Ransomware attacks continue to be a growing cybersecurity threat, and one of the latest additions to this malicious landscape is NailaoLocker. This ransomware strain is written in C++ and primarily targets organizations in Europe, including healthcare institutions. It encrypts files, appends a “.locked” extension to them, and demands a ransom for decryption.
NailaoLocker Ransomware: Threat Summary
The following table provides a quick overview of NailaoLocker ransomware:
Attribute | Details |
---|---|
Threat Name | NailaoLocker |
Threat Type | Ransomware, Crypto Virus, File Locker |
Encrypted File Extension | .locked |
Ransom Note File Name | No specific file name mentioned, but the note is displayed on the desktop |
Associated Email | johncollinsy@proton.me |
Detection Names | Combo Cleaner (Trojan.GenericKD.74047549), ALYac (Trojan.GenericKD.74047549), Arcabit (Trojan.Generic.D469E03D), GData (Trojan.GenericKD.74047549), VIPRE (Trojan.GenericKD.74047549) |
Symptoms of Infection | Files are encrypted with a .locked extension, ransom note appears on desktop, users cannot access their files, demand for Bitcoin payment |
Damage | All files are encrypted and inaccessible, additional malware (password-stealers, trojans) may be installed alongside |
Distribution Methods | Exploiting vulnerabilities (e.g., CVE-2024-24919 in Check Point VPN), phishing emails, malicious attachments, torrent websites, fake updates, drive-by downloads |
Danger Level | High – Encrypts files and demands a ransom, but lacks anti-debugging mechanisms |

Remove NailaoLocker Ransomware With SpyHunter
Download SpyHunter now, and scan your computer for this and other cybersecurity threats for free!
How NailaoLocker Ransomware Works
NailaoLocker ransomware follows a typical encryption-based attack model:
- Infection and Initial Access
  - It infiltrates systems by exploiting a known vulnerability in the Check Point VPN app (potentially CVE-2024-24919).
  - It may also be distributed via phishing emails, drive-by downloads, or fake software updates.
  - The infection can be initiated using ShadowPad malware or PlugX Remote Access Trojan (RAT).
- File Encryption Process
  - Once inside the system, it encrypts all user files (documents, images, videos, and archives) and appends the .locked extension.
  - Example: photo.jpg → photo.jpg.locked
- Ransom Note and Demands
  - After encryption, the ransomware displays a ransom note demanding payment in Bitcoin.
  - The attackers claim that files will be deleted within a week if the victim does not comply.
NailaoLocker Ransom Note Text
The following is the full text of the ransom note displayed to infected users:
Your important files are encrypted. If you want to decrypt your files, please follow the instructions.
Do you need file decryption service (restore your files to their original state)? If not, your files will be automatically deleted after one week.
If you need to purchase unlocking service, please contact us and we will tell you the amount (pay with BTC).
After you complete the payment using BTC, we will deliver the unlocking program within 24 hours. Once the program is run on the locked computer, all files will be unlocked.
BTC purchase website:
hxxps://www.coinbase.com
hxxps://www.bitfinex.com
hxxps://www.binance.com
Contact us on johncollinsy@proton.me
Notice: Do not delete or move locked files without unlocking them first.
Notice: The encryption algorithm uses symmetric encryption, and the password is a string of characters with the same length as the Bitcoin private key. If you can crack Bitcoin, then congratulations, you can decrypt it yourself. Otherwise, please contact us to purchase our decryption tool. Don't have illusions!!!
How to Remove NailaoLocker Ransomware (Step-by-Step Guide)

Although removing the ransomware will stop further encryption, it will not restore already encrypted files. The best course of action is not to pay the ransom and instead try data recovery using backups.
Step 1: Disconnect from the Internet
Unplug your Ethernet cable and disable Wi-Fi to prevent further communication with the attackers.
Step 2: Enter Safe Mode
- Restart your computer.
- Press F8 (or Shift + Restart) to access Advanced Startup Options.
- Choose Safe Mode with Networking.
Step 3: Remove NailaoLocker Ransomware with SpyHunter
- Download SpyHunter.
- Install the software and run a full system scan.
- SpyHunter will detect and remove the ransomware and any associated trojans.
- Reboot your computer.
Step 4: Restore Your Files
- If you have a backup, restore files from an external drive or cloud storage.
- If no backup exists, try using data recovery tools like:
  - Recuva
  - EaseUS Data Recovery Wizard
  - ShadowExplorer (to check if Volume Shadow Copies exist)
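Before restoring, it helps to know which encrypted files the backup actually covers. The following is an added example, not code from the original article or from any vendor: a read-only scan that finds every file carrying the appended .locked extension and checks whether a backup tree holds the original at the same relative path. The function names, the mirrored-backup layout, and the sample files are assumptions made for illustration.

```python
import os
import tempfile
from pathlib import Path

LOCKED_SUFFIX = ".locked"  # extension the article reports NailaoLocker appends


def original_name(name):
    """'photo.jpg.locked' -> 'photo.jpg'; None if the suffix is absent."""
    if name.lower().endswith(LOCKED_SUFFIX) and len(name) > len(LOCKED_SUFFIX):
        return name[: -len(LOCKED_SUFFIX)]
    return None


def restore_plan(infected_root, backup_root):
    """Read-only report: which locked files have a copy in the backup tree.

    Assumes the backup mirrors the infected tree's relative paths.
    """
    infected_root, backup_root = Path(infected_root), Path(backup_root)
    restorable, missing, mtimes = [], [], []
    for path in sorted(infected_root.rglob("*")):
        orig = original_name(path.name) if path.is_file() else None
        if orig is None:
            continue  # directory, or a file without the appended suffix
        rel = path.relative_to(infected_root).with_name(orig)
        mtimes.append(path.stat().st_mtime)
        target = restorable if (backup_root / rel).is_file() else missing
        target.append(rel.as_posix())
    # The mtime range approximates when encryption ran (assumes timestamps were
    # not tampered with); restore from a backup taken before window[0].
    window = (min(mtimes), max(mtimes)) if mtimes else None
    return {"restorable": restorable, "missing": missing, "window": window}


def demo():
    """Build a small constructed tree (not real incident data) and plan it."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = Path(tmp, "live"), Path(tmp, "backup")
        samples = {"docs/report.docx.locked": 1_700_000_000,
                   "docs/photo.jpg.locked": 1_700_000_600,
                   "docs/readme.txt": 1_600_000_000}  # never encrypted
        for rel, mtime in samples.items():
            f = live / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_bytes(b"constructed sample")
            os.utime(f, (mtime, mtime))
        (backup / "docs").mkdir(parents=True)
        (backup / "docs/photo.jpg").write_bytes(b"backup copy")
        return restore_plan(live, backup)


if __name__ == "__main__":
    print(demo())
```

Legitimate files that happen to end in .locked will also be listed, so review the "missing" list before treating every entry as lost data.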
How to Prevent Future Ransomware Infections
Taking the right preventive measures can reduce the risk of ransomware attacks significantly.
- Update Software Regularly
  - Keep your OS, VPN, and security applications up to date.
  - Patch vulnerabilities such as CVE-2024-24919 to prevent exploitation.
- Use Strong Security Software: Install a reliable anti-malware program like SpyHunter for real-time protection.
- Enable Firewall and Network Security
  - Configure firewall settings to block unauthorized access.
  - Restrict Remote Desktop Protocol (RDP) access to prevent brute-force attacks.
- Avoid Suspicious Emails and Links: Do not open unexpected email attachments or click on links from unknown sources.
- Use Strong Passwords and MFA: Implement Multi-Factor Authentication (MFA) for an added security layer.
- Backup Data Regularly
  - Store backups on external drives or cloud storage.
  - Maintain multiple copies in different locations.
- Avoid Downloading Pirated Software: Do not use torrent sites or cracked software, as they often carry malware.
Conclusion
NailaoLocker ransomware is a dangerous file-encrypting malware that targets European organizations by exploiting vulnerabilities such as CVE-2024-24919 in the Check Point VPN app. While the ransomware lacks advanced security evasion techniques, it encrypts critical data and demands Bitcoin payments.
Instead of paying the ransom, users should focus on removing the infection using SpyHunter, restoring files from backups, and implementing preventive security measures to avoid future attacks.
