Nokoyawa

Malware Profile Updated 3 months ago
Nokoyawa is a ransomware family. Reporting in this corpus names it alongside a long list of other malware, including Quantum, Royal, BlackBasta, Emotet, IcedID, Cobalt Strike, SVCReady, CargoBay, Pushdo, Minodo, DiceLoader, AresLoader, LummaC2, Vidar, Gozi and Canyon; most of these are loaders, stealers or post-exploitation tools observed in the same intrusion chains rather than code related to Nokoyawa itself. In 2023 that reporting grew to include BlackBasta ransomware and a newly named family referred to as Canyon.

The ransomware has been deployed by more than one group. The ShadowSyndicate cluster described by Group-IB, active since July 16, 2022, has been linked to ransomware activity involving Quantum, Nokoyawa, BlackCat, Royal, Cl0p, Cactus and Play; it relies on post-exploitation frameworks such as Cobalt Strike and Sliver and on loaders such as IcedID and Matanbuchus. The operator known as farnetwork, who previously ran JSWorm, Nemty, Nefilim and Karma, treated Nokoyawa as its own strain. Nokoyawa is also among the ransomware operations cited as exploiting zero-day vulnerabilities in financially motivated attacks, together with Akira, Clop and LockBit.

In August 2023, individuals claiming to be associated with the Snatch extortion blog denied any link to Snatch ransomware, even though victim data posted on that blog appeared alongside victims of other ransomware operations, notably Nokoyawa and Conti.

Researchers have suggested a Russian nexus for Nokoyawa because its encryption routine resembles that of other Russian-linked ransomware such as Hive. Its code lineage runs back to Babuk: at least ten ransomware groups have reused the leaked Babuk source to build spinoff families, including Nokoyawa, AstraLocker 2.0, ESXiArgs, Team Daixin and HelloXD. Of these, ESXiArgs targeted VMware ESXi hypervisors, while Nokoyawa is the one known to have exploited a Windows Common Log File System (CLFS) driver zero-day, CVE-2023-28252, an elevation-of-privilege flaw discovered by Kaspersky and patched by Microsoft in April 2023.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Jsworm | 3 | JSWorm is ransomware that was active from 2019 to 2021. It was developed and operated by a threat actor known as 'farnetwork', who has used various aliases including farnetworkl, jingo, jsworm, razvrat, piparkuka, and farnetworkit. Farnetwork gai
Cobaltstrike | 3 | Cobalt Strike is a commercial adversary-simulation framework whose Beacon payload is widely abused by criminal actors; it has been used in conjunction with IcedID, Qakbot, BazarLoader, Conti, Gozi, Trickbot, Quantum, Emotet, and Royal ransomware. Beacon is typically delivered through suspicious downloads, emails, or websites, ofte
Cactus | 2 | Cactus is ransomware that has been implicated in several high-profile cyber-attacks. It infiltrates systems through deceptive methods such as suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside a system, Cactus c
IcedID | 2 | IcedID is a banking trojan that is now used mainly as a loader for follow-on payloads. It infects systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal credentials and personal information, disrupt operations, or stage the network for ransom
Akira | 1 | Akira is ransomware known for its disruptive and damaging effects. First surfacing in early 2023, it has continued to wreak havoc on various entities, including corporations and industries. This ransomware infects systems through suspicious dow
Lockbit | 1 | LockBit is ransomware, run as a ransomware-as-a-service operation, that infiltrates systems to exploit and damage them. It can enter a system through various channels such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt
Matanbuchus | 1 | Matanbuchus is a malware-as-a-service loader, first documented by Unit 42 in 2021, that is delivered through malspam campaigns and used to drop follow-on payloads. Group-IB lists it among the loaders used by the ShadowSyndicate cluster, which has been active since July 16, 2022.
Helloxd | 1 | None
Emotet | 1 | Emotet is a highly dangerous and insidious malware that has repeatedly resurfaced with increased activity. Originally distributed via email attachments, it infiltrates systems often without the user's knowledge, forming botnets under the control of criminals for large-scale attacks. Once infected,
Gozi | 1 | Gozi is a notorious malware that has been linked to numerous cyber attacks. It is typically delivered through sophisticated malvertising techniques, often in conjunction with other initial-access malware such as the Pikabot botnet agent and the IcedID loader. When an individual accesses a c
Nefilim | 1 | Nefilim is ransomware that has been responsible for significant cyber threats globally. It infiltrates systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data hostage for ransom. Between 2019 and 2021,
Exsiargs | 1 | ESXiArgs is a ransomware strain that targets VMware ESXi hypervisors, encrypting virtual machine files and demanding payment for their release. ESXiArgs is one of many threats developed from the leaked Babuk code
Rorschach | 1 | Rorschach, also known as BabLock, is ransomware recognized for its speed and sophistication. It encrypts files on infected systems at an unprecedented rate, with Check Point researchers noting it as one of the fastest ransomware variants ever observe
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Exploit
Extortion
RaaS
Ransom
Zero Day
Botnet
Exploits
Malware
Encryption
Encrypt
Cybercrime
Payload
Kaspersky
Windows
Rust
Helloxd
flaw
Moveit
Apt
Microsoft
CISA
Locker
Associated Malware
ID | Type | Votes | Profile Description
Farnetwork | is related to | 5 | Farnetwork, a ransomware operator profiled by cybersecurity researchers from Group-IB, has been active in the cybercrime scene since 2019. Known for deploying five different strains of ransomware, including its own strain Nokoyawa, Farnetwork has collaborated with other cybercrimina
Clop | is related to | 4 | Clop is ransomware known for its disruptive and damaging effects on computer systems. It primarily infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, Clop can steal personal information, disrupt o
Conti | is related to | 3 | Conti is ransomware known for its ability to disrupt operations, steal personal information, and hold data hostage for ransom. It infiltrates systems via suspicious downloads, emails, or websites, often unbeknownst to the user. It has been used in
Droxidat | is related to | 3 | DroxiDat, a new variant of the SystemBC malware, was deployed in a series of attacks on critical infrastructure targets in Africa during the third and fourth weeks of March. The malware, which acts as a system profiler and simple SOCKS5-capable bot, was specifically detected at an electric utility c
Hive | is related to | 2 | Hive is a ransomware operation whose encryption routine has been compared with Nokoyawa's, which is one reason researchers suggest a Russian nexus for Nokoyawa. The Hive operation was disrupted when the FBI infiltrated its infrastructure (see the Hive Ransomware Gang entry in this table).
Snatch | is related to | 2 | Snatch is ransomware designed to infiltrate systems undetected, often through suspicious downloads, emails, or websites. Once inside the system, it can wreak havoc by stealing personal information, disrupting operations, or holding data hostage for ransom. The Snatch
Hive Ransomware Gang | is related to | 1 | The Hive ransomware gang, a malicious group known for exploiting and damaging computer systems through harmful software, was significantly disrupted by the Federal Bureau of Investigation (FBI) in a series of operations. Six months ago, according to the US Department of Justice (DOJ), the FBI infilt
Diceloader | is related to | 1 | Diceloader is malware designed to infiltrate and damage computer systems. It can infect systems through various means such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside a system, it can steal personal in
Blackbasta | is related to | 1 | BlackBasta is ransomware known for its disruptive and damaging effects on computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even ho
Minodo | is related to | 1 | Minodo is malware designed to exploit and damage computer systems. It can infiltrate a system through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data h
Aresloader | is related to | 1 | AresLoader is malware that was first advertised for sale on the top-tier Russian-language hacking forum XSS in December 2022 by a threat actor named "DarkBLUP". It is designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emai
Vidar | is related to | 1 | Vidar is a Windows-based malware written in C++, derived from the Arkei stealer, which is designed to infiltrate and exploit computer systems. It has been used alongside other malware variants such as Emotet, IcedID, CobaltStrike, SVCReady, CargoBay, Pushdo, Minodo, DiceLoader, AresLoader, LummaC2,
Lummac2 | is related to | 1 | LummaC2 is a relatively new information-stealing malware, first discovered in 2022. It has been under active development, with researchers identifying LummaC2 4.0 as a dynamic malware strain in November 2023. It has been used by threat actors for initial access or data theft, often
Forest | Unspecified | 1 | Forest here refers to the Active Directory forest rather than to a malware family: a Golden Ticket (a forged Kerberos TGT) is used to obtain service tickets (TGS) for resources across the domain, and SID History extends that access to the entire AD forest.
Nemty | Unspecified | 1 | Nemty is ransomware that infiltrates systems to exploit and damage them. It was developed by a cybercriminal group known as farnetwork, which has been active since 2019. Farnetwork has been involved in several ransomware projects, including JSWORM, Nefilim, Karma, an
Farnetworkit | Unspecified | 1 | Farnetworkit is one of the aliases of the farnetwork ransomware operator, who has been active since 2019 under names including farnetworkl, jingo, jsworm, razvrat, piparkuka, and farnetwork. This actor has been involved in several ransomware projects including JSWORM, Karma, Nemty, and Nefilim. Farnetworkit
Babuk | Unspecified | 1 | Babuk is ransomware designed to infiltrate systems and hold data hostage for ransom. It can be delivered through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside a system, Babuk can disrupt operations and steal perso
Astralocker | Unspecified | 1 | AstraLocker is ransomware that was discovered by researchers from ReversingLabs last year. It is a new strain derived from the Babuk ransomware-as-a-service, which has been used as a basis for several other spinoff families such as Nokoyawa, AstraLocker 2.0, ESXi
Associated Threat Actors
ID | Type | Votes | Profile Description
Hive Ransomware | Unspecified | 2 | Hive ransomware, a notorious threat actor, emerged as one of the most prolific groups in 2022, executing a series of cyberattacks with malicious intent. This group was responsible for numerous ransomware attacks, causing significant disruptions and damage across various sectors. However, in January
Alphv | Unspecified | 2 | AlphV, also known as BlackCat, is a notable threat actor in the cybersecurity landscape. This group has been involved in numerous high-profile attacks, including stealing 5TB of data from Morrison Community Hospital and compromising Clarion, a global manufacturer of audio and video equipment for car
fin11 | Unspecified | 1 | FIN11, a threat actor group also known as Lace Tempest or TA505, has been linked to the development and deployment of Cl0p ransomware. This malicious software is believed to be a variant of another ransomware, CryptoMix, and is typically used by FIN11 to encrypt files on a victim's network after ste
Bianlian | Unspecified | 1 | BianLian is a threat actor that has been increasingly active in cybercrimes. The group is known for its malicious activities, including the execution of actions with harmful intent. In a series of recent events, BianLian has exploited vulnerabilities in JetBrains TeamCity, a continuous integration a
DarkSide | Unspecified | 1 | DarkSide is a notable threat actor that emerged in the cybersecurity landscape with its advanced ransomware operations. In 2021, the group gained significant attention for its attack on the United States' largest oil pipeline, Colonial Pipeline, causing a temporary halt to all operations for three d
FIN7 | Unspecified | 1 | FIN7, a notorious threat actor group known for its malicious activities, has recently been identified as targeting a large U.S. carmaker with phishing attacks. This group, which has previously operated behind fake cybersecurity companies such as Combi Security and Bastion Secure to recruit security
Qilin | Unspecified | 1 | Qilin, a notable threat actor in the cybersecurity landscape, has been significantly active over the last two years, compromising more than 150 organizations across 25 countries and various industries. Originally evolving from the Agenda ransomware written in Go, Qilin has since transitioned to Rust
Shadowsyndicate | Unspecified | 1 | ShadowSyndicate is a cybercrime cluster that Group-IB dates to July 16, 2022. It has been linked to seven ransomware families, including Quantum, Nokoyawa, BlackCat, Royal, Cl0p, Cactus and Play, and relies on tooling such as Cobalt Strike, Sliver, IcedID and Matanbuchus.
Associated Vulnerabilities
ID | Type | Votes | Profile Description
CVE-2023-28252 | has used | 3 | CVE-2023-28252 is an elevation-of-privilege vulnerability (CVSS 7.8) in the Windows Common Log File System (CLFS) driver. Kaspersky researchers discovered it while investigating attacks on their customers, where it was already being exploited as a zero-day to deploy Nokoyawa ransomware. Microsoft patched it in April 2023 and CISA added it to its Known Exploited Vulnerabilities catalog.
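Profiles like this one are typically exchanged as STIX 2.1 bundles. The block below is an added example, not the profile's own export or any vendor's code: it encodes the associations on this page (the Nokoyawa family, its Babuk lineage, CVE-2023-28252, the farnetwork operator and the ShadowSyndicate cluster) as STIX objects and then checks that every relationship resolves and uses a sensible source/target pairing. The UUIDv5 namespace, the timestamp, the choice of object types for each entry and the relationship allow-list are this example's own assumptions, not something the page specifies.

```python
"""Encode the Nokoyawa profile's associations as a STIX 2.1 bundle and check it.

Added example for this page; it is not the profile's own STIX export.
Assumptions (not from the page): the UUIDv5 namespace, the timestamp, the STIX
object types chosen for each entry, and the relationship allow-list below.
"""
import json
import uuid

# Hypothetical producer namespace; a real feed would use its own constant.
NAMESPACE = uuid.uuid5(uuid.NAMESPACE_URL, "https://example.invalid/nokoyawa-profile")
TS = "2023-04-11T00:00:00.000Z"  # constructed; STIX 2.1 wants millisecond precision and a Z suffix

# (source type, relationship_type, target type) pairings this example accepts;
# all four are pairings the STIX 2.1 specification defines.
VALID_RELATIONSHIPS = {
    ("malware", "exploits", "vulnerability"),
    ("malware", "variant-of", "malware"),
    ("threat-actor", "uses", "malware"),
    ("intrusion-set", "uses", "malware"),
}


def stix_id(obj_type, key):
    """Deterministic STIX identifier <type>--<uuidv5>, so re-runs yield the same ids."""
    return f"{obj_type}--{uuid.uuid5(NAMESPACE, f'{obj_type}:{key}')}"


def sdo(obj_type, name, **props):
    """STIX Domain Object with the common required properties filled in."""
    obj = {"type": obj_type, "spec_version": "2.1", "id": stix_id(obj_type, name),
           "created": TS, "modified": TS, "name": name}
    obj.update(props)
    return obj


def relationship(rel_type, source, target):
    """STIX Relationship Object pointing from source to target."""
    key = f"{source['id']}|{rel_type}|{target['id']}"
    return {"type": "relationship", "spec_version": "2.1",
            "id": stix_id("relationship", key), "created": TS, "modified": TS,
            "relationship_type": rel_type,
            "source_ref": source["id"], "target_ref": target["id"]}


def build_bundle():
    nokoyawa = sdo("malware", "Nokoyawa", is_family=True, malware_types=["ransomware"])
    babuk = sdo("malware", "Babuk", is_family=True, malware_types=["ransomware"])
    clfs = sdo("vulnerability", "CVE-2023-28252",
               description="Windows CLFS driver elevation-of-privilege zero-day",
               external_references=[{"source_name": "cve", "external_id": "CVE-2023-28252"}])
    farnetwork = sdo("threat-actor", "farnetwork", threat_actor_types=["criminal"],
                     aliases=["farnetworkl", "jingo", "jsworm", "razvrat", "piparkuka", "farnetworkit"])
    shadow = sdo("intrusion-set", "ShadowSyndicate", first_seen="2022-07-16T00:00:00.000Z")
    objects = [nokoyawa, babuk, clfs, farnetwork, shadow,
               relationship("exploits", nokoyawa, clfs),
               relationship("variant-of", nokoyawa, babuk),
               relationship("uses", farnetwork, nokoyawa),
               relationship("uses", shadow, nokoyawa)]
    return {"type": "bundle", "id": stix_id("bundle", "nokoyawa-profile"), "objects": objects}


def check_bundle(bundle):
    """Return a list of problems; empty when the bundle is internally consistent."""
    problems = []
    by_id = {o["id"]: o for o in bundle["objects"]}
    if len(by_id) != len(bundle["objects"]):
        problems.append("duplicate object ids")
    for o in bundle["objects"]:
        if not o["id"].startswith(o["type"] + "--"):
            problems.append(f"id prefix does not match type: {o['id']}")
        if o["type"] != "relationship":
            continue
        src, dst = by_id.get(o["source_ref"]), by_id.get(o["target_ref"])
        if src is None or dst is None:
            problems.append(f"dangling ref in {o['id']}")
            continue
        triple = (src["type"], o["relationship_type"], dst["type"])
        if triple not in VALID_RELATIONSHIPS:
            problems.append(f"unexpected relationship {' '.join(triple)}")
    return problems


def to_json(bundle):
    return json.dumps(bundle, indent=2, sort_keys=True)


if __name__ == "__main__":
    b = build_bundle()
    print(to_json(b))
    print("problems:", check_bundle(b) or "none")
```

Deterministic ids are the point of the uuid5 construction: a consumer that ingests this bundle twice gets the same five SDOs and four SROs rather than duplicates, and the allow-list check catches the modelling mistakes that creep into hand-built feeds, such as a relationship whose target was never added to the bundle or a malware object that "uses" a vulnerability instead of exploiting it.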
Source Document References
Information about the Nokoyawa malware was read from the documents corpus below (display limited to 20 results).
Source | Created at | Title
BankInfoSecurity
4 months ago
On the Increase: Zero-Days Being Exploited in the Wild
CERT-EU
10 months ago
ShadowSyndicate: A New Cybercrime Group Linked to 7 Ransomware Families
CERT-EU
6 months ago
The Top 10 Ransomware Groups of 2023
CERT-EU
6 months ago
And that's a wrap for Babuk Tortilla ransomware as free decryptor released • The Register | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU
6 months ago
Babuk Tortilla ransomware decryptor made available | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU
7 months ago
Ransomware Attackers Abuse Multiple Windows CLFS Driver Zero-Days | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
DARKReading
7 months ago
Ransomware Attackers Abuse Multiple Windows CLFS Driver Zero-Days
BankInfoSecurity
7 months ago
Breach Roundup: MongoDB Blames Phishing Email for Breach
Securelist
7 months ago
Windows CLFS and five exploits used by ransomware operators (Exploit #5 – CVE-2023-28252)
CERT-EU
7 months ago
Play Ransomware: SafeBreach Coverage for US-CERT Alert (AA23-352A)
Securelist
8 months ago
Kaspersky malware report for Q3 2023
CERT-EU
10 months ago
Data breach disclosed by Canadian Nurses Association
CERT-EU
a year ago
The Bug Report – April 2023 by Trellix – Global Security Mag Online
CERT-EU
8 months ago
Play ransomware is now available as Ransomware-as-a-Service
CERT-EU
8 months ago
Threat Intelligence Work Reveals Threat Actor Farnetwork Operations
CERT-EU
8 months ago
From Concealed to Revealed: Dark Web Slip-Up Exposes Ransomware Mastermind
BankInfoSecurity
8 months ago
Breach Roundup: Mr. Cooper Recovers From Hacking Incident
CERT-EU
8 months ago
Prolific ransomware crook spills the beans on several operations
CERT-EU
8 months ago
Ransomware Mastermind Uncovered After Oversharing on Dark Web
DARKReading
8 months ago
Ransomware Mastermind Uncovered After Oversharing on Dark Web