Nokoyawa

Malware updated 2 months ago (2024-09-10T13:17:46.884Z)

Download STIX

Preview STIX

Nokoyawa is a prominent malware, specifically ransomware, that has been linked to numerous cybercrime activities since it first emerged in 2022. It has been associated with various other malware families including Quantum, Royal, BlackBasta, and a variety of others such as Emotet, IcedID, CobaltStrike, SVCReady, CargoBay, Pushdo, Minodo, DiceLoader, AresLoader, LummaC2, Vidar, Gozi, Canyon, among others. This malicious software has been utilized by threat actors to exploit and damage computer systems, often leading to data theft, disruption of operations, or holding data hostage for ransom. The malware has also been linked to notable ransomware groups like Bashful Scorpius (aka Nokoyawa) and Ambitious Scorpius (aka ALPHV/BlackCat) in 2023. Throughout 2023, Nokoyawa and its related ransomware strains expanded their reach through affiliations with several other malware families, including BlackBasta ransomware, Minodo, Diceloader, a new malware family named Canyon, Aresloader, and the information stealers Vidar and LummaC2. Security experts have suggested potential links between Nokoyawa and Russian-linked ransomware groups due to similarities in encryption techniques. Furthermore, Nokoyawa was one of the malware types exploited by multiple ransomware groups, including Akira, Clop, LockBit, and others, leveraging zero-day vulnerabilities. The Nokoyawa ransomware group notably exploited a Windows Common Log File System zero-day, identified as CVE-2023-28252, as reported by Kaspersky in April 2023. Other offshoots of Nokoyawa include ESXiArgs, which targeted VMware hypervisors, and Rorschach, a mix of different ransomwares that appeared in April 2023. The malware has also been linked to the activities of ransomware groups Hive and Play, suggesting a potential affiliation. As of now, Nokoyawa continues to pose a significant cybersecurity threat due to its widespread use and evolving strategies.

Description last updated: 2024-09-10T13:17:06.983Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Cobaltstrike is a possible alias for Nokoyawa. CobaltStrike is a type of malware, or malicious software, that infiltrates systems to exploit and damage them. It can gain access via suspicious downloads, emails, or websites and then steal personal information, disrupt operations, or hold data for ransom. CobaltStrike has been observed in conjunct	3
Jsworm is a possible alias for Nokoyawa. JSWorm is a type of malware, specifically ransomware, that was active from 2019 to 2021. This malicious software was developed and operated by a threat actor known as 'farnetwork', who has used various aliases including farnetworkl, jingo, jsworm, razvrat, piparkuka, and farnetworkit. Farnetwork gai	3
IcedID is a possible alias for Nokoyawa. IcedID is a malicious software (malware) that has been implicated in numerous cybercrime campaigns. It has been associated with other notable malware such as Qakbot, BazarLoader, CobaltStrike, Conti, Gozi, Trickbot, Quantum, Emotet, Pikabot, and SystemBC. Its distribution often involves the use of d	2
Cactus is a possible alias for Nokoyawa. Cactus is a type of malware, specifically ransomware, known for its malicious activities including data theft and system disruption. This malware has been linked to several high-profile attacks, spreading primarily through malvertising campaigns that leverage the DanaBot Trojan. Notably, the Cactus	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Ransomware

