NailaoLocker Uses China’s SM2 Crypto in Rare Attack
A newly identified ransomware strain, NailaoLocker, is targeting Windows systems using China’s SM2 cryptographic standard in a rare deviation from typical ransomware encryption methods. FortiGuard Labs researchers say NailaoLocker uses China’s SM2 cryptography to encrypt AES-256-CBC keys, marking the first known case of this method in ransomware campaigns. The malware’s name, drawn from the Chinese word for “cheese,” may indicate either a decoy or a test version.
NailaoLocker uses a sophisticated three-part delivery system involving DLL side-loading to evade detection. The malware immediately deletes its loader after execution and displays a visible encryption console. NailaoLocker uses China’s SM2 cryptographic scheme alongside hard-coded key pairs in ASN.1 DER format, an unusual approach that includes a built-in decryption function. Analysts suggest the strain may be under development, citing the exclusion of critical system files and the presence of non-functional private key components.
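The hard-coded SM2 key pairs in ASN.1 DER form are a useful triage signal for analysts. The scanner below is an added example, not code from FortiGuard's report or from the malware; it assumes the keys follow the RFC 5915 ECPrivateKey layout with a namedCurve parameter carrying the SM2 curve OID 1.2.156.10197.1.301, and runs over a constructed sample rather than a real artifact.

```python
SM2_CURVE_OID = "1.2.156.10197.1.301"                   # sm2p256v1
SM2_OID_DER = bytes.fromhex("06082a811ccf5501822d")     # that OID as a DER OBJECT IDENTIFIER

def decode_oid(body: bytes) -> str:
    # Content octets of an OBJECT IDENTIFIER -> dotted string (base-128 arcs).
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def read_tlv(data: bytes, off: int):
    # One DER element at off -> (tag, value_start, value_len, next_off), None if truncated.
    if off + 2 > len(data):
        return None
    tag, ln, hdr = data[off], data[off + 1], 2
    if ln & 0x80:                                        # long-form length (1..4 bytes)
        n = ln & 0x7F
        if n == 0 or n > 4 or off + 2 + n > len(data):
            return None
        ln, hdr = int.from_bytes(data[off + 2:off + 2 + n], "big"), 2 + n
    start = off + hdr
    return None if start + ln > len(data) else (tag, start, ln, start + ln)

def find_sm2_keys(blob: bytes) -> list:
    # Walk every SEQUENCE and keep those shaped like RFC 5915 ECPrivateKey with an SM2 namedCurve.
    hits = []
    for off in (i for i, b in enumerate(blob) if b == 0x30):
        seq = read_tlv(blob, off)
        ver = seq and read_tlv(blob, seq[1])             # INTEGER version, must be 1
        if not ver or ver[0] != 0x02 or blob[ver[1]:ver[3]] != b"\x01":
            continue
        priv = read_tlv(blob, ver[3])                    # OCTET STRING privateKey
        params = priv and priv[0] == 0x04 and read_tlv(blob, priv[3])  # [0] parameters
        oid = params and params[0] == 0xA0 and read_tlv(blob, params[1])
        if oid and oid[0] == 0x06 and decode_oid(blob[oid[1]:oid[3]]) == SM2_CURVE_OID:
            hits.append({"offset": off, "length": seq[3] - off, "priv_len": priv[2]})
    return hits

def build_ec_private_key(curve_oid_der: bytes, priv: bytes) -> bytes:
    # Constructed ECPrivateKey {version 1, privateKey, [0] namedCurve}; body must stay under 128 bytes.
    body = b"\x02\x01\x01" + bytes([0x04, len(priv)]) + priv + bytes([0xA0, len(curve_oid_der)]) + curve_oid_der
    return bytes([0x30, len(body)]) + body

# Constructed sample: a dummy 32-byte scalar wrapped as an SM2 ECPrivateKey, buried in filler bytes.
SAMPLE = b"\x00MZ\x90\x00" + build_ec_private_key(SM2_OID_DER, bytes(range(1, 33))) + b"\xff" * 4
print(find_sm2_keys(SAMPLE))   # one hit: offset 5, length 51, priv_len 32
```

Point `find_sm2_keys` at the raw bytes of a dropped DLL or memory dump; a hit with a plausible 32-byte scalar is worth a closer look, while a key with a different curve OID or a truncated structure is ignored.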
Read the full report at: NailaoLocker Ransomware Attacking Windows Systems Using Chinese SM2 Cryptographic Standard
