Thu Feb 20 2025

Health companies targeted by a new ransomware variant.

Experts believe that it is very likely that the attackers behind NailaoLocker are linked to China.

Recent reports have identified a new variant of ransomware, known as NailaoLocker, that is targeting healthcare organizations in Europe. Cybersecurity experts have noted that those distributing this ransomware likely have Chinese origins and are exploiting a high-severity vulnerability in Check Point Security Gateways to access and extract local account passwords.

The vulnerability in question, identified as CVE-2024-24919, was patched in May 2024. Despite the availability of that fix, every Check Point instance observed in these intrusions was still unpatched at the time of compromise. This allowed the attackers to retrieve user credentials and then connect to the VPN using legitimate accounts.

Attackers exploit this vulnerability to upload a DLL file that facilitates the deployment of malware such as ShadowPad and PlugX. These malware families, in turn, install NailaoLocker, which encrypts files on the victims' devices.

NailaoLocker is characterized by its basic and almost amateur design. According to specialists, it does not terminate security processes or running services, lacks techniques to evade debuggers or testing environments, and does not scan network drives. "Written in C++, NailaoLocker is relatively rudimentary and shows poor design that apparently does not aim to ensure complete encryption," the researchers indicated.

This profile has raised speculation about the true objectives of these campaigns, suggesting that file encryption might not be the ultimate goal. It could be a way to distract from a more lucrative objective, the theft of sensitive data, or a way to generate additional income while conducting cyber espionage. However, analysts also highlighted that healthcare organizations are generally not the most common targets in this type of espionage.

So far, investigators have not been able to definitively link this attack to a specific actor, leaving its attribution uncertain.