Detailed Analysis of AiLock Ransomware

Author: S2W TALON (Huiseong Yang)

First Published: July 07, 2025

Executive Summary

  • (Introduction) The AiLock ransomware group was first discovered in March 2025. Like other RaaS groups, it negotiates with victim organizations through a negotiation site and threatens to release stolen data through a leak site.
  • (Malware) AiLock ransomware is written in C/C++, appends the .AiLock extension to encrypted files, and drops a ransom note named Readme.txt in each directory containing encrypted files.
  • (Malware) For file encryption it uses an IOCP (I/O Completion Port) and two types of threads (Path Traversal Thread, Encryption Thread) to identify the target files and encrypt them.
    - Path Traversal Thread: identifies the files to be encrypted by filtering against lists of excluded files, directories, and extensions, and passes a structure describing each target file to the Encryption Thread.
    - Encryption Thread: encrypts each file according to the EncryptionState in the received structure, performs the file reads and writes, and, once a file is encrypted, appends a file footer and changes its extension.
  • (Malware) The encryption scheme is ChaCha20 + NTRUEncrypt, and the file encryption method depends on the file size.
    - File Size < 0x6400000 (100MB): the entire file is encrypted
    - 0x6400000 ≤ File Size < 0x40000000 (1GB): partial encryption
    - 0x40000000 ≤ File Size: partial encryption
  • (Conclusion) Given that the negotiation and file-sharing sites keep changing and that new, previously unknown leak sites have been found, the AiLock ransomware group is likely to continue operating, which calls for detection rules and ongoing monitoring.

Introduction

AiLock was first discovered in March 2025, when the international security firm Zscaler published the group’s ransom note, through which its negotiation site was confirmed. At the time of discovery, neither the group’s ransomware samples nor its leak site were publicly available, but the S2W Threat Intelligence Center obtained samples of the group’s ransomware and confirmed that, like other ransomware-as-a-service (RaaS) groups, it operates a Data Leak Site (DLS).

Figure 1. AiLock DLS

As of July 4, 2025, five victims have been identified, but the group is expected to continue uploading victims to the DLS. This report provides a detailed analysis of the AiLock ransomware operated by this group.

Detailed Analysis

AiLock ransomware is written in C/C++, appends the .AiLock extension to encrypted files, and drops a ransom note named Readme.txt in each encrypted directory. Files are encrypted with ChaCha20, and the metadata, including the key used for file encryption, is encrypted with the NTRUEncrypt algorithm. The detailed analysis follows.

Parameter

The ransomware accepts command-line options, and either the -full or the -path parameter must be supplied for it to perform any malicious behavior.

Table 1. AiLock’s Parameters

Obfuscated String

Strings used by the ransomware (e.g., command-line options, debugging messages, API names) are obfuscated with an XOR operation: each string is decoded at use time by XORing it with a random XOR key. The key is 8 bytes long and is applied repeatedly across the string.
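An analyst usually meets this scheme as a carved blob and a guess at one of the strings it hides. The following is an added example (not code from the AiLock sample or from S2W) that recovers an 8-byte repeating XOR key from a known-plaintext guess; SAMPLE_KEY and SAMPLE_PLAIN are constructed here, and the API names are only stand-ins for a real string table.

```python
"""Recover the 8-byte repeating XOR key that protects AiLock's obfuscated strings.

Added example for this analysis, not code from the AiLock sample or from S2W.
SAMPLE_BLOB is constructed: two API names the report says are resolved at runtime,
XORed with a made-up 8-byte key, standing in for a string table carved from the
binary. Recovery uses a known-plaintext guess plus the fact that the key repeats
every 8 bytes, so each derived key byte must agree across repetitions and the
whole blob must decode to printable text."""
from itertools import cycle
from typing import List, Optional

KEY_LEN = 8  # the report states an 8-byte key applied repeatedly


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; obfuscation and deobfuscation are the same operation."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(blob: bytes, known: bytes, key_len: int = KEY_LEN) -> Optional[bytes]:
    """Slide the known plaintext across the blob. At each offset derive key bytes as
    cipher ^ plain; accept the first offset where every key slot is covered, all
    repetitions agree, and the full blob decodes to ASCII with NUL separators."""
    for off in range(len(blob) - len(known) + 1):
        key: List[Optional[int]] = [None] * key_len
        for i, p in enumerate(known):
            slot = (off + i) % key_len
            k = blob[off + i] ^ p
            if key[slot] not in (None, k):
                break  # contradiction: the known text does not sit at this offset
            key[slot] = k
        else:
            if None in key:
                continue  # known text shorter than the key leaves slots undetermined
            candidate = bytes(key)
            if all(c == 0 or 32 <= c < 127 for c in xor_bytes(blob, candidate)):
                return candidate
    return None


def decode_strings(blob: bytes, key: bytes) -> List[str]:
    """Deobfuscate the blob and split it into its NUL-terminated strings."""
    return [s.decode("ascii") for s in xor_bytes(blob, key).split(b"\x00") if s]


# Constructed sample: a made-up key and a plaintext string table.
SAMPLE_KEY = bytes.fromhex("5a13c7882e914fd0")
SAMPLE_PLAIN = b"LoadLibraryA\x00GetProcAddress\x00"
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAIN, SAMPLE_KEY)
```

The known plaintext must cover at least 8 bytes, otherwise some key slots stay undetermined and recovery returns None.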

API Resolving

All APIs used by the AiLock ransomware are resolved dynamically via LoadLibrary() and GetProcAddress(), with the address of each function stored in a global variable.

Verification

After identifying the CPU features of the system via the IsProcessorFeaturePresent() API, it selects a CPU-optimized ChaCha20 implementation and uses it, with a hardcoded key and nonce, to decrypt the Config stored encrypted in the .data section. The decrypted data is checked for the value DE AD BA BE at its first byte, or BA BE DE AD at its 12th byte; this marker identifies the start of the Config data.

  • Config Marker: DE AD BA BE / BA BE DE AD

The decrypted Config contains the NTRUEncrypt public key used to encrypt the metadata of each encrypted file and the ransom note. The decrypted Config ends with a SHA256 hash, which is compared against the SHA256 of the first 0x1414 bytes of the Config to verify that the Config to be used for encryption was decrypted correctly.
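The same two checks are what a config extractor can reuse to confirm that a candidate key, nonce and .data offset were right. The block below is an added example (not code from the AiLock sample or from S2W) that validates a decrypted blob by marker and trailing hash; the sample Config is constructed, and zero-based offsets are an assumption about the report’s wording.

```python
"""Validate a decrypted AiLock-style Config blob by its marker and trailing SHA256.

Added example for this analysis, not code from the AiLock sample or from S2W. The
layout follows the report: the Config starts with DE AD BA BE (or carries BA BE DE AD
at its 12th byte) and the SHA256 of its first 0x1414 bytes is stored right after
them. The sample blob is constructed to that layout with a zero-filled body in place
of the real NTRUEncrypt public key; offsets are taken as zero-based, which is an
assumption about the report's wording."""
import hashlib

CONFIG_DATA_LEN = 0x1414  # bytes covered by the trailing SHA256, per the report
MARKER_AT_0 = bytes.fromhex("DEADBABE")
MARKER_AT_12 = bytes.fromhex("BABEDEAD")


def has_marker(blob: bytes) -> bool:
    """Either marker position identifies the start of the Config data."""
    return blob[:4] == MARKER_AT_0 or blob[12:16] == MARKER_AT_12


def hash_matches(blob: bytes) -> bool:
    """Compare the stored SHA256 with one computed over the first 0x1414 bytes."""
    if len(blob) < CONFIG_DATA_LEN + 32:
        return False
    stored = blob[CONFIG_DATA_LEN:CONFIG_DATA_LEN + 32]
    return hashlib.sha256(blob[:CONFIG_DATA_LEN]).digest() == stored


def validate_config(blob: bytes) -> str:
    """Return 'ok' or the first failed check. Mirroring the sample's own sanity
    checks lets a config extractor tell a wrong key/nonce or .data offset guess
    (no marker) from a truncated or corrupted dump (hash mismatch)."""
    if not has_marker(blob):
        return "no marker"
    if not hash_matches(blob):
        return "hash mismatch"
    return "ok"


def build_sample_config() -> bytes:
    """Constructed Config: marker, zero-filled body standing in for the NTRU key, hash."""
    body = MARKER_AT_0 + b"\x00" * (CONFIG_DATA_LEN - 4)
    return body + hashlib.sha256(body).digest()
```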

Get System Information

The ransomware obtains the system time via the GetSystemTime() and SystemTimeToFileTime() APIs and the number of processors on the affected system via GetSystemInfo(). The number of threads for the I/O Completion Port (IOCP) is set to the number of processors * 2. The IOCP is used during file encryption to pass file data between threads and perform the encryption with multithreading.

Encryption

When AiLock encrypts files, it uses two types of threads, the Path Traversal Thread and the Encryption Thread, passing the structure of each file to be encrypted back and forth between them through the IOCP. Files are encrypted with ChaCha20, and the NTRUEncrypt256 algorithm is used to encrypt the file’s metadata, including the ChaCha20 key, before the file itself is encrypted. Each thread works as follows:

Figure 2. The overall encryption process

Path Traversal Thread

1. List all files in the given path

2. Filter out the extensions, files, and directories excluded from encryption to identify the files that will actually be encrypted

Table 2. Encryption Excluded Extension, File, Directory

3. Pass the Encryption File Structure needed to encrypt each identified file to the Encryption Thread

Table 3. Identified Encryption File Structure

4. Drop a ransom note (ReadMe.txt) in each targeted directory

Encryption Thread

1. Check the EncryptionState in the received Encryption File Structure and perform the behavior corresponding to that state.

Table 4. Malicious Behavior by EncryptionState

2. When a file is received for the first time, it locates the file’s metadata start marker (Metadata_Start_marker_B16B00B5, bytes B5 00 6B B1), encrypts 0xE0 bytes at that address with the NTRUEncrypt algorithm to create a File Footer, and, once the file has been encrypted, appends the File Footer to the end of the file.

Table 5. File Footer Structure

Figure 3. File Footer Structure

3. As in the Verification step, the ChaCha20 implementation optimized for the CPU is selected for file encryption. The CryptGenRandom() function generates 30 bytes of key and nonce material for ChaCha20, and the file is then encrypted according to the EncryptionMode determined by its size.

Table 6. EncryptionMode by file size

4. When encryption is complete, the file’s extension is changed to .AiLock

Logging

The ransomware writes the parameters it was run with, the paths to be encrypted, and the messages used to debug its execution to the command prompt window, and prints the number of bytes read and written while encrypting files in the window’s title bar.

Figure 4. AiLock Logging

Clear Recycle Bin

As the ransomware operates, it empties the recycle bin via the SHEmptyRecycleBinA() API.

Stop Services & Kill Processes

To encrypt as many files as possible, it stops specified services via ControlService() and traverses the process list to terminate specific processes via the TerminateProcess() API.

Table 7. Stop and Kill Service/Process List

Mutex

It creates a mutex named FAUST to prevent duplicate execution.

  • Mutex Name: FAUST

Drive & Network Share Scan

If the -full argument is given, the GetLogicalDrives() API is used to identify all currently mounted drives, and every path on them is encrypted. If the -shares argument is given, the WNet family of APIs is used to resolve the paths of network resources connected to the system, and all files in those paths are passed to the Encryption Thread.

Change Background & File Icon

It drops a tmp.ico file in the %TEMP% path and, through the registry, sets it as the icon for files with the .AiLock extension.

  • Registry Key Path: HKCR\.AiLock\DefaultIcon
  • Value: %TEMP%\tmp.ico

It also calls the SystemParametersInfoW() API to change the desktop wallpaper image, then adjusts the wallpaper display options through the registry.

  • Registry Key Path: HKCU\Control Panel\Desktop\TileWallpaper
  • Value: 0
  • Registry Key Path: HKCU\Control Panel\Desktop\WallpaperStyle
  • Value: 0

Figure 5. Changed File Icon & Background (Left: File icon / Right: Wallpaper)

Self Delete

If the -del parameter is given, the ransomware deletes itself. The command used to self-delete is:

  • Command: cmd.exe /C ping 127.0.0.1 & del [Malware Path]
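The mutex, registry, file and self-delete artifacts described in the Mutex, Change Background & File Icon and Self Delete sections are exactly what host telemetry can be matched against. The block below is an added example (not code from the AiLock sample, from S2W or from any SIEM product) that scores constructed endpoint events against those artifacts; the event field names are an assumption of the example, and only the artifact values come from this report.

```python
"""Flag the AiLock host artifacts described in this report in endpoint telemetry.

Added example for this analysis, not code from the AiLock sample, from S2W or from
any SIEM product. EVENTS is constructed; its field names are an assumption of this
example, and only the artifact values (mutex, registry keys, tmp.ico, Readme.txt,
.AiLock extension, ping-and-del command) come from the report."""
import re
from collections import Counter

EVENTS = [  # constructed telemetry for one host
    {"type": "process", "cmdline": r"C:\Users\Public\ailock.exe -full -shares -del"},
    {"type": "mutex", "name": "FAUST"},
    {"type": "registry", "key": r"HKCR\.AiLock\DefaultIcon", "value": r"%TEMP%\tmp.ico"},
    {"type": "registry", "key": r"HKCU\Control Panel\Desktop\WallpaperStyle", "value": "0"},
    {"type": "file", "path": r"D:\share\reports\Q2.xlsx.AiLock"},
    {"type": "file", "path": r"D:\share\reports\Readme.txt"},
    {"type": "process", "cmdline": r"cmd.exe /C ping 127.0.0.1 & del C:\Users\Public\ailock.exe"},
]

def _reg(key, value_ok=lambda v: True):
    """Case-insensitive match on a registry key path, plus an optional check on its value."""
    return lambda e: e["key"].lower() == key.lower() and value_ok(e["value"].lower())

# rule name -> (event type, predicate); HIGH_CONFIDENCE rules are specific enough to alert alone
RULES = {
    "mutex_faust": ("mutex", lambda e: e["name"] == "FAUST"),
    "file_icon_hijack": ("registry", _reg(r"HKCR\.AiLock\DefaultIcon", lambda v: v.endswith("\\tmp.ico"))),
    "ping_del_self_delete": ("process", lambda e: re.search(
        r"cmd\.exe\s+/c\s+ping\s+127\.0\.0\.1\s*&\s*del\s", e["cmdline"], re.I) is not None),
    "wallpaper_tile_reset": ("registry", _reg(r"HKCU\Control Panel\Desktop\TileWallpaper", lambda v: v == "0")),
    "wallpaper_style_reset": ("registry", _reg(r"HKCU\Control Panel\Desktop\WallpaperStyle", lambda v: v == "0")),
    "ailock_extension": ("file", lambda e: e["path"].lower().endswith(".ailock")),
    "ransom_note": ("file", lambda e: e["path"].lower().endswith("\\readme.txt")),
    "ailock_cmdline_flags": ("process", lambda e: bool(
        {"-full", "-path", "-shares", "-del"} & set(e["cmdline"].lower().split()))),
}
HIGH_CONFIDENCE = {"mutex_faust", "file_icon_hijack", "ping_del_self_delete"}

def match_events(events):
    """Return a Counter of rule name -> number of events that matched it."""
    hits = Counter()
    for e in events:
        for name, (etype, pred) in RULES.items():
            if e["type"] == etype and pred(e):
                hits[name] += 1
    return hits

def verdict(hits):
    """Alert on any high-confidence artifact, or on three distinct weaker ones together."""
    return "ailock_suspected" if HIGH_CONFIDENCE & set(hits) or len(hits) >= 3 else "no_match"
```

A lone Readme.txt or a generic -path flag is deliberately treated as weak evidence, so only their combination, or one of the AiLock-specific artifacts, produces an alert.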

Conclusion

  • The AiLock ransomware group first appeared in March 2025 and has been active since, with two victims uploaded to the DLS.
  • Since the discovery of the negotiation site and file-sharing site, the AiLock ransomware group has moved its infrastructure and opened new leak sites, indicating that it is likely to continue its operations in the future.
  • Therefore, it is deemed necessary to apply detection rules to this group and monitor it on an ongoing basis.

Appendix A. IoCs

The IoC list can be found on our GitHub.

Appendix B. Detection Rules

The detection rules can be found on our GitHub.

Appendix C. MITRE ATT&CK

Execution

  • (T1059.003) Windows Command Shell

Privilege Escalation

  • (T1134.001) Token Impersonation/Theft

Defense Evasion

  • (T1480) Execution Guardrails
  • (T1027) Obfuscated Files or Information
  • (T1480.002) Mutual Exclusion

Discovery

  • (T1082) System Information Discovery
  • (T1083) File and Directory Discovery
  • (T1135) Network Share Discovery

Impact

  • (T1486) Data Encrypted for Impact
  • (T1489) Service Stop

Detailed Analysis of AiLock Ransomware was originally published in S2W BLOG on Medium.
