Cyber Web Spider Blog – News
NailaoLocker Ransomware Attacking Windows Systems Using Chinese SM2 Cryptographic Standard

Posted on July 21, 2025 By CWS

FortiGuard Labs has identified a sophisticated new ransomware strain called NailaoLocker that represents a significant departure from conventional encryption malware.

This Windows-targeting threat introduces the first documented use of China’s SM2 cryptographic standard in ransomware operations, marking a notable shift toward region-specific cryptographic implementations in cybercriminal activity.

The malware’s name, derived from the Chinese word for “cheese,” may hint at its true purpose as either a functional weapon or an elaborate decoy designed to mislead security researchers and victims alike.

NailaoLocker employs a multi-component delivery system consisting of three carefully orchestrated files: a legitimate executable (usysdiag.exe) used for DLL side-loading, a malicious loader (sensapi.dll), and an obfuscated payload (usysdiag.exe.dat).
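The three-file layout described above (a signed host executable, a DLL with a Windows system-library name, and a data blob beside them) is a pattern a defender can hunt for in a file inventory. The script below is an added example written for this article, not Fortinet’s tooling; the watch list of DLL names beyond sensapi.dll and the sample inventory are constructed, and the directory heuristic is an assumption: a system-DLL name found outside the Windows system folders next to an executable is flagged.

```python
from pathlib import PureWindowsPath

# Constructed watch list (not from the article): DLL names that Windows ships
# in System32 and that are commonly abused for side-loading. sensapi.dll is
# the loader name reported for NailaoLocker; the others are assumed additions.
WATCHED_DLLS = {"sensapi.dll", "version.dll", "dbghelp.dll"}

# Directories where these DLLs legitimately live; a copy anywhere else is suspect.
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")


def find_sideload_candidates(paths):
    """Group an inventory of file paths by directory and flag any directory
    outside the Windows system folders that holds both an executable and a
    DLL carrying a system-DLL name. Returns a list of dicts, one per hit."""
    by_dir = {}
    for p in paths:
        wp = PureWindowsPath(p)
        by_dir.setdefault(str(wp.parent).lower(), []).append(wp.name.lower())

    hits = []
    for directory, names in by_dir.items():
        if directory.startswith(SYSTEM_DIRS):
            continue  # expected location for these DLLs, not side-loading
        exes = [n for n in names if n.endswith(".exe")]
        dlls = [n for n in names if n in WATCHED_DLLS]
        for dll in dlls:
            for exe in exes:
                hits.append({
                    "directory": directory,
                    "host_exe": exe,
                    "dll": dll,
                    # Companion data blobs (NailaoLocker keeps its payload in usysdiag.exe.dat).
                    "companion_files": sorted(n for n in names if n.endswith(".dat")),
                })
    return hits


# Constructed file inventory, as an EDR export or disk triage script might produce it.
SAMPLE_INVENTORY = [
    r"C:\Windows\System32\sensapi.dll",           # legitimate copy: ignored
    r"C:\Users\Public\Libraries\usysdiag.exe",
    r"C:\Users\Public\Libraries\sensapi.dll",
    r"C:\Users\Public\Libraries\usysdiag.exe.dat",
    r"C:\Program Files\Vendor\tool.exe",          # executable alone: no hit
]

if __name__ == "__main__":
    for hit in find_sideload_candidates(SAMPLE_INVENTORY):
        print(hit)
```

Because the article notes the loader deletes itself after a successful run, a live scan may only find the host executable and the .dat payload; the heuristic still surfaces the directory when the DLL is present, and the companion_files field helps an analyst spot the orphaned payload afterwards.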

This deployment mechanism lets the ransomware execute with minimal detection while immediately cleaning up forensic traces by deleting the loader component after successful execution.

The malware creates a mutex named “lockv7” to prevent multiple instances and launches a console window that openly displays its encryption progress, suggesting no intention to hide its activity from infected users.

Fortinet analysts identified several distinctive characteristics that distinguish NailaoLocker from conventional ransomware families.

Most notably, the malware contains hard-coded SM2 key pairs embedded in ASN.1 DER format alongside a built-in decryption function, an extremely unusual combination that raises questions about its intended purpose.

DLL side-loading used to decrypt and load NailaoLocker (Source – Fortinet)

While conventional ransomware typically uses RSA to protect file encryption keys, NailaoLocker pioneers the use of SM2 elliptic curve cryptography to secure its AES-256-CBC encryption keys, representing the first documented instance of this approach in the ransomware landscape.

Advanced Encryption Architecture and Multi-Threading Implementation

The ransomware’s technical sophistication extends to its execution architecture, which leverages Windows I/O Completion Ports (IOCP) to implement high-performance multi-threaded encryption operations.

This design enables NailaoLocker to efficiently distribute file processing across multiple CPU cores, with the malware creating a minimum of eight worker threads regardless of system specifications to ensure optimal performance even on lower-end hardware configurations.

During the encryption process, NailaoLocker generates unique cryptographic material for every target file using the Windows BCryptGenRandom() function to create 32-byte AES keys and 16-byte initialization vectors.

The malware then uses its embedded SM2 public key to encrypt these symmetric components, storing the variable-length encrypted keys in a structured footer that begins with the marker “LV7.”

This footer contains the encrypted AES key size, the encrypted key itself, the encrypted IV size, and the encrypted IV, along with any overflow data that results from the encryption padding process.
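The footer layout described above can be checked mechanically during triage, both to confirm that a file was touched by this family and to carve out the per-file key material that a recovery effort would need. The parser below is an added example written for this article, not code from Fortinet or from the malware. The article does not give field widths, so the size fields are assumed to be 4-byte little-endian integers, the 4096-byte plausibility bound is constructed, and the sample file image is built from constructed filler bytes rather than real ciphertext.

```python
import struct

MARKER = b"LV7"
# Assumption: the article gives no field widths, so sizes are modelled here as
# 4-byte little-endian unsigned integers; adjust if a real sample shows otherwise.
LEN_FMT = "<I"
LEN_SIZE = struct.calcsize(LEN_FMT)
MAX_BLOB = 4096  # constructed sanity bound for an SM2-wrapped key or IV


def parse_lv7_footer(data: bytes):
    """Locate the trailing LV7 footer in an encrypted file image and split it
    into its fields. Returns None when no well-formed footer is present."""
    start = data.rfind(MARKER)
    if start < 0:
        return None
    pos = start + len(MARKER)

    def read_blob(at):
        # A length prefix followed by that many bytes, bounds-checked so a
        # truncated or corrupted file cannot make us read past the buffer.
        if at + LEN_SIZE > len(data):
            raise ValueError("truncated length field")
        (n,) = struct.unpack_from(LEN_FMT, data, at)
        at += LEN_SIZE
        if n == 0 or n > MAX_BLOB or at + n > len(data):
            raise ValueError("implausible or truncated blob")
        return data[at:at + n], at + n

    try:
        enc_key, pos = read_blob(pos)   # SM2-encrypted AES-256 key
        enc_iv, pos = read_blob(pos)    # SM2-encrypted 16-byte IV
    except ValueError:
        return None

    return {
        "ciphertext_len": start,        # everything before the marker
        "footer_offset": start,
        "enc_key": enc_key,
        "enc_iv": enc_iv,
        "overflow": data[pos:],         # trailing padding overflow, if any
    }


def build_sample(ciphertext, enc_key, enc_iv, overflow=b""):
    """Assemble a file image in the layout described above (constructed data only)."""
    return (ciphertext + MARKER
            + struct.pack(LEN_FMT, len(enc_key)) + enc_key
            + struct.pack(LEN_FMT, len(enc_iv)) + enc_iv
            + overflow)


# Constructed sample: opaque filler bytes stand in for AES ciphertext and SM2 output.
SAMPLE = build_sample(b"\x11" * 1024, b"\x22" * 129, b"\x33" * 113, b"\x44" * 16)

if __name__ == "__main__":
    info = parse_lv7_footer(SAMPLE)
    print({k: (len(v) if isinstance(v, bytes) else v) for k, v in info.items()})
```

One caveat for real samples: rfind() anchors on the last occurrence of the marker, so a wrapped key whose bytes happen to contain “LV7” would throw the parse off; a production version should try each candidate marker from the end of the file backwards and keep the first one that yields plausible field sizes.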

Testing revealed that while the embedded SM2 private key appears non-functional in practice, the decryption logic operates correctly when supplied with valid AES material captured during encryption.

This discovery, combined with the malware’s deliberate exclusion of critical system files and directories, suggests NailaoLocker may represent an in-development strain or internal testing build rather than an active deployment ready for widespread distribution.


Cyber Security News Tags:Attacking, Chinese, Cryptographic, NailaoLocker, Ransomware, SM2, Standard, Systems, Windows
