Ailock
Known to be a RaaS
Description
AiLock is a Ransomware-as-a-Service (RaaS) group first identified in March 2025. It employs a double-extortion approach—encrypting files and threatening to report breaches to regulators or share stolen data with competitors if the ransom isn’t paid. Victims have just 72 hours to respond and up to five days to pay; failure to pay results in data leaks and destruction of recovery tools. The ransomware appends the extension .AiLock to encrypted files, changes file icons to a green padlock with the “AiLock” name, and replaces the desktop wallpaper with a distinctive robot-skull logo. It employs a hybrid encryption scheme, combining ChaCha20 for file encryption with NTRUEncrypt for securing metadata, and uses a multi-threaded design (path-traversal and encryption threads with IOCP) for efficiency. While active campaigns and leak sites are confirmed, specific sectors, regions, and intrusion methods remain undisclosed in public sources.
External Analysis
https://www.fortra.com/blog/ailock-ransomware
https://gbhackers.com/ailock-ransomware-emerges-with-hybrid-encryption-tactics/
https://medium.com/s2wblog/detailed-analysis-of-ailock-ransomware-1d3263beff15
https://s2w.inc/en/resource/detail/871
File servers
http://vnsggttwhcofyeh3nxoynxtg5mk5xl4cd7e3c4x62aqb2rj4rfjh3eqd.onion
Chat servers
http://jaawqs6wu56n2adj7qrjg25dhcux2nislvjouffpzldj23e4y72akoid.onion