Between June and October 2024, European healthcare entities were targeted by the NailaoLocker ransomware as part of The Green Nailao campaign. The attackers exploited a zero-day flaw, CVE-2024-24919, in Check Point VPN appliances to gain unauthorized access. The ransomware, which exhibited poor design and a lack of sophisticated features, encrypted files and appended a '.locked' extension, demanding a ransom paid in Bitcoin. No indication of data theft was mentioned in the ransom note. The threat actors, potentially linked to Chinese APTs, used ShadowPad and PlugX malware for lateral movement and persistence, with motives ranging from espionage to financial gain. The attack disrupted healthcare services and potentially risked patient data, although the full extent of the damage remains undisclosed.
TPRM report: https://scoringcyber.rankiteo.com/company/european-public-health-alliance
{
  "id": "eur000022125",
  "linkid": "european-public-health-alliance",
  "type": "Ransomware",
  "date": "2/2025",
  "severity": "100",
  "impact": "3",
  "explanation": "Attack with significant impact with internal employee data leaks"
}
{'affected_entities': [{'industry': 'Healthcare',
                        'location': 'Europe',
                        'type': 'Healthcare'}],
 'attack_vector': 'Zero-day vulnerability exploitation in Check Point VPN appliances',
 'data_breach': {'data_encryption': "Files encrypted with '.locked' extension",
                 'data_exfiltration': 'No indication of data theft'},
 'description': 'Between June and October 2024, European healthcare entities were targeted by the NailaoLocker ransomware as part of The Green Nailao campaign. The attackers exploited a zero-day flaw, CVE-2024-24919, in Check Point VPN appliances to gain unauthorized access. The ransomware, which exhibited poor design and a lack of sophisticated features, encrypted files and appended a \'.locked\' extension, demanding a ransom paid in Bitcoin. No indication of data theft was mentioned in the ransom note. The threat actors, potentially linked to Chinese APTs, used ShadowPad and PlugX malware for lateral movement and persistence, with motives ranging from espionage to financial gain. The attack disrupted healthcare services and potentially risked patient data, although the full extent of the damage remains undisclosed.',
 'impact': {'downtime': 'Disrupted healthcare services'},
 'initial_access_broker': {'entry_point': 'Zero-day flaw, CVE-2024-24919, in Check Point VPN appliances',
                           'high_value_targets': 'Healthcare entities'},
 'motivation': ['Espionage', 'Financial gain'],
 'post_incident_analysis': {'root_causes': 'Exploitation of zero-day flaw in Check Point VPN appliances'},
 'ransomware': {'data_encryption': "Files encrypted with '.locked' extension",
                'data_exfiltration': 'No indication of data theft',
                'ransom_demanded': 'Demanded ransom paid in Bitcoin',
                'ransomware_strain': 'NailaoLocker'},
 'threat_actor': ['Potentially linked to Chinese APTs'],
 'title': 'The Green Nailao Campaign: NailaoLocker Ransomware Attack on European Healthcare Entities',
 'type': 'Ransomware',
 'vulnerability_exploited': 'CVE-2024-24919'}