Exploit

Extortion

Ransom

Zero Day

RaaS

Botnet

Windows

Kaspersky

Payload

Cybercrime

Encryption

Exploits

Encrypt

Malware

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Farnetwork Malware is associated with Nokoyawa. Farnetwork, a notorious malware operator identified by cybersecurity researchers from Group-IB, has been active in the cybercrime scene since 2019. Known for deploying five different strains of ransomware, including its proprietary strain Nokoyawa, Farnetwork has collaborated with other cybercrimina	is related to	5
The Clop Malware is associated with Nokoyawa. Clop, a malicious software (malware), is linked to a Russian-speaking cybercriminal group also known as Cl0p. It is designed to exploit and damage computer systems by stealing personal information, disrupting operations, or holding data hostage for ransom. In May 2023, the Clop group began exploitin	is related to	4
The Droxidat Malware is associated with Nokoyawa. DroxiDat, a new variant of the SystemBC malware, was deployed in a series of attacks on critical infrastructure targets in Africa during the third and fourth weeks of March. The malware, which acts as a system profiler and simple SOCKS5-capable bot, was specifically detected at an electric utility c	is related to	3
The Conti Malware is associated with Nokoyawa. Conti is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them. Often spreading through suspicious downloads, emails, or websites, it can steal personal information, disrupt operations, or hold data hostage for ransom. Notably, Conti was linked to several ra	is related to	3
The Hive Malware is associated with Nokoyawa. Hive is a form of malware, specifically ransomware, designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, Hive can steal personal information, disrupt operations, or hold data hostag	is related to	2
The Snatch Malware is associated with Nokoyawa. Snatch is a type of malware, specifically a ransomware, that poses significant threats to digital security. This malicious software infiltrates systems typically via suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside a system, Snatch can cause extensive damage, inc	is related to	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Alphv Threat Actor is associated with Nokoyawa. Alphv, also known as BlackCat, is a notable threat actor in the cybersecurity landscape. Originating from Russia, this cybercriminal group has been involved in multiple high-profile ransomware attacks, specifically targeting healthcare providers. They gained significant attention after stealing 5TB	Unspecified	3
The Hive Ransomware Threat Actor is associated with Nokoyawa. Hive ransomware, a prominent threat actor active in 2022, was known for its widespread malicious activities in numerous countries, including the US. The group's modus operandi involved the use of SharpRhino, which upon execution, established persistence and provided remote access to the attackers, e	Unspecified	2

Associated Vulnerabilities

To see the evidence that has resulted in these vulnerability associations, create a free account

Alias Description	Association Type	Votes
The CVE-2023-28252 Vulnerability is associated with Nokoyawa. CVE-2023-28252 is a critical Elevation of Privilege vulnerability, affecting the Windows Common Log File System (CLFS) driver. This flaw was discovered by Kaspersky researchers while investigating zero-day vulnerabilities in Windows aimed at preventing user attacks. The vulnerability presents a sign	has used	3

Source Document References

Information about the Nokoyawa Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Unit42	2 months ago	Threat Assessment: Repellent Scorpius, Distributors of Cicada3301 Ransomware
BankInfoSecurity	8 months ago	On the Increase: Zero-Days Being Exploited in the Wild
CERT-EU	a year ago	ShadowSyndicate: A New Cybercrime Group Linked to 7 Ransomware Families
CERT-EU	10 months ago	The Top 10 Ransomware Groups of 2023
CERT-EU	10 months ago	And that's a wrap for Babuk Tortilla ransomware as free decryptor released • The Register \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #ransomware \| National Cyber Security Consulting
CERT-EU	10 months ago	Babuk Tortilla ransomware decryptor made available \| #ransomware \| #cybercrime \| National Cyber Security Consulting
CERT-EU	a year ago	Ransomware Attackers Abuse Multiple Windows CLFS Driver Zero-Days \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #ransomware \| National Cyber Security Consulting
DARKReading	a year ago	Ransomware Attackers Abuse Multiple Windows CLFS Driver Zero-Days
BankInfoSecurity	a year ago	Breach Roundup: MongoDB Blames Phishing Email for Breach
Securelist	a year ago	Windows CLFS and five exploits used by ransomware operators (Exploit #5 – CVE-2023-28252)
CERT-EU	a year ago	Play Ransomware: SafeBreach Coverage for US-CERT Alert (AA23-352A)
Securelist	a year ago	Kaspersky malware report for Q3 2023
CERT-EU	a year ago	Data breach disclosed by Canadian Nurses Association
CERT-EU	2 years ago	The Bug Report – April 2023 by Trellix – Global Security Mag Online
CERT-EU	a year ago	Play ransomware is now available as Ransomware-as-a-Service
CERT-EU	a year ago	Threat Intelligence Work Reveals Threat Actor Farnetwork Operations
CERT-EU	a year ago	From Concealed to Revealed: Dark Web Slip-Up Exposes Ransomware Mastermind
BankInfoSecurity	a year ago	Breach Roundup: Mr. Cooper Recovers From Hacking Incident
CERT-EU	a year ago	Prolific ransomware crook spills the beans on several operations
CERT-EU	a year ago	Ransomware Mastermind Uncovered After Oversharing on Dark Web