Nokoyawa

Malware updated a month ago (2024-09-10T13:17:46.884Z)

Download STIX

Preview STIX

Nokoyawa is a prominent malware, specifically ransomware, that has been linked to numerous cybercrime activities since it first emerged in 2022. It has been associated with various other malware families including Quantum, Royal, BlackBasta, and a variety of others such as Emotet, IcedID, CobaltStrike, SVCReady, CargoBay, Pushdo, Minodo, DiceLoader, AresLoader, LummaC2, Vidar, Gozi, Canyon, among others. This malicious software has been utilized by threat actors to exploit and damage computer systems, often leading to data theft, disruption of operations, or holding data hostage for ransom. The malware has also been linked to notable ransomware groups like Bashful Scorpius (aka Nokoyawa) and Ambitious Scorpius (aka ALPHV/BlackCat) in 2023. Throughout 2023, Nokoyawa and its related ransomware strains expanded their reach through affiliations with several other malware families, including BlackBasta ransomware, Minodo, Diceloader, a new malware family named Canyon, Aresloader, and the information stealers Vidar and LummaC2. Security experts have suggested potential links between Nokoyawa and Russian-linked ransomware groups due to similarities in encryption techniques. Furthermore, Nokoyawa was one of the malware types exploited by multiple ransomware groups, including Akira, Clop, LockBit, and others, leveraging zero-day vulnerabilities. The Nokoyawa ransomware group notably exploited a Windows Common Log File System zero-day, identified as CVE-2023-28252, as reported by Kaspersky in April 2023. Other offshoots of Nokoyawa include ESXiArgs, which targeted VMware hypervisors, and Rorschach, a mix of different ransomwares that appeared in April 2023. The malware has also been linked to the activities of ransomware groups Hive and Play, suggesting a potential affiliation. As of now, Nokoyawa continues to pose a significant cybersecurity threat due to its widespread use and evolving strategies.

Description last updated: 2024-09-10T13:17:06.983Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Cobaltstrike is a possible alias for Nokoyawa. CobaltStrike is a type of malware, or malicious software, that infiltrates systems to exploit and damage them. It can gain access via suspicious downloads, emails, or websites and then steal personal information, disrupt operations, or hold data for ransom. CobaltStrike has been observed in conjunct	3
Jsworm is a possible alias for Nokoyawa. JSWorm is a type of malware, specifically ransomware, that was active from 2019 to 2021. This malicious software was developed and operated by a threat actor known as 'farnetwork', who has used various aliases including farnetworkl, jingo, jsworm, razvrat, piparkuka, and farnetworkit. Farnetwork gai	3
IcedID is a possible alias for Nokoyawa. IcedID is a prominent malware that has been utilized in various cyber-attacks. It functions as a malicious software designed to infiltrate and damage computer systems, often through suspicious downloads, emails, or websites. Once inside a system, IcedID can steal personal information, disrupt operat	2
Cactus is a possible alias for Nokoyawa. Cactus is a malicious software (malware) known for its destructive capabilities, particularly in the form of ransomware attacks. It primarily infiltrates systems through suspicious downloads, emails, or websites and can cause severe damage by stealing personal information, disrupting operations, or	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Ransomware

