
New Ransomware Strain Targets European Healthcare Sector

A newly identified ransomware strain named NailaoLocker is specifically targeting healthcare organizations in Europe, according to cybersecurity researchers from Orange Cyberdefense. This strain appears to be linked to threat actors likely originating from China.

The attackers exploit a high-severity vulnerability in Check Point Security Gateways, tracked as CVE-2024-24919. This vulnerability, which was patched in May 2024, allows attackers to enumerate and extract password hashes for local accounts, facilitating unauthorized access.

Researchers noted that all observed Check Point instances were still vulnerable at the time of compromise. This enabled the attackers to retrieve user credentials and connect to the VPN using legitimate accounts.

Once inside, the attackers deploy a vulnerable DLL file to introduce ShadowPad and PlugX malware, which subsequently drops NailaoLocker to encrypt files on victim computers. Although functional, NailaoLocker is described as relatively basic and poorly designed, lacking advanced features such as anti-debugging or sandbox evasion techniques.

Speculation surrounds the true intentions of these attacks. Some experts believe the encryption may not be the primary goal. Instead, it could serve as a distraction while the attackers aim to steal sensitive data or generate revenue alongside their primary objective of cyber-espionage.

Healthcare organizations, which are not the usual targets of cyber-espionage, are the primary victims of this ransomware strain. As of now, researchers have not attributed these attacks to any specific threat actor.

For further details, visit the original article on TechRadar.