2025-02-27

NailaoLocker Ransomware Targets European Healthcare Sector, Linked to Chinese Intrusion Sets

Level: Tactical  |  Source: Orange Cyberdefense
Healthcare


A previously unidentified ransomware strain, NailaoLocker, was observed targeting European organizations between June and October 2024, with a specific focus on healthcare entities. The campaign, analyzed by Orange Cyberdefense CERT, points to a connection to Chinese state-affiliated threat actors because of the deployment of ShadowPad and PlugX malware—tools commonly linked with Chinese cyber-espionage groups. Orange Cyberdefense CERT assesses with "medium confidence" that the activity aligns with known Chinese intrusion tactics, but no direct attribution has been made. While the threat actor presents a clear risk based on the incidents Orange Cyberdefense CERT investigated, the ransomware payload lacks key functionalities commonly found in more mature ransomware families: it has no capability to terminate security processes, scan network shares, or hinder debugging.

The intrusion campaign leveraged CVE-2024-24919, a zero-day vulnerability in Check Point Security Gateways, as its initial access vector. This flaw, actively exploited since April 2024, allows attackers to retrieve password hashes and gain VPN access using legitimate credentials. Following initial compromise, the threat actors conducted internal network reconnaissance to gain context and moved laterally using RDP. Key tools observed include “logger.exe,” a legitimate binary used to sideload a malicious DLL (“logexts.dll”), which facilitated the execution of additional payloads. Persistence was achieved through Windows registry modifications, service installations, or startup tasks. Malware such as PlugX and ShadowPad provided remote access and command and control (C2). A notable finding from Orange Cyberdefense CERT states, "In fact, we observed in some cases more than two weeks between these first stages of compromise and post-exploitation activities," indicating a delayed ransomware deployment following initial network access.

As the threat actor neared the execution of their ransomware objective, ZIP archives were created to capture and store sensitive files. In one reported incident, the “ntds.dit” database file was exfiltrated. Orange Cyberdefense CERT noted gaps in visibility, stating that in "several cases, limited firewall log retention and/or missing traffic details—such as packet sizes, session information, or data exchange volumes—restricted" investigators' ability to fully analyze threat activity. The ransomware deployment process involved a script that distributed three files to each targeted system via Windows Management Instrumentation (WMI): “usysdiag.exe” (a signed legitimate executable), “sensapi.dll” (NailaoLoader), and “usysdiag.exe.dat” (the obfuscated NailaoLocker payload). There is potential overlap between this group and the Cluster Alpha (STAC1248) threat cluster reported in Sophos' 2023 Crimson Palace operation, given the link to the “usysdiag.exe” executable used in both campaigns. Once executed, NailaoLocker encrypted files using the AES-256-CTR encryption scheme and appended the ".locked" extension. Unlike more advanced ransomware families, NailaoLocker lacks data-wiping or anti-analysis mechanisms, reinforcing assessments that this campaign is still evolving.
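As an added illustration of how a defender might hunt for the deployment chain just described (example code written for this summary, not from Orange Cyberdefense or Anvilogic), the following Python matches the three observables on constructed Sysmon-style events: the usysdiag.exe/sensapi.dll sideload from a non-system path, the dropped usysdiag.exe.dat payload, and a burst of files carrying the .locked extension. The Sysmon field names, the sample events and the alert threshold are assumptions.

```python
"""Hunting heuristics for the NailaoLocker deployment chain described above. Events are
constructed, Sysmon-style records (EventID 7 = image load, 11 = file create), not real telemetry."""
from collections import Counter

SIDELOAD_HOST = "usysdiag.exe"          # signed, legitimate host binary
SIDELOAD_DLL = "sensapi.dll"            # NailaoLoader, named like a Windows system DLL
PAYLOAD_FILE = "usysdiag.exe.dat"       # obfuscated NailaoLocker payload
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
LOCKED_THRESHOLD = 3                    # ".locked" creates per host before alerting (assumed, tune it)

def sideload_hosts(events):
    """Hosts where usysdiag.exe loaded sensapi.dll from outside a Windows system directory."""
    hits = set()
    for e in (x for x in events if x["EventID"] == 7):
        image, loaded = e["Image"].lower(), e["ImageLoaded"].lower()
        if (image.endswith("\\" + SIDELOAD_HOST) and loaded.endswith("\\" + SIDELOAD_DLL)
                and not loaded.startswith(SYSTEM_DIRS)):
            hits.add(e["Computer"])
    return hits

def payload_drop_hosts(events):
    """Hosts where the obfuscated payload file was written to disk."""
    return {e["Computer"] for e in events
            if e["EventID"] == 11 and e["TargetFilename"].lower().endswith("\\" + PAYLOAD_FILE)}

def encryption_burst_hosts(events, threshold=LOCKED_THRESHOLD):
    """Hosts that created at least `threshold` files with the .locked extension."""
    counts = Counter(e["Computer"] for e in events
                     if e["EventID"] == 11 and e["TargetFilename"].lower().endswith(".locked"))
    return {host for host, n in counts.items() if n >= threshold}

def triage(events):
    """Map each stage to matching hosts; 'all_stages' is the high-confidence intersection."""
    stages = {"sideload": sideload_hosts(events),
              "payload_drop": payload_drop_hosts(events),
              "encryption": encryption_burst_hosts(events)}
    stages["all_stages"] = stages["sideload"] & stages["payload_drop"] & stages["encryption"]
    return stages

SAMPLE_EVENTS = [  # constructed: WS01 shows the full chain, WS02 only a legitimate system load
    {"EventID": 11, "Computer": "WS01", "TargetFilename": r"C:\ProgramData\usysdiag.exe.dat"},
    {"EventID": 7, "Computer": "WS01", "Image": r"C:\ProgramData\usysdiag.exe",
     "ImageLoaded": r"C:\ProgramData\sensapi.dll"},
    {"EventID": 7, "Computer": "WS02", "Image": r"C:\Program Files\Tool\usysdiag.exe",
     "ImageLoaded": r"C:\Windows\System32\sensapi.dll"},
] + [{"EventID": 11, "Computer": "WS01", "TargetFilename": rf"C:\Users\a\doc{i}.docx.locked"}
     for i in range(4)]

if __name__ == "__main__":
    print({stage: sorted(hosts) for stage, hosts in triage(SAMPLE_EVENTS).items()})
```

Matching only the sideload stage is a lead worth checking on its own, since the report notes that weeks can pass between the loader stage and encryption.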

Despite its limited development, the use of ShadowPad—previously linked to espionage campaigns—raises concerns about state-aligned actors incorporating ransomware into their operations. The targeting of healthcare organizations is particularly concerning due to the critical nature of this sector. Orange Cyberdefense CERT identified overlaps between this campaign and known Chinese intrusion techniques, though no conclusive attribution was made. The prolonged dwell time before ransomware execution also suggests a strategic approach rather than a typical rapid monetization tactic.
