A newly identified ransomware strain, NailaoLocker, targets Windows systems and is the first documented ransomware to protect its file-encryption keys with China’s SM2 public-key standard. It points to a shift towards region-specific cryptographic primitives in criminal tooling.
Introduction to NailaoLocker
Discovered by FortiGuard Labs, NailaoLocker departs from conventional encryption malware in several respects. The name Nailao comes from the Chinese word for cheese, which may hint at a dual purpose: a working cyber weapon, or bait planted to mislead security researchers and victims.
Delivery Mechanism and Execution
NailaoLocker employs a multi-component delivery system comprising three orchestrated files:
1. Legitimate Executable (usysdiag.exe): Utilized for DLL side-loading.
2. Malicious Loader (sensapi.dll): Acts as the intermediary to load the payload.
3. Obfuscated Payload (usysdiag.exe.dat): Contains the core ransomware functionality.
Side-loading through a legitimate, signed host binary lets the payload run under a trusted process name, and the loader deletes itself after execution, removing that component from disk before responders can collect it. Upon activation, NailaoLocker creates a mutex named lockv7 to prevent multiple instances and launches a console window that openly displays its encryption progress, indicating no intention to conceal its activity from the infected user.
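The three-file chain above gives responders a simple on-disk signature to hunt for before the loader removes itself. The following Go triage tool is an added example, not code from FortiGuard Labs or from the sample: it walks a directory tree and reports every directory holding usysdiag.exe next to sensapi.dll and/or usysdiag.exe.dat. A directory with the host and the .dat payload but no DLL is still reported, because the loader is deleted after execution. File names are matched case-insensitively, as on NTFS. The sample directory layout used in main() is constructed for illustration.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
	"strings"
)

// Component names reported for the NailaoLocker delivery chain.
const (
	hostExe    = "usysdiag.exe"     // legitimate executable abused for DLL side-loading
	loaderDLL  = "sensapi.dll"      // malicious loader; deletes itself post-execution
	payloadDat = "usysdiag.exe.dat" // obfuscated ransomware payload
)

// finding describes one directory where the side-loading triad (or its remains) sits.
type finding struct {
	Dir        string
	HasLoader  bool // sensapi.dll present: staged, not yet run
	HasPayload bool // usysdiag.exe.dat present
}

// findStagedSideload walks root and returns every directory that contains the host
// executable together with the loader DLL and/or the payload file, sorted by path.
func findStagedSideload(root string) ([]finding, error) {
	byDir := map[string]map[string]bool{}
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if d.IsDir() {
			return nil
		}
		name := strings.ToLower(d.Name())
		if name == hostExe || name == loaderDLL || name == payloadDat {
			dir := filepath.Dir(p)
			if byDir[dir] == nil {
				byDir[dir] = map[string]bool{}
			}
			byDir[dir][name] = true
		}
		return nil
	})
	if err != nil {
		return nil, err
	}
	var out []finding
	for dir, seen := range byDir {
		// A lone sensapi.dll (e.g. the legitimate copy in System32) is not a hit;
		// the host executable must be present for side-loading to occur.
		if !seen[hostExe] {
			continue
		}
		f := finding{Dir: dir, HasLoader: seen[loaderDLL], HasPayload: seen[payloadDat]}
		if f.HasLoader || f.HasPayload {
			out = append(out, f)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Dir < out[j].Dir })
	return out, nil
}

func main() {
	root := "."
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	hits, err := findStagedSideload(root)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, h := range hits {
		fmt.Printf("%s  loader=%v payload=%v\n", h.Dir, h.HasLoader, h.HasPayload)
	}
}
```

Run it against user-writable locations first (profile directories, ProgramData, temp paths); a usysdiag.exe outside its vendor install path is the real signal, and a sensapi.dll sitting next to it rather than in %SystemRoot%\System32 is the side-loading tell.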
Unique Cryptographic Implementation
Fortinet analysts have identified several unique characteristics that distinguish NailaoLocker from traditional ransomware families:
– SM2 Cryptographic Standard: Unlike conventional ransomware that typically employs RSA for protecting file encryption keys, NailaoLocker pioneers the use of SM2 elliptic curve cryptography to secure its AES-256-CBC encryption keys. This marks the first documented instance of such an approach in the ransomware landscape.
– Hard-Coded SM2 Key Pairs: The malware incorporates hard-coded SM2 key pairs embedded in ASN.1 DER format alongside a built-in decryption function, an extremely rare combination that raises questions about its intended purpose.
Advanced Encryption Architecture
NailaoLocker’s execution architecture uses Windows I/O Completion Ports (IOCP) to drive multi-threaded encryption. File processing is spread across a pool of worker threads, and the malware starts at least eight of them regardless of the host’s core count, so encryption proceeds in parallel even on low-end hardware.
Encryption Process
For each target file, NailaoLocker generates fresh cryptographic material with the Windows BCryptGenRandom() function: a 32-byte AES key and a 16-byte initialization vector. It then encrypts both with its embedded SM2 public key and stores the results in a structured footer that begins with the marker LV7. Because the SM2 ciphertexts are variable-length, the footer records each one with its size: the encrypted AES key size, the encrypted key itself, the encrypted IV size, and the encrypted IV, followed by any overflow data produced by the padding step of the file encryption.
Potential Development Stage
Testing showed that the embedded SM2 private key does not work in practice, yet the decryption routine itself is sound: supplied with the raw AES key and IV captured during encryption, it restores files correctly. Together with the malware’s deliberate exclusion of critical system files and directories, this suggests that NailaoLocker is an in-development strain or an internal test build rather than a finished tool ready for wide deployment.
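The footer layout described under Encryption Process and the recovery path described here (decryption with AES material captured at encryption time) can be exercised with the following Go program. It is an added example, not code from the sample or from FortiGuard Labs. It reproduces the per-file AES-256-CBC scheme with a 32-byte key and 16-byte IV, writes an LV7 footer carrying the wrapped key and IV with their sizes, and recovers the plaintext from the raw key and IV alone. Two things are assumptions: the size fields are modelled as 4-byte little-endian integers (the report gives the field order, not the widths), and the SM2-wrapped blobs are opaque placeholder bytes, since the point is the container format and the recovery path, not SM2 itself. The padding-overflow bytes the report mentions are not modelled; here the padded last block stays in the body.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// marker is the trailer tag the report gives for NailaoLocker-encrypted files.
var marker = []byte("LV7")

// footer carries the per-file key material after asymmetric wrapping. In the real
// sample these are SM2 ciphertexts; this example treats them as opaque bytes.
type footer struct {
	WrappedKey []byte
	WrappedIV  []byte
}

// pkcs7Pad pads to the AES block size; pkcs7Unpad reverses it and rejects bad padding.
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not block aligned")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize {
		return nil, errors.New("invalid padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("invalid padding")
		}
	}
	return b[:len(b)-n], nil
}

// newFileMaterial mirrors the per-file BCryptGenRandom step: 32-byte key, 16-byte IV.
func newFileMaterial() (key, iv []byte, err error) {
	key, iv = make([]byte, 32), make([]byte, aes.BlockSize)
	if _, err = rand.Read(key); err != nil {
		return nil, nil, err
	}
	if _, err = rand.Read(iv); err != nil {
		return nil, nil, err
	}
	return key, iv, nil
}

// buildFooter serialises: marker, key size, wrapped key, IV size, wrapped IV.
// ASSUMPTION: 4-byte little-endian size fields (the report gives field order only).
func buildFooter(f footer) []byte {
	out := append([]byte{}, marker...)
	out = binary.LittleEndian.AppendUint32(out, uint32(len(f.WrappedKey)))
	out = append(out, f.WrappedKey...)
	out = binary.LittleEndian.AppendUint32(out, uint32(len(f.WrappedIV)))
	return append(out, f.WrappedIV...)
}

// splitFooter scans backwards for the marker and accepts the first candidate whose
// declared sizes consume exactly the rest of the file, so a stray "LV7" inside the
// ciphertext body is not mistaken for the trailer.
func splitFooter(data []byte) (body []byte, f footer, err error) {
	for i := len(data) - len(marker); i >= 0; i-- {
		if !bytes.Equal(data[i:i+len(marker)], marker) {
			continue
		}
		rest := data[i+len(marker):]
		if len(rest) < 4 {
			continue
		}
		kl := int(binary.LittleEndian.Uint32(rest))
		if kl < 0 || len(rest) < 8+kl {
			continue
		}
		il := int(binary.LittleEndian.Uint32(rest[4+kl:]))
		if il < 0 || len(rest) != 8+kl+il {
			continue
		}
		return data[:i], footer{WrappedKey: rest[4 : 4+kl], WrappedIV: rest[8+kl:]}, nil
	}
	return nil, footer{}, errors.New("no LV7 footer found")
}

// encryptFile runs AES-256-CBC over the padded plaintext and appends the footer.
func encryptFile(plain, key, iv []byte, f footer) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plain)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(ct, padded)
	return append(ct, buildFooter(f)...), nil
}

// decryptFile is the recovery path the report describes: it needs the raw key and IV
// captured at encryption time, because the footer copies are wrapped with SM2.
func decryptFile(data, key, iv []byte) ([]byte, error) {
	body, _, err := splitFooter(data)
	if err != nil {
		return nil, err
	}
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(body))
	cipher.NewCBCDecrypter(blk, iv).CryptBlocks(pt, body)
	return pkcs7Unpad(pt)
}

func main() {
	key, iv, err := newFileMaterial()
	if err != nil {
		panic(err)
	}
	// Constructed sample input. The wrapped blobs are placeholders of arbitrary length
	// standing in for SM2 ciphertexts.
	plain := []byte("quarterly-report.docx contents ... LV7 ... end")
	f := footer{WrappedKey: bytes.Repeat([]byte{0xAA}, 130), WrappedIV: bytes.Repeat([]byte{0xBB}, 114)}
	enc, _ := encryptFile(plain, key, iv, f)
	body, got, _ := splitFooter(enc)
	fmt.Printf("body %d bytes, wrapped key %d bytes, wrapped IV %d bytes\n", len(body), len(got.WrappedKey), len(got.WrappedIV))
	dec, err := decryptFile(enc, key, iv)
	fmt.Printf("recovered %q (err=%v)\n", dec, err)
}
```

The backwards scan with a size-consistency check matters in triage: the marker is three bytes, so it will eventually appear inside ciphertext, and a parser that takes the first "LV7" it finds will mis-split files. The decrypt path is only useful when the key and IV were captured live (memory dump, API hooking) while the process was still running, which is why the footer also records the wrapped copies for the operator.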
Implications and Recommendations
The emergence of NailaoLocker underscores the evolving ransomware landscape, in particular the adoption of region-specific cryptographic standards such as China’s SM2. The choice of cipher does not by itself make the malware harder to detect, but it does mean that analysis workflows and decryptor tooling built around RSA-wrapped keys must be extended to handle a less common primitive.
To mitigate the risk posed by NailaoLocker and similar threats, organizations are advised to:
– Implement Robust Security Measures: Ensure that all systems are updated with the latest security patches and that endpoint protection solutions are capable of detecting and responding to advanced threats.
– Conduct Regular Security Audits: Perform comprehensive security assessments to identify and remediate potential vulnerabilities within the network infrastructure.
– Educate Employees: Provide ongoing cybersecurity training to employees to recognize phishing attempts and other common attack vectors used to deploy ransomware.
– Develop Incident Response Plans: Establish and regularly update incident response protocols to ensure a swift and coordinated response in the event of a ransomware attack.
By adopting a proactive and comprehensive approach to cybersecurity, organizations can enhance their resilience against emerging threats like NailaoLocker and safeguard their critical assets from potential compromise.