
NailaoLocker

NailaoLocker is a novel ransomware family observed in targeted intrusions. Reporting from Orange Cyberdefense and Fortinet links its deployment to campaigns that targeted European organizations, particularly in the healthcare sector, and in some cases followed exploitation of Check Point VPN/security gateway vulnerabilities, including CVE-2024-24919. Post-compromise activity associated with these intrusions included deployment of PlugX and ShadowPad before the ransomware was launched. SentinelOne also reported overlap between ShadowPad campaigns delivering NailaoLocker and broader China-nexus intrusion activity involving exploitation of Check Point gateway devices.

Technically, NailaoLocker is delivered via DLL side-loading using the legitimate signed binary usysdiag.exe to load a malicious sensapi.dll, which decrypts and executes the core payload. The ransomware performs multi-threaded file encryption using AES-256-CBC, appends the .locked extension to encrypted files, drops customized HTML ransom notes, excludes system-critical files and directories to preserve host stability, marks encrypted files as hidden, writes activity logs to ProgramData\lock.log, creates the mutex Global\lockv7 to prevent re-execution, and attempts to delete the loader DLL after infection to reduce artifacts. It also uses the Chinese SM2 elliptic curve standard to protect AES keys.

Analysis noted that NailaoLocker contains an embedded decryption routine, which is unusual for ransomware, but the routine was not operational in the analyzed sample with the hardcoded values present. Researchers assessed that the combination of Chinese malware loaders, ShadowPad/PlugX usage, and zero-day or n-day perimeter-device exploitation suggests possible links to Chinese state-sponsored actors or actors mimicking those tactics. The reporting further assessed that NailaoLocker may in some cases have been used not only for extortion but also to obscure espionage activity behind a ransomware incident.

High-confidence host indicators and artifacts mentioned in the reporting include DLL side-loading via usysdiag.exe and sensapi.dll, the mutex Global\lockv7, the ProgramData\lock.log file, encrypted files with the .locked extension (marked hidden), and customized HTML ransom notes.
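To show how the artifacts above translate into host-side detection logic, the following is an added example (not code from this page, Mallory, or the cited reports). It matches the page's NailaoLocker indicators (usysdiag.exe side-loading sensapi.dll from outside the system directories, the ProgramData\lock.log file, and .locked files) against constructed Sysmon-style ImageLoad (Event ID 7) and FileCreate (Event ID 11) records; the record format and the sample lines are assumptions made for the demo.

```python
# Added example, not code from the page or the cited reports: match the page's
# NailaoLocker host indicators against constructed Sysmon-style event records.
from pathlib import PureWindowsPath

# Indicators taken from the page (file names and paths); compared case-insensitively.
SIDELOAD_HOST = "usysdiag.exe"
SIDELOAD_DLL = "sensapi.dll"
LEGIT_DLL_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
LOG_FILE = r"c:\programdata\lock.log"
ENCRYPTED_EXT = ".locked"

def parse_event(line):
    # 'Key=Value|Key=Value' record -> dict with lower-cased keys
    fields = dict(kv.split("=", 1) for kv in line.strip().split("|"))
    return {k.strip().lower(): v.strip() for k, v in fields.items()}

def check_event(ev):
    # Return (indicator, detail) hits for one event; [] when nothing matches.
    hits = []
    eid = ev.get("eventid")
    if eid == "7":  # Sysmon ImageLoad
        image = PureWindowsPath(ev.get("image", ""))
        loaded = PureWindowsPath(ev.get("imageloaded", ""))
        # sensapi.dll is a legitimate Windows DLL; the indicator is a copy loaded
        # by usysdiag.exe from outside the system directories.
        if (image.name.lower() == SIDELOAD_HOST
                and loaded.name.lower() == SIDELOAD_DLL
                and str(loaded.parent).lower() not in LEGIT_DLL_DIRS):
            hits.append(("sideload", str(loaded)))
    elif eid == "11":  # Sysmon FileCreate
        target = ev.get("targetfilename", "")
        if target.lower() == LOG_FILE:
            hits.append(("lock_log", target))
        elif target.lower().endswith(ENCRYPTED_EXT):
            hits.append(("encrypted_file", target))
    return hits

def scan(lines):
    # Collect hits across all non-empty records, in log order.
    return [h for line in lines if line.strip() for h in check_event(parse_event(line))]

# Constructed sample records (not real telemetry); one benign load and one benign write.
SAMPLE_LOG = r"""
EventID=7|Image=C:\Users\Public\usysdiag.exe|ImageLoaded=C:\Users\Public\sensapi.dll
EventID=7|Image=C:\Program Files\App\usysdiag.exe|ImageLoaded=C:\Windows\System32\sensapi.dll
EventID=11|Image=C:\Users\Public\usysdiag.exe|TargetFilename=C:\ProgramData\lock.log
EventID=11|Image=C:\Users\Public\usysdiag.exe|TargetFilename=C:\Users\bob\Documents\q3.xlsx.locked
EventID=11|Image=C:\Windows\explorer.exe|TargetFilename=C:\Users\bob\Documents\notes.txt
""".splitlines()
```

The mutex Global\lockv7 is not visible in Sysmon file or image-load telemetry, so it is better checked live on a suspect host than in these logs.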


Vulnerabilities exploited

1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

1 CVE

CVE-2024-24919: Arbitrary File Read in Check Point Security Gateways (exploited in the wild)

Two years ago, CISA tagged another vulnerability (CVE-2024-24919) in Check Point's Quantum Security Gateways as actively exploited by ransomware gangs, confirming an Orange Cyberdefense CERT report linking it to NailaoLocker ransomware attacks.

via BleepingComputer (bleepingcomputer.com)

Techniques & procedures (MITRE ATT&CK)

6 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1190 Exploit Public-Facing Application (Evidence: 1)

The campaign, discovered by Orange Cyberdefense and later analyzed by Fortinet, typically began with the exploitation of CVE-2024-24919, a critical vulnerability in Check Point VPN appliances.

Stealth

3 techniques
T1070.004 File Deletion (Evidence: 1)

Persistence and stealth are enhanced by mutex creation (Global\lockv7) to avoid re-execution, and the malware attempts to clean up after itself by deleting the loader DLL post-infection.

T1564.001 Hidden Files and Directories (Evidence: 1)

NailaoLocker logs activity to a file (lock.log) in the ProgramData directory and makes encrypted files hidden.

T1622 Debugger Evasion (Evidence: 1)

Persistence and stealth are enhanced by mutex creation (Global\lockv7) to avoid re-execution.

Discovery

1 technique
T1622 Debugger Evasion (Evidence: 1)

Persistence and stealth are enhanced by mutex creation (Global\lockv7) to avoid re-execution.

Impact

2 techniques
T1485 Data Destruction (Evidence: 1)

Such activity is significant as it often indicates ransomware behavior, where files are encrypted and the originals are deleted.

T1486 Data Encrypted for Impact (Evidence: 2)

NailaoLocker exhibits typical ransomware behavior, including multi-threaded file encryption using AES-256-CBC, appending a .locked extension to affected files, and dropping customized HTML ransom notes.
