New NailaoLocker Ransomware Used Against EU Healthcare Orgs

A previously undocumented ransomware strain, NailaoLocker, was used against European healthcare organizations from June to October 2024, with initial access gained by exploiting CVE-2024-24919. The ransomware is associated with Chinese state-sponsored threat tactics but is considered relatively unsophisticated compared to other ransomware families. The attacks also show potential overlaps with espionage activity, pointing to a concerning shift in Chinese cyber actors’ strategies.
Affected: European healthcare organizations, network security, ransomware operations

Key points:

  • New ransomware named NailaoLocker has been discovered.
  • Attacks targeted European healthcare organizations between June and October 2024.
  • Exploited CVE-2024-24919, a vulnerability in the Check Point Security Gateway.
  • Associated with Chinese state-sponsored cyber-espionage tactics.
  • NailaoLocker doesn’t use sophisticated techniques like terminating security processes or anti-debugging.
  • Deployed via DLL sideloading using the legitimate executable usysdiag.exe.
  • Encrypts files with AES-256-CTR and appends the extension “.locked”.
  • Drops an unusually lengthy ransom note with instructions to contact a ProtonMail address.
  • No indication of data theft, which is uncommon in modern ransomware.
  • Possible overlap with cybercrime activity from a group named Kodex Softwares.

MITRE Techniques:

  • T1041 – Exfiltration Over Command and Control Channel: The ransom note and communication method via ProtonMail.
  • T1071.001 – Application Layer Protocol: Use of HTTP for ransom note delivery.
  • T1059.003 – Command-Line Interface: Execution of commands through usysdiag.exe to load the ransomware.
  • T1203 – Exploitation for Client Execution: Exploiting CVE-2024-24919 to gain access.
  • T1085 – Rundll32: DLL sideloading via the legitimate sensapi.dll for executing the payload.

Indicators of Compromise:

  • [Email Address] johncollinsy@proton[.]me
  • [File Name] unlock_please_view_this_file_unlock_please_view_this_file_unlock_please_view_this_file_unlock_please_view_this_file_unlock_please_view_this_file_unlock_please_view_this_file_unlock_please.html
  • [Executable File] usysdiag.exe
  • [DLL File] sensapi.dll
  • [Payload File] usysdiag.exe.dat
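The DLL sideloading described in the key points (the legitimate usysdiag.exe loading a malicious sensapi.dll) leaves a recognisable trace in image-load telemetry. The following detection script is an added example, not code from the article or from any vendor; it assumes Sysmon-style Event ID 7 (Image loaded) records with the fields used below, and the sample events are constructed, not real telemetry.

```python
"""Flag the usysdiag.exe -> sensapi.dll sideload in Sysmon-style image-load events.
Added detection example; assumes records shaped like Sysmon Event ID 7 with the
fields used below. The sample events at the bottom are constructed, not real.
"""
import ntpath

# The genuine sensapi.dll lives in the Windows system directories. A sensapi.dll
# loaded from anywhere else while usysdiag.exe runs is the sideloading signal.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
HOST_EXE = "usysdiag.exe"
SIDELOADED_DLL = "sensapi.dll"
PAYLOAD_FILE = "usysdiag.exe.dat"  # payload file named in the IoC list


def is_sideload(event):
    """True when usysdiag.exe loads a sensapi.dll that is not the system copy."""
    if ntpath.basename(event["Image"]).lower() != HOST_EXE:
        return False
    loaded = event["ImageLoaded"]
    if ntpath.basename(loaded).lower() != SIDELOADED_DLL:
        return False
    return ntpath.dirname(loaded).lower() not in SYSTEM_DIRS


def scan(events):
    """Return (ProcessId, ImageLoaded) for every event that matches the sideload."""
    return [(e["ProcessId"], e["ImageLoaded"]) for e in events if is_sideload(e)]


def payload_candidates(paths):
    """Return file paths named like the payload the brief lists (usysdiag.exe.dat)."""
    return [p for p in paths if ntpath.basename(p).lower() == PAYLOAD_FILE]


# Constructed sample events: one benign system load, one sideload, and one
# usysdiag.exe run that picks up the genuine system DLL (not flagged).
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\sensapi.dll"},
    {"ProcessId": 5312, "Image": r"C:\Users\Public\Tools\usysdiag.exe",
     "ImageLoaded": r"C:\Users\Public\Tools\sensapi.dll"},
    {"ProcessId": 5400, "Image": r"C:\Users\Public\Tools\usysdiag.exe",
     "ImageLoaded": r"C:\Windows\System32\sensapi.dll"},
]

if __name__ == "__main__":
    for pid, dll in scan(SAMPLE_EVENTS):
        print(f"possible DLL sideload: pid={pid} loaded {dll}")
```

Pairing the image-load hit with a usysdiag.exe.dat file in the same directory raises confidence, since the brief lists that file as the payload carrier.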


Full Story: https://medium.com/@MrAmazin/new-nailaolocker-ransomware-used-against-eu-healthcare-orgs-21bf2051a76c?source=rss——cybersecurity-5