European healthcare organizations are facing a sophisticated cyber threat from a newly identified ransomware strain called NailaoLocker, deployed as part of a campaign tracked as Green Nailao by Orange Cyberdefense CERT.
The attacks, first detected between June and October 2024, exploit vulnerabilities in Check Point VPN appliances and leverage advanced backdoors like ShadowPad and PlugX to infiltrate networks.
The campaign combines cyberespionage tools with ransomware payloads. Researchers at Orange Cyberdefense found that this combination creates a hybrid threat that endangers both data security and operational continuity in critical healthcare infrastructure.
Technical Mechanism and Attack Workflow
The Green Nailao campaign begins with attackers exploiting CVE-2024-24919, a critical vulnerability in Check Point Security Gateways enabling unauthorized access to VPN credentials.
Once inside, threat actors conduct lateral movement via RDP and deploy a three-stage execution chain involving legitimate binaries, malicious DLLs, and encrypted payloads.
A key component is the NailaoLoader, a DLL sideloaded via legitimate executables like usysdiag.exe (signed by Beijing Huorong Network Technology).
The loader decrypts the ransomware payload (usysdiag.exe.dat) using a custom algorithm:
decrypted_byte = ((encrypted_byte + 0x4B) ^ 0x3F) - 0x4B
This routine, observed across multiple samples, removes the .dat file after decryption to hinder forensic analysis.
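The byte transform above, written up as an added analyst-side decoder (not the malware's code and not Orange Cyberdefense's tooling): it decodes a recovered usysdiag.exe.dat blob and checks that the output carries a PE header. The wrap-at-256 arithmetic and the file names in the usage line are assumptions, and the embedded sample is constructed.

```python
import sys

# Constants from the decryption formula quoted in the article.
ADD_KEY = 0x4B
XOR_KEY = 0x3F


def transform_byte(b: int) -> int:
    """((b + 0x4B) ^ 0x3F) - 0x4B, kept in byte range.

    Wrapping at 256 is an assumption: the article gives only the formula.
    The transform is its own inverse, so the same function decodes and
    (for building test data) encodes.
    """
    return ((((b + ADD_KEY) & 0xFF) ^ XOR_KEY) - ADD_KEY) & 0xFF


# Precomputed table so bytes.translate() handles large blobs quickly.
_TABLE = bytes(transform_byte(i) for i in range(256))


def transform(blob: bytes) -> bytes:
    """Decode (or encode) a whole payload blob."""
    return blob.translate(_TABLE)


def looks_like_pe(blob: bytes) -> bool:
    """Sanity check: decoded output should be a PE (MZ stub, PE\\0\\0 at e_lfanew)."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def _constructed_sample() -> bytes:
    """Constructed stand-in for usysdiag.exe.dat: a minimal PE header, encoded."""
    hdr = bytearray(0x44)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    hdr[0x40:0x44] = b"PE\0\0"
    return transform(bytes(hdr) + b"constructed body, not real malware")


SAMPLE_DAT = _constructed_sample()


if __name__ == "__main__":
    # Usage (hypothetical names): python nailao_decode.py usysdiag.exe.dat out.bin
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DAT
    out = transform(data)
    print("PE header check:", "ok" if looks_like_pe(out) else "FAILED")
    if len(sys.argv) > 2:
        open(sys.argv[2], "wb").write(out)
```

Because the loader deletes the .dat after use, the input will usually have to be recovered from a disk image, volume shadow copy or memory capture rather than copied from the live host.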
The decrypted NailaoLocker executable then creates a mutex (Globallockv7) to ensure singular execution and begins encrypting files using AES-256-CTR, appending the .locked extension.
Unlike sophisticated ransomware strains, NailaoLocker exhibits operational shortcomings: it ignores network shares, fails to terminate processes locking files, and leaves diagnostic logs in %ALLUSERPROFILE%unlock_please_view_this_file_.
These logs inadvertently aid incident responders in identifying encryption failures.
The ransomware drops a ransom note directing victims to contact a ProtonMail address and demands payment in Bitcoin.
Infrastructure analysis reveals spoofed TLS certificates mimicking Intel and Dell, with C2 servers hosted on VULTR. Notably, the campaign uses compromised IoT devices in Sweden and Proton VPN exit nodes for anonymization.
The Green Nailao campaign bears hallmarks of Chinese cyberespionage groups, particularly through its use of ShadowPad, a backdoor predominantly linked to China-nexus APTs.
Forensic overlaps with clusters like BRONZE UNIVERSITY and Cluster Alpha (noted by Sophos in 2023) further reinforce this attribution. However, the addition of ransomware introduces atypical objectives.
Analysts hypothesize the ransomware may serve dual purposes: masking data exfiltration or funding broader espionage activities. Notably, the attackers accessed Active Directory’s ntds.dit database, suggesting intent to harvest credentials for future operations.
This aligns with historical patterns of Chinese APTs targeting healthcare sectors for geopolitical intelligence.
Organizations are urged to patch Check Point appliances immediately and monitor for DLL sideloading patterns.
Orange Cyberdefense recommends implementing behavioral detection for AES-256-CTR encryption processes and blocking TLS certificates mismatching legitimate corporate issuers.
For healthcare entities, enforcing Zero Trust architectures and segmenting critical systems remain vital to mitigating cascading impacts.