Clop

Exploit

Extortion

Ransom

Zero Day

RaaS

Botnet

Windows

Kaspersky

Payload

Cybercrime

Encryption

Exploits

Encrypt

Malware

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Farnetwork Malware is associated with Nokoyawa. Farnetwork, a notorious malware operator identified by cybersecurity researchers from Group-IB, has been active in the cybercrime scene since 2019. Known for deploying five different strains of ransomware, including its proprietary strain Nokoyawa, Farnetwork has collaborated with other cybercrimina	is related to	5
The Droxidat Malware is associated with Nokoyawa. DroxiDat, a new variant of the SystemBC malware, was deployed in a series of attacks on critical infrastructure targets in Africa during the third and fourth weeks of March. The malware, which acts as a system profiler and simple SOCKS5-capable bot, was specifically detected at an electric utility c	is related to	3
The Conti Malware is associated with Nokoyawa. Conti is a notorious type of malware, specifically ransomware, that infiltrates computer systems to steal data and disrupt operations. The malicious software often spreads through suspicious downloads, emails, or websites, and once inside, it can hold data hostage for ransom. The Conti ransomware op	is related to	3
The Hive Malware is associated with Nokoyawa. Hive is a form of malware, specifically ransomware, that infiltrates computer systems to exploit and damage them. It gained notoriety when it was used by the cybercriminal group Volt Typhoon to exfiltrate NTDS.dit and SYSTEM registry hive data, allowing them to crack passwords offline. This malware	is related to	2
The Snatch Malware is associated with Nokoyawa. Snatch is a type of malware, specifically a ransomware, that poses significant threats to digital security. This malicious software infiltrates systems typically via suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside a system, Snatch can cause extensive damage, inc	is related to	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Alphv Threat Actor is associated with Nokoyawa. AlphV, also known as BlackCat, is a notorious threat actor that has been active since November 2021. This group pioneered the public leaks business model and has been associated with various ransomware families, including Akira, LockBit, Play, and Basta. AlphV gained significant attention for its la	Unspecified	3
The Hive Ransomware Threat Actor is associated with Nokoyawa. Hive ransomware, a prominent threat actor active in 2022, was known for its widespread malicious activities in numerous countries, including the US. The group's modus operandi involved the use of SharpRhino, which upon execution, established persistence and provided remote access to the attackers, e	Unspecified	2

Associated Vulnerabilities

To see the evidence that has resulted in these vulnerability associations, create a free account

Alias Description	Association Type	Votes
The CVE-2023-28252 Vulnerability is associated with Nokoyawa. CVE-2023-28252 is a critical Elevation of Privilege vulnerability, affecting the Windows Common Log File System (CLFS) driver. This flaw was discovered by Kaspersky researchers while investigating zero-day vulnerabilities in Windows aimed at preventing user attacks. The vulnerability presents a sign	has used	3

Source Document References

Information about the Nokoyawa Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Unit42	a month ago	Threat Assessment: Repellent Scorpius, Distributors of Cicada3301 Ransomware
BankInfoSecurity	7 months ago	On the Increase: Zero-Days Being Exploited in the Wild
CERT-EU	a year ago	ShadowSyndicate: A New Cybercrime Group Linked to 7 Ransomware Families
CERT-EU	9 months ago	The Top 10 Ransomware Groups of 2023
CERT-EU	10 months ago	And that's a wrap for Babuk Tortilla ransomware as free decryptor released • The Register \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #ransomware \| National Cyber Security Consulting
CERT-EU	10 months ago	Babuk Tortilla ransomware decryptor made available \| #ransomware \| #cybercrime \| National Cyber Security Consulting
CERT-EU	10 months ago	Ransomware Attackers Abuse Multiple Windows CLFS Driver Zero-Days \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #ransomware \| National Cyber Security Consulting
DARKReading	10 months ago	Ransomware Attackers Abuse Multiple Windows CLFS Driver Zero-Days
BankInfoSecurity	10 months ago	Breach Roundup: MongoDB Blames Phishing Email for Breach
Securelist	10 months ago	Windows CLFS and five exploits used by ransomware operators (Exploit #5 – CVE-2023-28252)
CERT-EU	10 months ago	Play Ransomware: SafeBreach Coverage for US-CERT Alert (AA23-352A)
Securelist	a year ago	Kaspersky malware report for Q3 2023
CERT-EU	a year ago	Data breach disclosed by Canadian Nurses Association
CERT-EU	a year ago	The Bug Report – April 2023 by Trellix – Global Security Mag Online
CERT-EU	a year ago	Play ransomware is now available as Ransomware-as-a-Service
CERT-EU	a year ago	Threat Intelligence Work Reveals Threat Actor Farnetwork Operations
CERT-EU	a year ago	From Concealed to Revealed: Dark Web Slip-Up Exposes Ransomware Mastermind
BankInfoSecurity	a year ago	Breach Roundup: Mr. Cooper Recovers From Hacking Incident
CERT-EU	a year ago	Prolific ransomware crook spills the beans on several operations
CERT-EU	a year ago	Ransomware Mastermind Uncovered After Oversharing on Dark Web