A new ransomware variant dubbed NailaoLocker is drawing attention in cybersecurity circles for its use of the Chinese SM2 public-key standard, which FortiGuard Labs reports as a first among ransomware strains targeting Microsoft Windows systems.
Discovered by FortiGuard Labs, NailaoLocker pairs multi-threaded file encryption with a region-specific public-key algorithm, a combination that adds a new wrinkle to the global ransomware threat landscape.
Unusual Architecture: Hard-Coded SM2 Key Pair and Decryption Feature
NailaoLocker arrives on victims' systems through DLL side-loading: a legitimate system utility (usysdiag.exe) is placed alongside a malicious sensapi.dll, which the utility loads instead of the genuine library, and that loader carries the obfuscated ransomware payload.
Execution begins when the loader decrypts the ransomware and injects it into memory; the loader then deletes itself from disk, reducing the on-disk evidence available to responders. NailaoLocker creates a mutex named "lockv7" so that only a single instance runs at a time, which also makes the mutex name a usable indicator of an active infection.
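A hunt for the deployment artifacts described above, written as an added example rather than FortiGuard Labs' own tooling: it walks a directory tree for sensapi.dll outside the Windows system directories, flags copies that have usysdiag.exe beside them, hashes the files against the SHA-256 IOCs listed at the end of this page, and on Windows probes for the "lockv7" mutex. The directory layout in run_demo() is constructed for the demo, and the mutex is assumed to be session-local because the page gives no Global\ prefix.

```python
"""Hunt for the usysdiag.exe / sensapi.dll side-loading pair and the lockv7 mutex.

Added example, not FortiGuard Labs' code. The tree built in run_demo() is
constructed for the demo; the hashes come from the IOC list on this page.
"""
import ctypes
import hashlib
import os
import sys
import tempfile

# SHA-256 IOCs published for NailaoLocker (copied from the IOC list on this page).
NAILAO_SHA256 = {
    "1248c4b352b9b1325ef97435bd38b2f02d21e2c6d494a2218ee363d9874b7607",
    "46f3029fcc7e2a12253c0cc65e5c58b5f1296df1e364878b178027ab26562d68",
    "60133376a7c8e051da787187761e596ce9b3d0cfcea21ed8f434992aa7cb8605",
}
LOADER_DLL = "sensapi.dll"
HOST_EXE = "usysdiag.exe"
MUTEX_NAME = "lockv7"
# Where a genuine sensapi.dll lives; a copy anywhere else deserves a look.
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def in_system_dir(dirpath):
    """True for paths under System32/SysWOW64 (pass absolute Windows paths)."""
    p = os.path.normpath(dirpath).lower().replace("/", "\\")
    return any(p == s or p.startswith(s + "\\") for s in SYSTEM_DIRS)


def find_sideload_pairs(root):
    """One finding per sensapi.dll found under root outside the system directories."""
    findings = []
    for dirpath, _subdirs, files in os.walk(root):
        names = {f.lower(): f for f in files}
        if LOADER_DLL not in names or in_system_dir(dirpath):
            continue
        hashes = {LOADER_DLL: sha256_file(os.path.join(dirpath, names[LOADER_DLL]))}
        exe_present = HOST_EXE in names  # full side-loading pair, not just a stray DLL
        if exe_present:
            hashes[HOST_EXE] = sha256_file(os.path.join(dirpath, names[HOST_EXE]))
        findings.append({
            "dir": dirpath,
            "exe_present": exe_present,
            "hashes": hashes,
            "ioc_hit": any(h in NAILAO_SHA256 for h in hashes.values()),
        })
    return findings


def mutex_exists(name=MUTEX_NAME):
    """Windows only: True if the named mutex is open, i.e. an instance is running.
    Returns None on other platforms. Assumes a session-local name (no Global\\)."""
    if sys.platform != "win32":
        return None
    SYNCHRONIZE, ERROR_ACCESS_DENIED = 0x00100000, 5
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenMutexW.restype = ctypes.c_void_p
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    handle = k32.OpenMutexW(SYNCHRONIZE, False, name)
    if handle:
        k32.CloseHandle(handle)
        return True
    # Access denied means the object exists but is owned by another user/session.
    return ctypes.get_last_error() == ERROR_ACCESS_DENIED


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def run_demo():
    """Constructed tree: a full pair in a user temp folder, a lone DLL elsewhere."""
    with tempfile.TemporaryDirectory() as base:
        pair_dir = os.path.join(base, "Users", "victim", "AppData", "Local", "Temp")
        _write(os.path.join(pair_dir, HOST_EXE), b"MZ demo host, not the real binary")
        _write(os.path.join(pair_dir, LOADER_DLL), b"MZ demo loader, not the real binary")
        _write(os.path.join(base, "ProgramData", "svc", LOADER_DLL), b"MZ unrelated copy")
        findings = find_sideload_pairs(base)
        for f in findings:
            kind = "PAIR    " if f["exe_present"] else "dll-only"
            print(kind, f["dir"], "ioc_hit=%s" % f["ioc_hit"])
        return findings


if __name__ == "__main__":
    run_demo()
    print("lockv7 mutex present:", mutex_exists())
```

Run it against a live host with `find_sideload_pairs("C:\\")` and `mutex_exists()`; the demo files hash to nothing on the IOC list, so `ioc_hit` stays False there, and a DLL-only finding is still worth triage because the host executable may already have been removed.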

The ransomware's architecture is unusual from the start. A hard-coded SM2 key pair, embedded in the payload in ASN.1 DER format, is used by both the encryption and the decryption routines.
Unlike typical ransomware, which wraps per-file keys with RSA or an ECIES-style scheme, NailaoLocker uses SM2, China's national public-key algorithm. That choice may slow down researchers who have not worked with the standard, though SM2 is published and has open-source implementations, so the hurdle is unfamiliarity rather than secrecy.
Notably, the same binary contains both the encryption and the decryption routines. Whether it encrypts or decrypts is selected by an internal switch rather than a command-line option, which may indicate a development build or a lure aimed at analysts.
Multi-Threaded AES Encryption and Advanced Key Management
NailaoLocker parallelizes its file encryption with Windows I/O Completion Ports (IOCP), spawning at least eight worker threads to walk directories and process files concurrently.
For every targeted file, a fresh 256-bit AES key and a random IV are generated with BCryptGenRandom(). The file content is encrypted with AES-256-CBC, and the original file's metadata is preserved.
Critically, instead of wrapping the AES key and IV with RSA, NailaoLocker encrypts them with SM2 and stores the resulting ciphertext in a custom footer appended to each file.
An "LV7" marker identifies the footer section holding the SM2-encrypted AES key, IV, and auxiliary metadata. Because the per-file key can only be unwrapped with the matching SM2 private key, recovery from the encrypted files alone is not practical; the marker, together with the lockv7 mutex name, is a concrete artifact for identifying affected files and hosts.
However, FortiGuard Labs' analysis found that the embedded SM2 private key does not actually decrypt the files, hinting that the sample may be meant for internal testing or as deceptive bait.
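One concrete check an analyst can run on an embedded key pair like the one described above, and on the "non-functional" private key the analysis reports, is whether the private scalar d actually reproduces the public point, Q == d*G, on the SM2 curve. The following is an added example, not FortiGuard Labs' code. It assumes the DER blob is an RFC 5915 ECPrivateKey (the page says only "ASN.1 DER"), constructs its own sample blobs from a made-up scalar, and uses the published SM2 recommended-curve parameters.

```python
"""Check whether an embedded SM2 key pair is self-consistent, i.e. Q == d*G.
Added example, not FortiGuard Labs' code. It assumes the DER blob is an RFC 5915
ECPrivateKey (the page does not name the structure) and uses a made-up scalar in
run_demo(); the curve constants are the published SM2 recommended curve."""

# SM2 recommended curve (GB/T 32918.5-2017): y^2 = x^3 + A*x + B over GF(P).
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)
SM2_OID = bytes.fromhex("2a811ccf5501822d")  # OID 1.2.156.10197.1.301
INF = None  # point at infinity

def ec_add(p1, p2):
    if p1 is INF or p2 is INF:
        return p2 if p1 is INF else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF  # p2 == -p1
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P  # point doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Double-and-add; not constant-time, which is fine for offline sample analysis."""
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0

def der_tlv(buf, pos=0):
    """Read one definite-length DER TLV at pos; return (tag, value, next_pos)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long form: the next (ln & 0x7F) bytes hold the length
        ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
    return tag, buf[pos:pos + ln], pos + ln

def der_encode(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def encode_ec_private_key(d, q):
    """RFC 5915 ECPrivateKey with the SM2 named-curve OID and an uncompressed point."""
    pub = b"\x04" + q[0].to_bytes(32, "big") + q[1].to_bytes(32, "big")
    body = (der_encode(0x02, b"\x01")                              # version 1
            + der_encode(0x04, d.to_bytes(32, "big"))               # privateKey
            + der_encode(0xA0, der_encode(0x06, SM2_OID))           # [0] parameters
            + der_encode(0xA1, der_encode(0x03, b"\x00" + pub)))    # [1] publicKey
    return der_encode(0x30, body)

def parse_ec_private_key(blob):
    """Return (d, Q, curve_oid); Q or oid is None when the optional field is absent."""
    tag, seq, _ = der_tlv(blob)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _version, pos = der_tlv(seq)
    _, priv, pos = der_tlv(seq, pos)
    d, q, oid = int.from_bytes(priv, "big"), None, None
    while pos < len(seq):
        tag, val, pos = der_tlv(seq, pos)
        if tag == 0xA0:
            oid = der_tlv(val)[1]
        elif tag == 0xA1:
            pub = der_tlv(val)[1][1:]  # drop the BIT STRING unused-bits octet
            if pub[:1] != b"\x04" or len(pub) != 65:
                raise ValueError("expected an uncompressed 256-bit point")
            q = (int.from_bytes(pub[1:33], "big"), int.from_bytes(pub[33:], "big"))
    return d, q, oid

def key_pair_is_consistent(blob):
    """True only if the blob names the SM2 curve, Q lies on it, and d*G == Q."""
    d, q, oid = parse_ec_private_key(blob)
    if oid != SM2_OID or q is None or not 1 <= d < N or not on_curve(q):
        return False
    return ec_mul(d, G) == q

def run_demo():
    """Made-up scalar; the decoy pairs d with a public point from a different scalar."""
    d = 0x1F2E3D4C5B6A79880123456789ABCDEF0FEDCBA9876543210F1E2D3C4B5A6978
    good = encode_ec_private_key(d, ec_mul(d, G))
    decoy = encode_ec_private_key(d, ec_mul(d + 1, G))
    return key_pair_is_consistent(good), key_pair_is_consistent(decoy)

if __name__ == "__main__":
    print("consistent, decoy ->", run_demo())
```

Feed `key_pair_is_consistent()` the DER bytes carved from a sample to test the key pair itself. A False result explains why the binary's own decryption routine cannot work; a True result only shows the pair is internally consistent, not that it is the pair whose public half wrapped the keys in a given victim's "LV7" footers.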
Implications and Protections
The adoption of SM2 in ransomware sets a concerning precedent: region-specific cryptographic standards are now being pulled into attacker toolkits. While NailaoLocker is not yet widely deployed, its technical maturity points to growing diversity in the cryptography that defenders and analysts will have to handle.
Fortinet protections have been updated, and organizations are urged to prioritize tested offline backups, endpoint protection, network segmentation, and regular patching to counter evolving ransomware threats.
IOCs
NailaoLocker Ransomware (sha256)
1248c4b352b9b1325ef97435bd38b2f02d21e2c6d494a2218ee363d9874b7607
46f3029fcc7e2a12253c0cc65e5c58b5f1296df1e364878b178027ab26562d68
60133376a7c8e051da787187761e596ce9b3d0cfcea21ed8f434992aa7cb8605