The cybersecurity landscape has witnessed the emergence of AiLock, a new ransomware-as-a-service (RaaS) threat first uncovered in March 2025.
Initially brought to light by security firm Zscaler, AiLock distinguishes itself with its hybrid encryption methods and multi-stage attack techniques, marking a significant evolution in ransomware tactics.
Although the number of confirmed victims (five as of July 4, 2025) remains modest, the group’s aggressive infrastructure changes and continually updated leak sites signal a persistent, adaptable threat that warrants vigilant monitoring.
Technical Analysis
AiLock ransomware is engineered in C/C++ and leverages several advanced technical features to maximize its reach and impact.
Upon execution, the malware appends the “.AiLock” extension to encrypted files and deposits a ransom note (“Readme.txt”) in each affected directory.

Central to AiLock’s operation is its use of multithreading via I/O Completion Ports (IOCP), which enables efficient file encryption even across multi-core systems.
Two dedicated threads, a path traversal thread and an encryption thread, work in tandem: the path traversal thread identifies files for encryption while excluding predefined directories and file types, then passes structured information to the encryption thread.
According to the report, the encryption thread then performs the cryptographic operations, using an optimized ChaCha20 implementation for file data and NTRUEncrypt for file metadata and keys.
Of particular note is AiLock’s flexible encryption strategy, which tailors the encryption scope to file size: complete encryption for files under 100MB and partial encryption for larger files.
Each encrypted file receives a distinct footer containing cryptographic markers and metadata, further complicating decryption efforts.

Lateral Movement
AiLock’s developers employ robust string obfuscation, using XOR operations to disguise command-line instructions and API calls.
All APIs are dynamically resolved at runtime via LoadLibrary and GetProcAddress, enhancing stealth and complicating static analysis.
The malware also verifies its configuration data through hardcoded cryptographic markers and SHA256 hashes, ensuring operational integrity.
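Recovering XOR-hidden strings is the first thing an analyst does with a sample like this, because once the API names and command lines are readable the dynamic-resolution trick no longer hides anything. The helper below is an added example, not code from Zscaler or from the AiLock sample; the article does not state the key length or string layout, so it assumes a one-byte key and NUL-separated strings (both assumptions) and scores each candidate key by how text-like the output is. The obfuscated sample blob is constructed from the two resolver APIs and a few indicators named on this page.

```python
"""Recover single-byte-XOR obfuscated strings from a blob of bytes.

Analyst-side helper, added here as an example; it is not Zscaler's or
AiLock's code. The article says AiLock hides command lines and API names
with XOR but does not state the key length or layout, so this assumes a
one-byte key and NUL-separated strings (both assumptions) and scores each
candidate key by how text-like its output is.
"""


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a one-byte key."""
    return bytes(b ^ key for b in data)


def text_score(data: bytes) -> int:
    """+1 for printable ASCII or a NUL separator, -3 for anything else.

    A key that turns even one byte into a control character or a byte
    above 0x7E loses to a key that yields clean text throughout.
    """
    score = 0
    for b in data:
        score += 1 if b == 0 or 0x20 <= b <= 0x7E else -3
    return score


def rank_keys(blob: bytes, top: int = 3) -> list[tuple[int, int]]:
    """Return the `top` candidate keys, best first, as (key, score)."""
    scored = [(k, text_score(xor_bytes(blob, k))) for k in range(1, 256)]
    scored.sort(key=lambda kv: kv[1], reverse=True)
    return scored[:top]


def extract_strings(decoded: bytes, min_len: int = 4) -> list[str]:
    """Split on NUL and keep runs of printable ASCII at least min_len long."""
    out = []
    for chunk in decoded.split(b"\x00"):
        if len(chunk) >= min_len and all(0x20 <= b <= 0x7E for b in chunk):
            out.append(chunk.decode("ascii"))
    return out


def recover_strings(blob: bytes) -> tuple[int, list[str]]:
    """Pick the best-scoring key and return it with the strings it reveals."""
    key, _ = rank_keys(blob, top=1)[0]
    return key, extract_strings(xor_bytes(blob, key))


# Constructed sample: a string table an analyst might hope to find (the two
# resolver APIs and a few indicators from the article), obfuscated with the
# arbitrary one-byte key 0x5A. These are not bytes from a real sample.
SAMPLE_KEY = 0x5A
SAMPLE_PLAIN = (b"LoadLibraryA\x00GetProcAddress\x00Readme.txt\x00"
                b"%TEMP%\\tmp.ico\x00FAUST\x00")
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAIN, SAMPLE_KEY)

if __name__ == "__main__":
    key, strings = recover_strings(SAMPLE_BLOB)
    print(f"best key: 0x{key:02x}")
    for s in strings:
        print("  ", s)
```

Because the sample contains NUL separators, punctuation and mixed-case letters, every wrong key maps at least one byte outside the printable range, so the true key is the unique top score; on a real blob, `rank_keys` with `top=3` is worth eyeballing before trusting the winner.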
The ransomware collects system information such as the number of CPU cores and system time to dynamically scale its multithreaded operations.
In pursuit of maximum impact, AiLock stops services, terminates processes associated with productivity and backup software, and clears the recycle bin to maximize file inaccessibility.
It scans for local and networked drives, encrypts mapped network resources, changes desktop wallpapers, and modifies file icons to further signal the compromise to victims.
Persistence is achieved by creating a mutex (“FAUST”) to prevent multiple executions, and a self-deletion routine is available via command-line parameters to erase evidence post-attack.
Throughout the process, logging is directed to the command prompt for debugging and operational feedback.
AiLock’s operators have demonstrated agility by shifting negotiation and data leak sites, indicating a high degree of operational security and persistence.
The constant expansion of victim postings on their Data Leak Site (DLS) and the discovery of undisclosed leak sites suggest AiLock is intent on broadening its impact.
Given these factors, the ransomware’s technical sophistication, and its ongoing evolution, cybersecurity teams are urged to update detection mechanisms and maintain continuous monitoring to mitigate potential risks.
Indicator of Compromise (IOC) Table
| IOC Type | Value | Description |
|---|---|---|
| File Extension | .AiLock | Appended to encrypted files |
| Ransom Note | Readme.txt | Dropped in each encrypted directory |
| Mutex Name | FAUST | Used to avoid multiple infection runs |
| File Icon | %TEMP%\tmp.ico | Sets icon for encrypted files |
| Registry Key (Icon) | HKCR/.AiLock/DefaultIcon | Points to tmp.ico |
| Registry Key (Wallpaper) | HKCU/Control Panel/Desktop/TileWallpaper | Sets wallpaper after infection |
| Processor Check | IsProcessorFeaturePresent API | Used for selecting optimized algorithms |
| Encryption Algorithms | ChaCha20, NTRUEncrypt256 | For data encryption and metadata |
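Turning the host-side rows of this table into a detection check, as an added example that is not code from the article or from Zscaler: the function below matches a stream of constructed, loosely Sysmon-like event records (the field names "type", "path" and "target" are assumptions, not a real schema) against the extension, ransom note, icon drop and registry indicators above. It deliberately reports a Readme.txt only when it lands in a directory that also received .AiLock files, since the name alone is far too common to alert on, and it counts how many distinct indicator types fire, because several together are a far stronger signal than any single one.

```python
"""Match constructed host telemetry against the AiLock indicators tabulated above.

Added example, not code from the article or from Zscaler. The event
records are constructed in a loosely Sysmon-like shape just to exercise
the matching logic; the field names ("type", "path", "target") are
assumptions, not a real schema.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

# Indicators from the IOC table. Registry paths are compared with
# backslashes and in lower case so either separator spelling matches.
ENCRYPTED_EXT = ".ailock"
RANSOM_NOTE = "readme.txt"
ICON_FILE = "tmp.ico"          # dropped under %TEMP%
REGISTRY_IOCS = {
    r"hkcr\.ailock\defaulticon": "Registry Key (Icon)",
    r"hkcu\control panel\desktop\tilewallpaper": "Registry Key (Wallpaper)",
}


def norm_reg(path: str) -> str:
    """Normalize a registry path for comparison."""
    return path.replace("/", "\\").lower()


def match_events(events: list[dict]) -> dict:
    """Return {"hits": [(ioc_type, value), ...], "encrypted_dirs": {dir: n}}.

    A Readme.txt is only reported when it lands in a directory that also
    received .AiLock files: on its own the name is far too common to alert on.
    """
    hits = []
    encrypted_dirs = defaultdict(int)
    note_paths = []
    for ev in events:
        if ev["type"] == "FileCreate":
            p = PureWindowsPath(ev["path"])
            parent = str(p.parent).lower()
            if p.suffix.lower() == ENCRYPTED_EXT:
                encrypted_dirs[parent] += 1
                hits.append(("File Extension", ev["path"]))
            elif p.name.lower() == RANSOM_NOTE:
                note_paths.append((parent, ev["path"]))
            elif p.name.lower() == ICON_FILE and p.parent.name.lower() == "temp":
                hits.append(("File Icon", ev["path"]))
        elif ev["type"] == "RegistryValueSet":
            ioc_type = REGISTRY_IOCS.get(norm_reg(ev["target"]))
            if ioc_type:
                hits.append((ioc_type, ev["target"]))
    # Second pass: a ransom note counts only next to freshly encrypted files.
    for parent, path in note_paths:
        if parent in encrypted_dirs:
            hits.append(("Ransom Note", path))
    return {"hits": hits, "encrypted_dirs": dict(encrypted_dirs)}


def distinct_ioc_types(hits) -> int:
    """Number of different indicator types seen; several together are a much
    stronger signal than any single one."""
    return len({t for t, _ in hits})


# Constructed events: two documents encrypted in one folder with a note
# beside them, a benign Readme.txt elsewhere, the icon drop and the two
# registry writes from the table, plus one unrelated registry write.
SAMPLE_EVENTS = [
    {"type": "FileCreate", "path": r"C:\Users\alice\Documents\Q2-report.xlsx.AiLock"},
    {"type": "FileCreate", "path": r"C:\Users\alice\Documents\budget.docx.AiLock"},
    {"type": "FileCreate", "path": r"C:\Users\alice\Documents\Readme.txt"},
    {"type": "FileCreate", "path": r"C:\Users\alice\Projects\tool\Readme.txt"},
    {"type": "FileCreate", "path": r"C:\Users\alice\AppData\Local\Temp\tmp.ico"},
    {"type": "RegistryValueSet", "target": r"HKCR\.AiLock\DefaultIcon"},
    {"type": "RegistryValueSet", "target": "HKCU/Control Panel/Desktop/TileWallpaper"},
    {"type": "RegistryValueSet", "target": r"HKCU\Software\Vendor\Setting"},
]

if __name__ == "__main__":
    result = match_events(SAMPLE_EVENTS)
    for ioc_type, value in result["hits"]:
        print(f"{ioc_type:26} {value}")
    print("distinct IOC types:", distinct_ioc_types(result["hits"]))
    print("encrypted dirs:", result["encrypted_dirs"])
```

On the constructed events this yields six hits across five indicator types and a single directory with two encrypted files; the benign Readme.txt under Projects and the unrelated registry write produce nothing. The mutex and processor-check rows are not covered here because they are visible to a debugger or sandbox rather than to file and registry telemetry.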