Nokoyawa was first observed in February 2022, and researchers from Trend Micro initially thought it was related to Hive ransomware. FortiGuard Labs also observed code reuse from Babuk ransomware, whose source code was leaked in September 2021; since that leak, several ransomware authors have borrowed some of Babuk's capabilities. Shortly after those discoveries, in April 2022, researchers from SentinelLabs disputed Trend Micro's claim that it was related to Hive. Instead, they found it was most closely related to the Karma (Nemty) ransomware.
Nokoyawa is unusual in that it uses a rarely observed Elliptic Curve Cryptography (ECC) encryption routine: specifically, the SECT233R1 curve (ECC-SECT233R1), also known as NIST B-233. The ransomware encrypts each file with the Salsa20 symmetric cipher and combines it with the asymmetric ECC-SECT233R1 scheme. Unsurprisingly, after encryption the ransomware appends a self-titled file extension, so that a file becomes <file name>.NOKOYAWA.
The ransomware operators are believed to have breached several organizations across the globe, including in the United States, Brazil, Romania, Singapore, and even Saint Kitts and Nevis. When the group published its data leak site (DLS) on the dark web, the first alleged victim publicly denied on Twitter that it had been breached. It is therefore uncertain whether the first victim on the list below was truly compromised or whether the denial was made to save face. The group nevertheless continued to post victims on its site. Interestingly, some of the ransom notes for some victims included links to another ransomware group, Snatch, and one victim was even posted on both groups' data leak sites. We are uncertain of the relationship between the two groups, if any.
Nokoyawa has several subsequent variants, including Nokoyawa 1.1, Nokoyawa 2.0, and Nevada (Nokoyawa 2.1). Nokoyawa 1.1 added a few new features for ransomware operators. Version 2.0 was rewritten in Rust and added more capabilities than before. The authors then changed their name to Nevada but kept Rust as the development language. It appears that the group has two concurrent encryptors in development, one in C/C++ and the other in Rust.
Incredibly in-depth analysis from The DFIR Report provides insight into how the Nokoyawa operators function once inside a victim's network, as well as how they obtain initial access (see references below). The operators appear to leverage well-known malware droppers such as IcedID, delivered through the most successful avenue of initial access: phishing campaigns. Once in a network, they use common post-exploitation tools such as Cobalt Strike for remote command execution and persistence, and eventually carry out encryption coupled with data exfiltration.
Samples (SHA-256) (6)
Known Victims (36)
Industry Sector | Country | Extortion Date | Amount (USD)
---|---|---|---
Information Technology | Australia | |
Information Technology | United Kingdom | |
Utilities | Philippines | |
Automotive | United States | |
Education | United States | |
Government | United States | | $700,000
Utilities | United States | |
Government | France | |
Professional Services | United States | |
Insurance | United States | |
Construction & Architecture | Germany | |
Education | United Kingdom | |
Healthcare & Medicine | Brazil | |
Healthcare & Medicine | Canada | |
Healthcare & Medicine | Australia | |
Distribution & Logistics | United Kingdom | |
Healthcare & Medicine | United States | |
Healthcare & Medicine | United States | |
Professional Services | United States | |
Automotive | Morocco | |
Education | United States | |
Education | United States | |
Education | Saint Kitts and Nevis | |
Professional Services | Romania | |
Information Technology | United States | |
Distribution & Logistics | United States | |
Healthcare & Medicine | United States | |
Construction & Architecture | Canada | |
Construction & Architecture | United States | |
Oil & Gas | Singapore | |
Religion | United States | |
Healthcare & Medicine | United States | |
Healthcare & Medicine | United States | |
Utilities | United States | |
Religion | United States | |
Construction & Architecture | United States | |