CyberSecurity news
Amar Ćemanović@CyberInsider
A new ransomware strain called NailaoLocker has been identified targeting European healthcare organizations between June and October 2024. The ransomware is delivered through ShadowPad and PlugX backdoors, after attackers exploit vulnerabilities in VPNs to gain access to targeted networks. These backdoors have been linked to Chinese state-sponsored threat groups, raising concerns about the origin and sophistication of the attacks.
Orange Cyberdefense CERT investigated incidents and observed the threat actor leveraging both ShadowPad and PlugX. The campaign, tracked as Green Nailao, impacted several European organizations, including those in the healthcare sector. While Orange Cyberdefense doesn't attribute this campaign to a known threat group, they assess with medium confidence that the threat actors align with typical Chinese intrusion sets, noting somewhat similar TTPs and payloads publicly mentioned by other DFIR teams.
References:
- CyberInsider: NailaoLocker Ransomware Uses VPN Flaw to Attack Healthcare Orgs
- DataBreaches.Net: Meet NailaoLocker: a ransomware distributed in Europe by ShadowPad and PlugX backdoors
- securityaffairs.com: NailaoLocker ransomware targets EU healthcare-related entities
- www.bleepingcomputer.com: A previously undocumented ransomware payload named NailaoLocker has been spotted in attacks targeting European healthcare organizations between June and October 2024.
- The Hacker News: China-Linked Attackers Exploit Check Point Flaw to Deploy ShadowPad and Ransomware
- Virus Bulletin: Meet NailaoLocker, a ransomware distributed in Europe by ShadowPad & PlugX backdoors
- Check Point Blog: Patch Now: Check Point Research Explains Shadow Pad, NailaoLocker, and its Protection
- Talkback Resources: European healthcare organizations targeted by the Green Nailao campaign using PlugX, ShadowPad, and NailaoLocker ransomware; a Check Point security flaw was exploited for initial access, with various tactics used for malware deployment and data exfiltration, attributed to a Chinese-aligned threat actor with possible financial motivation.
- blog.checkpoint.com: Check Point Research Explains Shadow Pad, NailaoLocker, and its Protection
A newly identified threat activity cluster leveraged the already-patched Check Point vulnerability CVE-2024-24919 (fixed in May 2024) to deploy ShadowPad. Reports indicate that, in a small number of cases, this initial infection also resulted in the deployment of NailaoLocker ransomware.
- Talkback Resources: Orange Cyberdefense CERT investigated the Green Nailao threat cluster targeting European healthcare organizations using DLL search-order hijacking to deploy ShadowPad and PlugX implants, with observed ransomware deployment and initial access gained through CVE-2024-24919 exploitation on Check Point Security Gateways, indicating potential Chinese intrusion set involvement.
- industrialcyber.co: Green Nailao cyber threat targets European healthcare with advanced tactics, undocumented ransomware
- Industrial Cyber: Industrial Cyber report on Green Nailao cyber threat
Classification:
- HashTags: #Ransomware #Healthcare #NailaoLocker
- Company: European Healthcare
- Target: European healthcare organizations
- Attacker: NailaoLocker
- Product: Ransomware
- Feature: VPN Flaw
- Malware: NailaoLocker
- Type: Ransomware
- Severity: Major