DLL side-loading used to decrypt and load NailaoLocker | Image: FortiGuard Labs
FortiGuard Labs uncovered a ransomware variant. Dubbed NailaoLocker, this malware isn’t just another file-encrypting threat. It brings along a decryption function, embedded cryptographic keys, and an unusual choice of algorithm that raises eyebrows and questions.
“‘Nailao,’ which means ‘cheese’ in Chinese, may be more than a naming quirk. This ransomware could represent a rare opportunity: a payload with embedded recoverability. Or it could be bait—a trap laid to mislead victims and security researchers,” the report states.
NailaoLocker is delivered through DLL side-loading, using three separate files:
- usysdiag.exe – a legitimate binary
- sensapi.dll – a malicious loader called NailaoLoader
- usysdiag.exe.dat – the actual ransomware payload
Once executed, the loader decrypts the payload and loads it directly into memory. To hinder analysis, it deletes sensapi.dll after execution and creates a mutex named lockv7 to prevent multiple instances from running simultaneously.
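The delivery chain above is a classic side-loading pattern: a DLL carrying a Windows system DLL's name (sensapi.dll) sitting next to a legitimate executable instead of under the Windows directory. The following detection logic is an added example, not code from FortiGuard or the article; it runs over constructed, Sysmon-style image-load lines (the key="value" layout, the field names EventID/Image/ImageLoaded and the list of system DLL names are assumptions for the example) and flags loads of system-named DLLs from untrusted paths, noting when the DLL lives in the same directory as the process that loaded it. It generalizes beyond sensapi.dll to any name in the system-DLL set.

```python
"""Flag DLL side-loading candidates in image-load telemetry (added example)."""
import re
from pathlib import PureWindowsPath

# DLL names that legitimately live under %SystemRoot%. Constructed,
# non-exhaustive list; sensapi.dll is the name abused by NailaoLoader.
SYSTEM_DLL_NAMES = {"sensapi.dll", "version.dll", "dwmapi.dll", "cryptbase.dll"}

# Directories from which a system DLL is expected to be loaded (lower-case).
TRUSTED_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")

# Matches key="value" pairs in a log line (assumed log layout).
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line):
    """Turn one key="value" log line into a dict with lower-cased keys."""
    return {k.lower(): v for k, v in FIELD_RE.findall(line)}


def _under_trusted_dir(path):
    """True when the directory is a trusted system directory or below one."""
    parent = str(PureWindowsPath(path).parent).lower()
    return any(parent == d or parent.startswith(d + "\\") for d in TRUSTED_DIRS)


def is_suspicious_load(event):
    """A system-named DLL loaded from outside the Windows directory."""
    loaded = event.get("imageloaded", "")
    if PureWindowsPath(loaded).name.lower() not in SYSTEM_DLL_NAMES:
        return False
    return not _under_trusted_dir(loaded)


def find_sideload_candidates(lines):
    """Return (process image, loaded DLL, same_directory) for each hit.

    same_directory is True when the DLL sits beside the loading executable,
    the strongest indicator of side-loading as opposed to a stray copy.
    """
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("eventid") != "7" or not is_suspicious_load(ev):
            continue
        image, loaded = ev.get("image", ""), ev["imageloaded"]
        same_dir = PureWindowsPath(image).parent == PureWindowsPath(loaded).parent
        hits.append((image, loaded, same_dir))
    return hits


# Constructed sample telemetry: one benign system load, the NailaoLoader
# triad from a user-writable directory, a process-create event that must be
# ignored, and a second side-load of a different system DLL name.
SAMPLE_LOG = [
    r'EventID="7" Image="C:\Windows\System32\svchost.exe" ImageLoaded="C:\Windows\System32\sensapi.dll"',
    r'EventID="7" Image="C:\Users\Public\usysdiag.exe" ImageLoaded="C:\Users\Public\sensapi.dll"',
    r'EventID="7" Image="C:\Users\Public\usysdiag.exe" ImageLoaded="C:\Windows\System32\kernel32.dll"',
    r'EventID="1" Image="C:\Users\Public\usysdiag.exe" CommandLine="usysdiag.exe"',
    r'EventID="7" Image="C:\Program Files\Vendor\tool.exe" ImageLoaded="C:\Program Files\Vendor\version.dll"',
]

if __name__ == "__main__":
    for image, dll, same_dir in find_sideload_candidates(SAMPLE_LOG):
        print(f"side-load candidate: {image} loaded {dll} (same dir: {same_dir})")
```

On the constructed sample the script reports two candidates, the usysdiag.exe/sensapi.dll pair and the tool.exe/version.dll pair, and ignores the legitimate svchost.exe load from System32. Pairing a hit with a sibling .dat file in the same directory, as described for usysdiag.exe.dat, would raise confidence further, but that needs file-system access rather than image-load telemetry alone.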
Unlike most ransomware, NailaoLocker has both encryption and decryption capabilities built in. The mode is selected by a hardcoded string comparison rather than by command-line arguments, a setup that suggests internal or testing use.
In encryption mode, the ransomware:
- Enumerates logical drives
- Excludes core system directories and file types
- Uses AES-256-CBC with SM2-encrypted keys
- Drops ransom notes alongside encrypted files
Perhaps the most notable feature is the use of SM2, a Chinese elliptic curve cryptography standard, to encrypt the AES keys and IVs used during file encryption. This is a departure from the norm, where RSA typically dominates key protection routines.
“This appears to be the first documented case of SM2 being used to protect symmetric file encryption keys in ransomware,” the report states.
The malware even embeds its own SM2 public and private keys in ASN.1 DER format, though the private key doesn’t seem functional in decryption testing—leading analysts to believe this may be a prototype or decoy.
The malware employs Windows I/O Completion Ports (IOCP) for threading, spawning at least eight worker threads to parallelize encryption tasks efficiently. This ensures rapid encryption on both high- and low-core systems.
Encrypted files receive a .locked extension and are marked hidden. An LV7 footer stores metadata, including:
- AES key size
- SM2-encrypted AES key
- IV size and value
- Remaining encrypted data
These values are critical to decrypting the content, though without the correct AES key material, the built-in decryption won’t function.
Although NailaoLocker technically includes a decryption function, it’s non-functional out-of-the-box. The embedded private SM2 key fails to decrypt the AES key and IV due to what FortiGuard speculates may be an incomplete or deliberately broken key.
“Testing confirms that the decryption logic operates correctly when supplied with valid AES key material, indicating this may be an in-development strain or internal test build.”
The embedded decryption function and SM2 key pair make NailaoLocker a curious anomaly. While it could represent an early version of a more dangerous threat, it might also be misdirection, designed to confuse incident responders.
As FortiGuard concludes: “The use of the Chinese SM2 cryptographic standard… marks a notable divergence from conventional ransomware practices.”