1 & del [Malware Path]’).
- [T1134.001] Token Impersonation/Theft – Token impersonation or theft is implied for privilege escalation, although not explicitly described in the article.
- [T1480] Execution Guardrails – The ransomware uses CPU verification via IsProcessorFeaturePresent() to optimize encryption algorithms before executing.
- [T1027] Obfuscated Files or Information – Strings and APIs are obfuscated by repeating an 8-byte XOR key to evade detection (‘Strings used by ransomware…are obfuscated by an XOR operation’).
- [T1480.002] Mutual Exclusion – A mutex named FAUST is created to prevent multiple ransomware instances (‘Mutex Name: FAUST’).
- [T1082] System Information Discovery – System information such as CPU and number of processors is gathered using GetSystemInfo() and GetSystemTime() APIs.
- [T1083] File and Directory Discovery – The Path Traversal Thread lists files and directories recursively to identify encryption targets (‘List all files in the path…Scan for extensions, files, and directories excluded from encryption’).
- [T1135] Network Share Discovery – The ransomware uses WNet APIs to access network shares for encryption (‘…uses the APIs associated with WNet to resolve the paths to network resources’).
- [T1486] Data Encrypted for Impact – The ransomware encrypts files, appends a custom file footer after encryption, and renames them with the .AiLock extension (‘…encrypts the file…rename the file’s extension to .AiLock’).
- [T1489] Service Stop – To maximize encryption effectiveness, specific services are stopped using ControlService() and processes terminated via TerminateProcess() API (‘stop the specified service…terminate a specific process’).
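The repeating 8-byte XOR string obfuscation noted under T1027 is the kind of scheme an analyst undoes with a short helper; the one below is an added example, not code from the write-up or from the malware, and its key and string table are constructed for illustration. It shows how a single known plaintext (here an API module name at a guessed offset) recovers the whole key, which then decodes every other string in the table.

```python
"""Recover and apply a repeating 8-byte XOR key of the kind described for
AiLock's string obfuscation. Added analysis example; the key and the
obfuscated blob below are constructed, not taken from a real sample."""
from itertools import cycle

KEY_LEN = 8  # the write-up describes an 8-byte repeating XOR key


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key (symmetric: encodes and decodes)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(blob: bytes, known: bytes, offset: int) -> bytes:
    """Recover the full key from >= KEY_LEN bytes of known plaintext that is
    believed to start at `offset` in the obfuscated blob. Each key byte is
    plaintext XOR ciphertext; its slot in the key is the position mod KEY_LEN."""
    if len(known) < KEY_LEN:
        raise ValueError("need at least KEY_LEN bytes of known plaintext")
    key = bytearray(KEY_LEN)
    for i in range(KEY_LEN):
        pos = offset + i
        key[pos % KEY_LEN] = blob[pos] ^ known[i]
    return bytes(key)


def split_strings(decoded: bytes) -> list[str]:
    """Split a decoded string table on NUL terminators, dropping empties."""
    return [s.decode("ascii", "replace") for s in decoded.split(b"\x00") if s]


# --- constructed sample: a NUL-separated string table XORed with a test key ---
SAMPLE_KEY = bytes.fromhex("1f3a5c7e90b2d4f6")  # constructed, not AiLock's key
SAMPLE_STRINGS = [b"kernel32.dll", b"Readme.txt", b".AiLock", b"FAUST"]
SAMPLE_BLOB = xor_with_key(b"\x00".join(SAMPLE_STRINGS) + b"\x00", SAMPLE_KEY)


def demo() -> list[str]:
    # A module name such as kernel32.dll is a typical known plaintext; in this
    # constructed table it sits at offset 0. Any >= 8-byte string at a known
    # offset works, since every key slot is visited once (see the test).
    key = recover_key(SAMPLE_BLOB, b"kernel32.dll", offset=0)
    return split_strings(xor_with_key(SAMPLE_BLOB, key))


if __name__ == "__main__":
    print(demo())
```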
Indicators of Compromise
- [File Extension] Encrypted files have the extension .AiLock appended.
- [File Name] Ransom note named Readme.txt is dropped in encrypted directories.
- [Mutex Name] Mutex FAUST is used to prevent duplicate ransomware execution.
- [Registry Keys] Keys used to change the file icon and wallpaper: HKCR\.AiLock\DefaultIcon and HKCU\Control Panel\Desktop\WallpaperStyle.
- [File Icon] tmp.ico dropped in %TEMP% used as the icon for encrypted files.