Skip to content
Ransomware group

Ailock

AiLock is a ransomware-as-a-service (RaaS) operation first publicly identified in March 2025.

Profile source: Mallory opens in a new tab

Ailock

Family profile

AiLock is a ransomware-as-a-service (RaaS) operation first publicly identified in March 2025. The group conducts double-extortion campaigns, using a negotiation portal to pressure victims into payment and a data leak site to threaten or publish stolen information. Reporting in 2026 indicates the operation remained active and at times republished data associated with earlier victims, suggesting continuity of extortion activity even as its leak infrastructure evolved.

AiLock has targeted organizations across multiple countries and sectors, including construction, manufacturing, healthcare, education, business services, consumer services, and real estate-related organizations. Observed victims span North America, Europe, and Latin America, indicating broad opportunistic targeting rather than a narrowly defined vertical or regional focus.

The ransomware payload has been analyzed as a C/C++ malware family that appends a distinctive encrypted-file extension and drops ransom notes in affected directories. It uses ChaCha20 for file-content encryption and NTRUEncrypt to protect metadata and encryption material. The malware supports multithreaded encryption using I/O Completion Ports, separates path traversal from encryption logic, and varies encryption behavior by file size, including full encryption for smaller files and partial encryption for larger files to improve speed and impact.

Observed functionality includes dynamic API resolution, XOR-based string obfuscation, configuration decryption and integrity validation, drive and network-share enumeration, service stopping, process termination, recycle-bin clearing, wallpaper and icon modification, mutex-based execution control, and optional self-deletion. Execution has been associated with command-line modes controlling scope, including local file-system traversal and network-share targeting.

AiLock is best characterized as a financially motivated cybercriminal ransomware group rather than a nation-state actor. No high-confidence public attribution to a specific country or government is established in the available information. The group is primarily known under the name AiLock, and no well-established alternate aliases or confirmed sub-groups are evident from the available reporting.

Ransomware.live

Operational record

View group record ↗

Ransomware.live

Published indicators

Full source record ↗

Md5

1 total
  • 2a728d98ae8280efeaa674783181f3fa

Sha256

1 total
  • 3c7c91cd4dc336db8082e07ab7549556f05d80acbc778afc2dade67c02002f69

Ransomware.live

Recent claims

All published claims ↗

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.