
NailaoLocker Ransomware’s “Cheese”

  • July 18, 2025

Jasper_The_Rasper
Moderator

By Kuan-Yen Liu and Yen-Ting Lee | July 18, 2025


Affected Platforms: Microsoft Windows
Impacted Users: Microsoft Windows
Impact: Most files on the compromised machines are encrypted
Severity Level: High


FortiGuard Labs recently ran across NailaoLocker, a ransomware variant targeting Microsoft Windows systems. Like many ransomware families, it uses AES-256-CBC to encrypt user files. What sets it apart is the presence of hard-coded SM2 cryptographic keys and a built-in decryption function—an uncommon combination that raises immediate questions about intent.

The name “Nailao,” which means “cheese” in Chinese, may be more than a naming quirk. This ransomware could represent a rare opportunity: a payload with embedded recoverability. Or it could be bait—a trap laid to mislead victims and security researchers. One victim’s solution may, in this case, be another’s cheese.

Figure 1: Hard-coded SM2 key pairs in ASN.1 DER format

In this blog, we examine NailaoLocker’s complete technical profile, including its execution flow, encryption and decryption routines, and use of SM2 cryptography. We assess whether this variant introduces a genuine threat or exposes an exploitable flaw.


>>Full Article<<
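As an added example (not code from the FortiGuard article or from NailaoLocker itself), the Python scanner below shows how a responder can triage a sample for the kind of hard-coded SM2 key material Figure 1 describes: DER-encoded ECPrivateKey (RFC 5915) and SubjectPublicKeyInfo structures whose curve parameter is sm2p256v1 (OID 1.2.156.10197.1.301). The two OIDs are the standard ones; the key bytes and the surrounding buffer are constructed for the demonstration.

```python
# Added triage helper (not FortiGuard's or NailaoLocker's code): locate DER-encoded
# RFC 5915 ECPrivateKey / X.509 SubjectPublicKeyInfo structures on the SM2 curve.
ID_EC_PUBLIC_KEY = bytes.fromhex("06072a8648ce3d0201")   # OID 1.2.840.10045.2.1
SM2_CURVE = bytes.fromhex("06082a811ccf5501822d")        # OID 1.2.156.10197.1.301 (sm2p256v1)

def der_len(buf, pos):
    """Parse the DER length at buf[pos]; return (content_length, field_size) or None."""
    if pos >= len(buf):
        return None
    if buf[pos] < 0x80:
        return buf[pos], 1
    n = buf[pos] & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        return None
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), 1 + n

def find_sm2_keys(buf):
    """Return [{offset, kind, size}] for each SM2 key structure embedded in buf."""
    hits = []
    for i in range(len(buf)):
        parsed = der_len(buf, i + 1) if buf[i] == 0x30 else None   # candidates are SEQUENCEs
        if parsed is None:
            continue
        start, end = i + 1 + parsed[1], i + 1 + parsed[1] + parsed[0]
        body = buf[start:end]
        if end > len(buf) or SM2_CURVE not in body:
            continue
        if body.startswith(b"\x02\x01\x01\x04"):      # version 1, then OCTET STRING privateKey
            hits.append({"offset": i, "kind": "ECPrivateKey", "size": end - i})
        elif body[0] == 0x30:                          # AlgorithmIdentifier comes first
            alg = der_len(buf, start + 1)
            if alg and buf[start + 1 + alg[1]:].startswith(ID_EC_PUBLIC_KEY + SM2_CURVE):
                hits.append({"offset": i, "kind": "SubjectPublicKeyInfo", "size": end - i})
    return hits

def der(tag, content):
    """Short-form DER TLV encoder (content < 128 bytes), only for building the sample."""
    return bytes([tag, len(content)]) + content

# Constructed, non-functional key material embedded in filler bytes (not from the malware)
PRIV, PUB = bytes(range(1, 33)), b"\x04" + bytes(range(64))
EC_PRIVATE_KEY = der(0x30, der(0x02, b"\x01") + der(0x04, PRIV)
                     + der(0xA0, SM2_CURVE) + der(0xA1, der(0x03, b"\x00" + PUB)))
SPKI = der(0x30, der(0x30, ID_EC_PUBLIC_KEY + SM2_CURVE) + der(0x03, b"\x00" + PUB))
SAMPLE = b"MZ" + bytes(40) + EC_PRIVATE_KEY + b"\xcc" * 17 + SPKI + bytes(8)

if __name__ == "__main__":
    for hit in find_sm2_keys(SAMPLE):
        print(f"{hit['kind']} at offset {hit['offset']} ({hit['size']} bytes)")
```

Run it against an unpacked dump rather than a packed binary; a hit on an ECPrivateKey structure is the signal that a private key, not just a public one, ships inside the sample.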