{
  "name": "NailaoLocker Ransomware's 'Cheese'",
  "slug": "nailaolocker-ransomwares-cheese",
  "description": "NailaoLocker, a new ransomware variant targeting Windows systems, uses AES-256-CBC encryption and, uniquely, incorporates SM2 cryptography with hard-coded keys. It employs DLL side-loading for execution and uses I/O Completion Ports for multi-threaded file processing. The ransomware includes both encryption and decryption modes, with a built-in SM2 key pair. However, testing revealed that the embedded private key fails to decrypt files correctly, suggesting it may be a trap or an incomplete build. NailaoLocker's use of the Chinese SM2 standard for key protection marks a departure from typical ransomware practices. While the decryption logic functions correctly when given valid key material, the variant's true intent remains unclear.",
  "published": "2025-07-21T08:27:39+00:00",
  "created_at": "2025-07-21T08:27:39+00:00",
  "modified_at": "2025-07-21T08:58:29+00:00",
  "created_at_opencti": "2025-07-21T08:27:39+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-07-21",
    "aes-256-cbc",
    "dll side-loading",
    "multi-threaded",
    "nailaolocker",
    "ransomware",
    "sm2 cryptography",
    "windows"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "60133376a7c8e051da787187761e596ce9b3d0cfcea21ed8f434992aa7cb8605"
      },
      {
        "id": "",
        "name": "46f3029fcc7e2a12253c0cc65e5c58b5f1296df1e364878b178027ab26562d68"
      },
      {
        "id": "",
        "name": "1248c4b352b9b1325ef97435bd38b2f02d21e2c6d494a2218ee363d9874b7607"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:571efdc94c0672f7",
        "name": "NailaoLocker",
        "slug": "nailaolocker"
      }
    ],
    "attack_patterns": [
      {
        "id": "e8422fc8-8365-4a6a-a556-d6ec16cb4e5d",
        "name": "T1574.002"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "eaff4611-3c78-4127-8745-726f77ed68ba",
        "name": "T1070.004"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "f1bb7823-4f4b-4565-b472-bf0cfca467b1",
        "name": "T1486"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "09124a92-c11f-4571-b35b-ab0bce6dd081",
        "name": "T1112"
      }
    ]
  },
  "external_refs": [
    "https://www.fortinet.com/blog/threat-research/nailaolocker-ransomware-cheese",
    "https://otx.alienvault.com/pulse/687e161b6ba1211b16b985c4"
  ]
}