Summary: A new ransomware variant called NailaoLocker has been identified targeting European healthcare organizations through a Check Point Security Gateway vulnerability. This malware, linked to Chinese cyber-espionage tactics, features a rudimentary design lacking many advanced evasion techniques. Despite its basic nature, the attack is indicative of a potential shift in strategy for state-sponsored actors who may be seeking additional revenue through ransomware schemes.
Affected: European healthcare organizations
Key points:
- NailaoLocker is a previously undocumented ransomware strain observed from June to October 2024.
- The attacks utilized CVE-2024-24919 to deploy PlugX and ShadowPad malware, associated with Chinese threat groups.
- The ransomware encrypts files using an AES-256-CTR scheme, appending the “.locked” extension and includes an unusually lengthy ransom note with contact details.
- Orange Cyberdefense CERT has noted potential overlaps between the ransom note and tools sold by the Kodex Softwares group, but lacks direct code connections.
- There is speculation that the operations could be false flags or attempts at combining espionage with revenue generation.
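As a defender-side triage aid that is not from the original report: the script below scores files carrying the ".locked" suffix by byte entropy, since AES-256-CTR output is indistinguishable from random and, having no padding, keeps the original file size. The sample "filesystem" and the SHA-256 chain standing in for real ciphertext are constructed for this example.

```python
import math
import hashlib
from collections import Counter

# Heuristic threshold: AES-CTR output looks random, so a genuinely
# encrypted file scores close to the 8.0 bits/byte maximum.
ENTROPY_THRESHOLD = 7.5
LOCKED_SUFFIX = ".locked"  # extension reported for NailaoLocker


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total)
                for c in Counter(data).values())


def triage(files: dict) -> list:
    """Flag entries that look like NailaoLocker output: '.locked' suffix plus
    near-random content. Size is reported because CTR mode adds no padding,
    so ciphertext length equals the length of the original plaintext."""
    hits = []
    for name, data in files.items():
        if not name.endswith(LOCKED_SUFFIX):
            continue
        ent = shannon_entropy(data)
        hits.append({"name": name, "size": len(data),
                     "entropy": round(ent, 2),
                     "likely_encrypted": ent >= ENTROPY_THRESHOLD})
    return hits


def _pseudo_ciphertext(seed: bytes, length: int) -> bytes:
    """Constructed stand-in for AES-CTR output (a SHA-256 chain), used only
    so the example runs offline without a crypto library."""
    out, block = b"", seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:length]


# Constructed sample "filesystem": one untouched CSV and one encrypted copy.
SAMPLE_FILES = {
    "patient_list.csv": b"id,name,dob\n" * 300,
    "patient_list.csv.locked": _pseudo_ciphertext(b"demo", 3600),
}

if __name__ == "__main__":
    for hit in triage(SAMPLE_FILES):
        print(hit)
```

Entropy alone cannot distinguish ciphertext from compressed data, so pair the score with the suffix and with the ransom note's presence before escalating.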