✅ Report Title: AiLock Ransomware Analysis Report: Techniques, Tactics, and Indicators
✅ Executive Summary
- The AiLock ransomware group was first identified in March 2025. Like other RaaS (Ransomware-as-a-Service) groups, it conducts negotiations with victims through a dedicated site and threatens to expose stolen data via a leak site.
- Written in C/C++, AiLock appends the extension .AiLock to encrypted files and drops a ransom note titled Readme.txt in the affected directories.
- The ransomware utilizes IOCP (I/O Completion Port) for file encryption, spawning two threads — a Path Traversal Thread and an Encryption Thread — to identify and encrypt target files.
- It employs a combination of ChaCha20 and NTRUEncrypt for encryption, with different methods applied based on file size.
📌 What is AiLock Ransomware?
- First identified in March 2025 when Zscaler published the group’s ransom note, AiLock follows the typical RaaS model, operating both a negotiation site and a Data Leak Site (DLS).
- At the time of discovery, neither the ransomware samples nor the leak site were publicly accessible.
- As of April 10, 2025, two victim organizations had been identified, with more expected to be listed on the DLS over time.
✅ Detection Recommendations and Mitigation
- After the exposure of its negotiation and file-sharing sites, the AiLock group relocated its infrastructure and launched new leak sites, indicating an ongoing and adaptive threat.
- It is critical to apply detection rules specific to AiLock and maintain continuous monitoring to track its evolving tactics and infrastructure.
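As an added illustration of the detection recommendation above (this is example code written for this summary, not S2W TALON's rules or anything from the full report), the script below correlates the two file-system indicators the summary names, the .AiLock extension and the Readme.txt ransom note, per host over a constructed file-event log. The log line format, the host names and paths, and the 60-second burst window and threshold of three files are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample file-event log (hypothetical format, not from the report):
#   "<UTC timestamp> host=<hostname> op=<create|rename> path=<full path>"
SAMPLE_EVENTS = """\
2025-04-10T09:00:01Z host=ws-017 op=rename path=C:\\Users\\alice\\Documents\\q1.xlsx.AiLock
2025-04-10T09:00:01Z host=ws-017 op=rename path=C:\\Users\\alice\\Documents\\plan.docx.AiLock
2025-04-10T09:00:02Z host=ws-017 op=create path=C:\\Users\\alice\\Documents\\Readme.txt
2025-04-10T09:00:03Z host=ws-017 op=rename path=C:\\Users\\alice\\Pictures\\img1.png.AiLock
2025-04-10T09:05:00Z host=ws-042 op=create path=C:\\Users\\bob\\Desktop\\Readme.txt
2025-04-10T09:06:00Z host=ws-042 op=create path=C:\\Users\\bob\\Desktop\\notes.txt
2025-04-10T09:30:00Z host=ws-099 op=rename path=D:\\archive\\old.bak.AiLock
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) op=(?P<op>\S+) path=(?P<path>.+)$")
ENCRYPTED_EXT = ".ailock"   # extension AiLock appends to encrypted files (from the report summary)
RANSOM_NOTE = "readme.txt"  # ransom note file name (from the report summary)
BURST_WINDOW = timedelta(seconds=60)  # assumed tuning value
BURST_THRESHOLD = 3                   # assumed tuning value: .AiLock files inside one window


def parse_events(text):
    """Parse the hypothetical log format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "host": m["host"],
            "op": m["op"],
            "path": m["path"],
        })
    return events


def basename(path):
    # Handle Windows and POSIX separators regardless of where the analysis runs
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def max_burst(timestamps, window):
    """Largest number of events that fall inside any sliding window of `window` length."""
    ts = sorted(timestamps)
    best, start = 0, 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze_events(text):
    """Return per-host findings keyed by hostname; hosts with no indicator are omitted."""
    per_host = defaultdict(lambda: {"ailock_files": 0, "ailock_times": [], "ransom_note": False})
    for ev in parse_events(text):
        h = per_host[ev["host"]]
        if ev["path"].lower().endswith(ENCRYPTED_EXT):
            h["ailock_files"] += 1
            h["ailock_times"].append(ev["ts"])
        elif ev["op"] == "create" and basename(ev["path"]) == RANSOM_NOTE:
            h["ransom_note"] = True

    findings = {}
    for host, h in per_host.items():
        burst = max_burst(h["ailock_times"], BURST_WINDOW)
        # The .AiLock extension is specific to this family; Readme.txt alone is a
        # generic file name, so on its own it only rates a low-confidence finding.
        if h["ailock_files"] and h["ransom_note"]:
            severity = "high"
        elif h["ailock_files"]:
            severity = "medium"
        elif h["ransom_note"]:
            severity = "low"
        else:
            continue
        findings[host] = {
            "ailock_files": h["ailock_files"],
            "ransom_note": h["ransom_note"],
            "max_burst_60s": burst,
            "burst_exceeded": burst >= BURST_THRESHOLD,
            "severity": severity,
        }
    return findings


if __name__ == "__main__":
    for host, f in sorted(analyze_events(SAMPLE_EVENTS).items()):
        print(host, f)
```

Run against a real EDR or Sysmon file-event export, only the `LINE_RE` pattern and the timestamp format need to change; the per-host correlation and burst logic stay the same. The burst count is what separates a single stray rename from the mass-encryption pattern described in the summary.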
🧑‍💻 Author: S2W TALON
👉 Read the full report: https://bit.ly/4nxAAZL