AiLock Ransomware Emerges with Hybrid Encryption Tactics: ChaCha20 Meets NTRUEncrypt

The AiLock ransomware group, which Zscaler first discovered in March 2025, has quickly become a notable force in the ransomware-as-a-service (RaaS) market, a worrying trend for cybersecurity professionals.

This malicious entity operates with a sophisticated structure, leveraging both a negotiation site to extract ransoms from victims and a Data Leak Site (DLS) to threaten the release of stolen data.

Figure: AiLock DLS

As of July 4, 2025, five organizations have fallen prey to this group, with expectations of more victims being listed on their DLS.

According to the report, the S2W Threat Intelligence Center has analyzed samples of AiLock ransomware, revealing intricate technical details that underscore the group’s advanced approach to file encryption and system compromise.

With its infrastructure continuously evolving, evident in changing negotiation and leak sites, AiLock poses a persistent threat that demands rigorous monitoring and robust detection strategies.

Hybrid Encryption

AiLock ransomware, coded in C/C++, employs a dual-threaded mechanism for file encryption, utilizing I/O Completion Ports (IOCP) to manage operations efficiently.

The Path Traversal Thread maps out target files, filtering out specific extensions and directories to avoid, while the Encryption Thread handles the actual encryption process based on a predefined EncryptionState.

Figure: The overall encryption process

What sets AiLock apart is its hybrid encryption model: it uses the ChaCha20 algorithm for file content encryption, optimized for different CPU architectures, and the NTRUEncrypt algorithm to secure metadata, including the ChaCha20 key.

The encryption strategy varies by file size: full encryption for files under 100MB, and partial encryption for larger files, up to and beyond 1GB, maximizing speed without sacrificing impact.

Post-encryption, files are appended with the .AiLock extension and a ransom note titled Readme.txt is dropped in affected directories.

Additionally, AiLock obfuscates critical strings via XOR operations, dynamically resolves APIs using LoadLibrary() and GetProcAddress(), and verifies configurations with SHA256 hashes and specific markers like DE AD BA BE.

The ransomware doesn’t stop at encryption; it disrupts systems further by stopping services, killing processes, emptying the Recycle Bin, altering desktop wallpapers, and changing file icons via registry modifications.

If executed with specific parameters like -del, it even initiates self-deletion to cover its tracks.

A Persistent and Evolving Menace

AiLock’s operational tactics reveal a group intent on long-term disruption. It targets both local drives and network shares, scanning for connected resources to maximize damage.

A mutex named FAUST prevents multiple instances from running simultaneously, while logging mechanisms output encryption details to the command prompt for debugging.

The group’s ability to adapt is evident in their shifting infrastructure, with new leak sites emerging since their initial discovery.

With such resilience, AiLock is poised to remain a significant cyber threat, necessitating continuous vigilance, updated detection rules, and proactive defense measures to mitigate its impact on organizations worldwide.

Indicators of Compromise (IOC)

Category                  Details
File Extension            .AiLock
Ransom Note               Readme.txt
Mutex Name                FAUST
Registry Key (Icon)       HKCR/.AiLock/DefaultIcon
Registry Key (Wallpaper)  HKCU/Control Panel/Desktop
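As an added example, not taken from the S2W report or the article, the following read-only Python triage script turns the host-side indicators in the table above into a scan: it walks a directory tree for the .AiLock extension and co-located Readme.txt notes, and on Windows also probes the FAUST mutex and the HKCR icon key. The mutex namespace (no Global\ prefix), the co-location heuristic for ransom notes, and the sample directory names are assumptions.

```python
import os
import sys
import tempfile
from dataclasses import dataclass, field
ENCRYPTED_EXT = ".AiLock"          # extension appended to encrypted files
RANSOM_NOTE = "Readme.txt"         # note dropped in affected directories
MUTEX_NAME = "FAUST"               # single-instance mutex (assumed: no Global\ prefix)
ICON_KEY = r".AiLock\DefaultIcon"  # HKCR subkey used to change the file icon
@dataclass
class Findings:
    encrypted_files: list = field(default_factory=list)
    ransom_notes: list = field(default_factory=list)  # only those beside .AiLock files
    mutex_present: bool = False
    icon_key_present: bool = False

def scan_tree(root: str) -> Findings:
    """Read-only walk; a Readme.txt counts only in a directory that also
    holds .AiLock files, which filters out ordinary project readmes (assumption)."""
    f = Findings()
    for dirpath, _dirs, files in os.walk(root):
        hits = [n for n in files if n.endswith(ENCRYPTED_EXT)]
        f.encrypted_files += [os.path.join(dirpath, n) for n in hits]
        if hits and RANSOM_NOTE in files:
            f.ransom_notes.append(os.path.join(dirpath, RANSOM_NOTE))
    return f

def check_live_host(f: Findings) -> Findings:
    """Windows-only: open the mutex by name and look for the icon registry key."""
    if sys.platform != "win32":
        return f
    import ctypes, winreg
    h = ctypes.windll.kernel32.OpenMutexW(0x00100000, False, MUTEX_NAME)  # SYNCHRONIZE
    f.mutex_present = bool(h)
    if h:
        ctypes.windll.kernel32.CloseHandle(h)
    try:
        winreg.CloseKey(winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, ICON_KEY))
        f.icon_key_present = True
    except OSError: pass  # key absent: no icon hijack on this host
    return f

def demo() -> Findings:
    """Constructed sample tree: one affected directory plus a benign readme elsewhere."""
    root = tempfile.mkdtemp()
    for d in ("finance", "tools"):
        os.makedirs(os.path.join(root, d))
    for d, name in (("finance", "q2.xlsx" + ENCRYPTED_EXT),
                    ("finance", RANSOM_NOTE), ("tools", RANSOM_NOTE)):
        open(os.path.join(root, d, name), "w").close()
    return check_live_host(scan_tree(root))
```

Run `scan_tree()` against user data shares and `check_live_host()` on suspect endpoints; the benign readme in `tools` is deliberately not reported.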
