Analysis of NailaoLocker was first published by researchers from the Orange Cyberdefense CERT and Trend Micro in mid-February 2025. In addition to a technical analysis of NailaoLocker itself, the research included analyses of a remote access tool (RAT) called PlugX and a modular backdoor called ShadowPad. Both of these tools have a history of preceding intrusions by China-based actors, hence the attribution to China. Between June and October 2024, Orange Cyberdefense research revealed a campaign, dubbed Green Nailao, targeting various sectors in several countries, with a primary focus on European healthcare organizations. The attacks culminated in the execution of a novel ransomware called NailaoLocker, which their analysis revealed was hastily, or poorly, written.
This campaign exploited a critical 0-day vulnerability in Check Point Security gateways, which was patched in May 2024 (CVE-2024-24919). Those affected are therefore organizations that did not patch their gateways quickly enough. Once inside networks, the threat actors performed reconnaissance, established persistence via PlugX and ShadowPad, exfiltrated data, and ultimately deployed NailaoLocker via NailaoLoader. According to the analysis, NailaoLocker is written in C++ and uses AES-256-CTR to encrypt files, appending the extension ".locked" to each encrypted file. In typical ransomware fashion, a ransom note is dropped asking victims to contact the attackers through a ProtonMail email address. As such, we have no insight into any ransom amounts. Additionally, we have no concrete information on specific victims beyond what the research provides, which indicates victims in Europe, Asia, and South America across various industry sectors.