While conventional ransomware typically uses RSA to protect file encryption keys, NailaoLocker pioneers the use of SM2 elliptic curve cryptography to secure its AES-256-CBC encryption keys, representing the first documented instance of this approach in the ransomware landscape. During the encryption process, NailaoLocker generates unique cryptographic material for each target file using the Windows BCryptGenRandom() function to create 32-byte AES keys and 16-byte initialization vectors. FortiGuard Labs has discovered a sophisticated new ransomware strain called NailaoLocker that represents a significant departure from conventional encryption malware. This design enables NailaoLocker to efficiently distribute file processing across multiple CPU cores, with the malware creating a minimum of eight worker threads regardless of system specifications to ensure optimal performance even on lower-end hardware configurations. The malware creates a mutex named “lockv7” to prevent multiple instances and launches a console window that openly displays its encryption progress, suggesting no intention to conceal its activities from infected users. This discovery, combined with the malware‘s deliberate exclusion of critical system files and directories, suggests NailaoLocker may represent an in-development strain or internal testing build rather than an active deployment ready for widespread distribution. This Windows-targeting threat introduces the first documented use of China’s SM2 cryptographic standard in ransomware operations, marking a notable shift toward region-specific cryptographic implementations in cybercriminal activities. The malware’s name, derived from the Chinese word for “cheese,” may hint at its true purpose as either a functional weapon or an elaborate trap designed to mislead security researchers and victims alike. The ransomware’s technical sophistication extends to its execution architecture, which leverages Windows I/O Completion Ports (IOCP) to implement high-performance multi-threaded encryption operations. Testing revealed that while the embedded SM2 private key appears non-functional in practice, the decryption logic operates correctly when supplied with valid AES material captured during encryption. This sophisticated deployment mechanism allows the ransomware to execute with minimal detection while immediately cleaning up forensic traces by deleting the loader component after successful execution. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. Most notably, the malware incorporates hard-coded SM2 key pairs embedded in ASN.1 DER format alongside a built-in decryption function, an extremely rare combination that raises questions about its intended purpose. This footer contains the encrypted AES key size, the encrypted key itself, the encrypted IV size, and the encrypted IV, along with any overflow data that results from the encryption padding process.
This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 21 Jul 2025 18:45:11 +0000