Ransomware - Nokoyawa

Nokoyawa
Aliases
Noko
UserName
UserNamme
Decryptor Available
No
Description

Nokoyawa was first observed in February 2022, and researchers from Trend Micro initially thought it was related to Hive ransomware. FortiGuard Labs also observed examples of code reuse from Babuk ransomware, whose source code was leaked in September 2021 and has since been reused by other ransomware authors. Shortly after those discoveries, in April 2022, researchers from SentinelLabs disputed Trend Micro's claim that it was related to Hive; they found instead that it was most closely related to the Karma (Nemty) ransomware.

Nokoyawa is unusual in that it uses a rarely observed Elliptic Curve Cryptography (ECC) encryption routine based on the SECT233R1 curve (ECC-SECT233R1), also known as NIST B-233. The ransomware encrypts each file with the Salsa20 symmetric cipher and protects the file key with the asymmetric ECC-SECT233R1 scheme. Unsurprisingly, after encryption, the ransomware appends a self-titled file extension, <file name>.NOKOYAWA.

The ransomware operators are believed to have breached several organizations across the globe, including in the United States, Brazil, Romania, Singapore, and even Saint Kitts and Nevis. When the group published its data leak site (DLS) on the dark web, the first alleged victim publicly denied on Twitter that it had been breached, so it is uncertain whether the first victim on the list below is truly a victim or denied the breach to save face. The group nonetheless continued to leak victims on its site. Interestingly, the ransom notes for some victims included links to another ransomware group, Snatch, and one victim was even posted on both groups' data leak sites, although we are uncertain of the two groups' relationship, if any.

Nokoyawa has several subsequent variants, including Nokoyawa 1.1, Nokoyawa 2.0, and Nevada (Nokoyawa 2.1). Nokoyawa 1.1 added a few new features for ransomware operators. Version 2.0 was rewritten in Rust and added further capabilities. The authors then changed the name to Nevada but kept Rust as the development language. The group appears to have two encryptors in concurrent development, one in C/C++ and the other in Rust.

An incredibly in-depth analysis from The DFIR Report provides insight into how the Nokoyawa operators function once inside a victim's network, as well as how they gain initial access (see references below). The operators appear to leverage well-known malware droppers such as IcedID, delivered through the most successful avenue of initial access, phishing campaigns. Once in a network, they leverage common hacking tools such as Cobalt Strike to run remote commands, establish persistence, and eventually carry out encryption coupled with exfiltration.

Ransomware Type
Crypto-Ransomware
HumOR
Country of Origin
Russia
First Seen
Threat Actors
Type: Actor
Cybergroup: Traveling Spider
IAB: TA551
Affiliate: DEV-0237
Affiliate: ShadowSyndicate
Extortion Types
Direct Extortion
Double Extortion
Extortion Amounts
Amount
$700,000
$1,500,000
Communication
Encryption
Type
Hybrid
Files
Salsa20
Key
ECC-SECT233R1
File Extension
<file name>.NOKOYAWA
Ransom Note Name
NOKOYAWA_readme.txt
Industry Sector | Land | Extortion Date | Amount (USD)
Information Technology | Australia | |
Information Technology | United Kingdom | |
Utilities | Philippines | |
Automotive | United States | |
Education | United States | |
Government | United States | | $700,000
Utilities | United States | |
Government | France | |
Professional Services | United States | |
Insurance | United States | |
Construction & Architecture | Germany | |
Education | United Kingdom | |
Healthcare & Medicine | Brazil | |
Healthcare & Medicine | Canada | |
Healthcare & Medicine | Australia | |
Distribution & Logistics | United Kingdom | |
Healthcare & Medicine | United States | |
Healthcare & Medicine | United States | |
Professional Services | United States | |
Automotive | Morocco | |
Education | United States | |
Education | United States | |
Education | Saint Kitts and Nevis | |
Professional Services | Romania | |
Information Technology | United States | |
Distribution & Logistics | United States | |
Healthcare & Medicine | United States | |
Construction & Architecture | Canada | |
Construction & Architecture | United States | |
Oil & Gas | Singapore | |
Religion | United States | |
Healthcare & Medicine | United States | |
Healthcare & Medicine | United States | |
Utilities | United States | |
Religion | United States | |
Construction & Architecture | United States | |