Healthcare firms targeted by all-new ransomware strain

News
By
published

NailaoLocker attackers are most likely linked to China, experts believe

Ransomware
  • A new ransomware strain was seen targeting healthcare firms
  • NailaoLocker targets are mostly located in Europe
  • The encryptor was very basic, but still poses a threat

Healthcare organizations in Europe are being targeted by a never-before seen ransomware strain called NailaoLocker, experts have warned.

Cybersecurity researchers Orange Cyberdefense revealed the threat actors distributing NailaoLocker are most likely of Chinese origin. They are apparently abusing a high-severity vulnerability in Check Point Security Gateways to enumerate and extract password hashes for all local accounts.

The vulnerability is tracked as CVE-2024-24919, and was patched in May 2024.

Diversion

“Due to the fact all observed Check Point instances were still vulnerable at the time of their compromise, CVE-2024-24919 likely enabled the threat actors to retrieve user credentials and to connect to the VPN using a legitimate account,” Orange said.

The attackers would abuse this vulnerability to side-load a vulnerable DLL file, and use it to deploy ShadowPad and PlugX malware. These, in turn, would drop NailaoLocker and encrypt files on the victim computers.

The locker itself is apparently very basic, almost amateurish. Orange says it doesn’t kill security processes or running services, has no anti-debugging or sandbox evasion techniques, and doesn’t scan network shares. "Written in C++, NailaoLocker is relatively unsophisticated and poorly designed, seemingly not intended to guarantee full encryption," Orange said.

That has fueled speculation that encryption is not the end goal of these campaigns. Instead, they could either be a way to divert attention from the actual goal, which is to steal sensitive data from the targets, or a way to earn a little money on the side, while at the same time achieving the true goal of cyber-espionage. However, Orange also said the targets were mostly healthcare organizations which are not exactly the usual targets for cyber-espionage.

The researchers don’t know for sure, therefore they’re not attributing this attack to any particular threat actor, at least not yet.

Via BleepingComputer

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.

More about security
US coast guard boat

US Coast Guard paychecks delayed by cyberattack

A white padlock on a dark digital background.

A new and dangerous keylogger is on the loose - here's how to stay safe
Xbox Series X

Original Xbox designer says the idea the Series X is 'more powerful is not helpful today'
See more latest