Nokoyawa

Malware updated a month ago (2024-11-29T13:32:41.430Z)
Download STIX
Preview STIX
Nokoyawa is a prominent malware, specifically ransomware, that has been linked to numerous cybercrime activities since it first emerged in 2022. It has been associated with various other malware families including Quantum, Royal, BlackBasta, and a variety of others such as Emotet, IcedID, CobaltStrike, SVCReady, CargoBay, Pushdo, Minodo, DiceLoader, AresLoader, LummaC2, Vidar, Gozi, Canyon, among others. This malicious software has been utilized by threat actors to exploit and damage computer systems, often leading to data theft, disruption of operations, or holding data hostage for ransom. The malware has also been linked to notable ransomware groups like Bashful Scorpius (aka Nokoyawa) and Ambitious Scorpius (aka ALPHV/BlackCat) in 2023. Throughout 2023, Nokoyawa and its related ransomware strains expanded their reach through affiliations with several other malware families, including BlackBasta ransomware, Minodo, Diceloader, a new malware family named Canyon, Aresloader, and the information stealers Vidar and LummaC2. Security experts have suggested potential links between Nokoyawa and Russian-linked ransomware groups due to similarities in encryption techniques. Furthermore, Nokoyawa was one of the malware types exploited by multiple ransomware groups, including Akira, Clop, LockBit, and others, leveraging zero-day vulnerabilities. The Nokoyawa ransomware group notably exploited a Windows Common Log File System zero-day, identified as CVE-2023-28252, as reported by Kaspersky in April 2023. Other offshoots of Nokoyawa include ESXiArgs, which targeted VMware hypervisors, and Rorschach, a mix of different ransomwares that appeared in April 2023. The malware has also been linked to the activities of ransomware groups Hive and Play, suggesting a potential affiliation. As of now, Nokoyawa continues to pose a significant cybersecurity threat due to its widespread use and evolving strategies.
Description last updated: 2024-09-10T13:17:06.983Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Cobaltstrike is a possible alias for Nokoyawa. CobaltStrike is a type of malware, or malicious software, that infiltrates systems to exploit and damage them. It can gain access via suspicious downloads, emails, or websites and then steal personal information, disrupt operations, or hold data for ransom. CobaltStrike has been observed in conjunct
3
Jsworm is a possible alias for Nokoyawa. JSWorm is a type of malware, specifically ransomware, that was active from 2019 to 2021. This malicious software was developed and operated by a threat actor known as 'farnetwork', who has used various aliases including farnetworkl, jingo, jsworm, razvrat, piparkuka, and farnetworkit. Farnetwork gai
3
IcedID is a possible alias for Nokoyawa. IcedID is a malicious software (malware) that has been implicated in numerous cybercrime campaigns. It has been associated with other notable malware such as Qakbot, BazarLoader, CobaltStrike, Conti, Gozi, Trickbot, Quantum, Emotet, Pikabot, and SystemBC. Its distribution often involves the use of d
2
Cactus is a possible alias for Nokoyawa. Cactus is a type of malware, specifically ransomware, known for its malicious activities including data theft and system disruption. This malware has been linked to several high-profile attacks, spreading primarily through malvertising campaigns that leverage the DanaBot Trojan. Notably, the Cactus
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Exploit
Extortion
Ransom
Zero Day
RaaS
Botnet
Windows
Kaspersky
Payload
Cybercrime
Encryption
Exploits
Encrypt
Malware
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Farnetwork Malware is associated with Nokoyawa. Farnetwork, a notorious malware operator identified by cybersecurity researchers from Group-IB, has been active in the cybercrime scene since 2019. Known for deploying five different strains of ransomware, including its proprietary strain Nokoyawa, Farnetwork has collaborated with other cybercriminais related to
5
The Clop Malware is associated with Nokoyawa. Clop, a malicious software (malware), is linked to a Russian-speaking cybercriminal group also known as Cl0p. It is designed to exploit and damage computer systems by stealing personal information, disrupting operations, or holding data hostage for ransom. In May 2023, the Clop group began exploitinis related to
4
The Droxidat Malware is associated with Nokoyawa. DroxiDat, a new variant of the SystemBC malware, was deployed in a series of attacks on critical infrastructure targets in Africa during the third and fourth weeks of March. The malware, which acts as a system profiler and simple SOCKS5-capable bot, was specifically detected at an electric utility cis related to
3
The Conti Malware is associated with Nokoyawa. Conti is a type of malware, specifically ransomware, which is designed to infiltrate and damage computer systems. This malicious software can enter systems through various methods such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personais related to
3
The Hive Malware is associated with Nokoyawa. Hive is a form of malware, specifically ransomware, designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, Hive can steal personal information, disrupt operations, or hold data hostagis related to
2
The Snatch Malware is associated with Nokoyawa. Snatch is a type of malware, specifically a ransomware, that poses significant threats to digital security. This malicious software infiltrates systems typically via suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside a system, Snatch can cause extensive damage, incis related to
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Alphv Threat Actor is associated with Nokoyawa. Alphv, also known as BlackCat, is a threat actor group that has been linked to numerous cyberattacks, particularly targeting the healthcare sector. The group made headlines when it stole 5TB of data from Morrison Community Hospital, causing significant disruption and raising concerns about patient pUnspecified
3
The Hive Ransomware Threat Actor is associated with Nokoyawa. Hive ransomware, a prominent threat actor active in 2022, was known for its widespread malicious activities in numerous countries, including the US. The group's modus operandi involved the use of SharpRhino, which upon execution, established persistence and provided remote access to the attackers, eUnspecified
2
Associated Vulnerabilities
To see the evidence that has resulted in these vulnerability associations, create a free account
Alias DescriptionAssociation TypeVotes
The CVE-2023-28252 Vulnerability is associated with Nokoyawa. CVE-2023-28252 is a critical Elevation of Privilege vulnerability, affecting the Windows Common Log File System (CLFS) driver. This flaw was discovered by Kaspersky researchers while investigating zero-day vulnerabilities in Windows aimed at preventing user attacks. The vulnerability presents a signhas used
3
Source Document References
Information about the Nokoyawa Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
Unit42
3 months ago
BankInfoSecurity
9 months ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
DARKReading
a year ago
BankInfoSecurity
a year ago
Securelist
a year ago
CERT-EU
a year ago
Securelist
a year ago
CERT-EU
a year ago
CERT-EU
2 years ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
BankInfoSecurity
a year ago
CERT-EU
a year ago
CERT-EU
a year ago