NailaoLocker is a ransomware variant targeting Microsoft Windows that uses AES-256-CBC encryption combined with hard-coded SM2 cryptographic keys, including a rare built-in decryption function. Despite its embedded SM2 private key being non-functional in tests, the ransomware’s decryption logic works correctly with valid keys, suggesting it may be an internal test build. #NailaoLocker #SM2 #AES256CBC
Keypoints
- NailaoLocker ransomware targets Microsoft Windows and encrypts files using AES-256-CBC while uniquely protecting AES keys with SM2 elliptic curve cryptography.
- It employs DLL side-loading using a legitimate executable (usysdiag.exe) to load its malicious payload stealthily.
- The ransomware operates in two modes—encryption and decryption—controlled by a hard-coded value, but lacks command-line argument capability for mode switching.
- Multi-threaded execution leveraging Windows I/O Completion Ports maximizes encryption and decryption performance across CPU cores.
- NailaoLocker excludes critical system directories and file types during encryption to maintain system stability.
- The embedded SM2 private key included for decryption fails in practical testing, implying the ransomware might be a test build or incomplete variant.
- Fortinet provides comprehensive detection and protection against NailaoLocker using updated AV signatures and behavior-based security products.
MITRE Techniques
- [T1218] Signed Binary Proxy Execution – NailaoLocker uses DLL side-loading via the legitimate usysdiag.exe to load its malicious DLL (sensapi.dll). (‘DLL side-loading used to decrypt and load NailaoLocker’)
- [T1041] Exfiltration Over C2 Channel – Although not explicitly stated, the ransomware writes log files and drops ransom notes, indicating communication with victims. (‘creates a log file at %ProgramData%\lock.log and drops ransom notes’)
- [T1490] Inhibit System Recovery – Encrypts user files and appends ransom notes after excluding system-critical paths, aiming to disrupt recovery options. (‘deliberately skipping specific system paths and file types to avoid destabilizing the infected host’)
- [T1027] Obfuscated Files or Information – The NailaoLocker payload (usysdiag.exe.dat) is obfuscated to avoid detection. (‘usysdiag.exe.dat – the obfuscated NailaoLocker payload’)
- [T1486] Data Encrypted for Impact – Encrypts files using AES-256-CBC and appends .locked extension to prevent access. (‘the ransomware appends the .locked extension and encrypts user files’)
Indicators of Compromise
- [File Names] Ransomware components – usysdiag.exe, sensapi.dll, usysdiag.exe.dat
- [File Hashes] NailaoLocker sample SHA256 – 1248c4b352b9b1325ef97435bd38b2f02d21e2c6d494a2218ee363d9874b760746f3029fcc7e2a12253c0cc65e5c58b5f1296df1e364878b178027ab26562d6860133
- [File Extensions] Encrypted files suffix – .locked
- [Mutex] Process synchronization – lockv7
- [Log Files] Operational log – %ProgramData%\lock.log
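The side-loading chain from the keypoints (usysdiag.exe, sensapi.dll, usysdiag.exe.dat sitting together) and the host indicators above can be turned into a simple triage check over a directory listing. The script below is an added defender-side example, not code from the report or from Fortinet; the sample paths, the `C:\ProgramData` expansion of `%ProgramData%`, the 50% `.locked` threshold and all function names are assumptions made for the demo.

```python
from pathlib import PureWindowsPath

# Indicators quoted from the report summary above.
SIDELOAD_HOST, SIDELOAD_DLL = "usysdiag.exe", "sensapi.dll"
PAYLOAD_BLOB, ENCRYPTED_EXT, LOG_NAME = "usysdiag.exe.dat", ".locked", "lock.log"

# Constructed sample listing for the demo; not taken from a real host.
SAMPLE_PATHS = [
    r"C:\Users\Public\Tools\usysdiag.exe",
    r"C:\Users\Public\Tools\sensapi.dll",
    r"C:\Users\Public\Tools\usysdiag.exe.dat",
    r"C:\Windows\System32\sensapi.dll",  # legitimate copy: no host EXE or .dat beside it
    r"C:\ProgramData\lock.log",
    r"C:\Users\alice\Documents\report.docx.locked",
    r"C:\Users\alice\Documents\budget.xlsx.locked",
    r"C:\Users\alice\Documents\notes.txt",
]

def _group_by_dir(paths):
    """Map each lower-cased directory to the set of lower-cased file names in it."""
    by_dir = {}
    for p in paths:
        wp = PureWindowsPath(p)
        by_dir.setdefault(str(wp.parent).lower(), set()).add(wp.name.lower())
    return by_dir

def sideload_triads(paths):
    """Directories where the host EXE, the rogue sensapi.dll and the .dat payload sit together."""
    needed = {SIDELOAD_HOST, SIDELOAD_DLL, PAYLOAD_BLOB}
    return sorted(d for d, names in _group_by_dir(paths).items() if needed <= names)

def locked_ratio(paths, directory):
    """Fraction of files in `directory` carrying the .locked suffix (0.0 if empty)."""
    names = _group_by_dir(paths).get(directory.lower(), set())
    return sum(n.endswith(ENCRYPTED_EXT) for n in names) / len(names) if names else 0.0

def triage(paths, ratio_threshold=0.5):
    """Return (indicator, detail) findings for an analyst to review."""
    findings = [("sideload_triad", d) for d in sideload_triads(paths)]
    if any(PureWindowsPath(p).name.lower() == LOG_NAME
           and PureWindowsPath(p).parent.name.lower() == "programdata" for p in paths):
        findings.append(("lock_log", LOG_NAME))
    for d in _group_by_dir(paths):
        if locked_ratio(paths, d) >= ratio_threshold:
            findings.append(("locked_files", d))
    return findings

if __name__ == "__main__":
    for indicator, detail in triage(SAMPLE_PATHS):
        print(f"{indicator}: {detail}")
```

The legitimate sensapi.dll in System32 is not flagged because the host EXE and the .dat blob are not beside it, which is the point of checking for the full triad rather than the DLL name alone.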