Healthcare firms targeted by all-new ransomware strain
- A new ransomware strain was seen targeting healthcare firms
- NailaoLocker targets are mostly located in Europe
- The encryptor was very basic, but still poses a threat
Healthcare organizations in Europe are being targeted by a never-before seen ransomware strain called NailaoLocker, experts have warned.
Cybersecurity researchers Orange Cyberdefense revealed the threat actors distributing NailaoLocker are most likely of Chinese origin. They are apparently abusing a high-severity vulnerability in Check Point Security Gateways to enumerate and extract password hashes for all local accounts.
The vulnerability is tracked as CVE-2024-24919, and was patched in May 2024.
Diversion
“Due to the fact all observed Check Point instances were still vulnerable at the time of their compromise, CVE-2024-24919 likely enabled the threat actors to retrieve user credentials and to connect to the VPN using a legitimate account,” Orange said.
The attackers would abuse this vulnerability to side-load a vulnerable DLL file, and use it to deploy ShadowPad and PlugX malware. These, in turn, would drop NailaoLocker and encrypt files on the victim computers.
The locker itself is apparently very basic, almost amateurish. Orange says it doesn’t kill security processes or running services, has no anti-debugging or sandbox evasion techniques, and doesn’t scan network shares. “Written in C++, NailaoLocker is relatively unsophisticated and poorly designed, seemingly not intended to guarantee full encryption,” Orange said.
That has fueled speculation that encryption is not the end goal of these campaigns. Instead, they could either be a way to divert attention from the actual goal, which is to steal sensitive data from the targets, or a way to earn a little money on the side, while at the same time achieving the true goal of cyber-espionage. However, Orange also said the targets were mostly healthcare organizations which are not exactly the usual targets for cyber-espionage.
The researchers don’t know for sure, therefore they’re not attributing this attack to any particular threat actor, at least not yet.
Via BleepingComputer