Nokoyawa

Malware updated 4 months ago (2024-05-04T17:05:55.776Z)
Nokoyawa is a notorious malware family, known primarily for its ransomware capabilities. It has been associated with a range of other malicious software, including Quantum, Royal, BlackBasta, Emotet, IcedID, CobaltStrike, SVCReady, CargoBay, Pushdo, Minodo, DiceLoader, AresLoader, LummaC2, Vidar, Gozi, Canyon, and others. The Nokoyawa ransomware strain has been used by several threat actors and has been linked to ransomware activity involving the Quantum, Nokoyawa, BlackCat, Royal, Cl0p, Cactus, and Play strains, among others. In 2023, activity involving Nokoyawa expanded to include additional malware families such as BlackBasta ransomware and a new family dubbed Canyon.

The actor associated with Nokoyawa has been active since July 16, 2022, and has employed post-exploitation tools such as Cobalt Strike and Sliver, as well as loaders such as IcedID and Matanbuchus. This actor has exploited zero-day vulnerabilities in cybercrime activity, alongside other ransomware groups such as Akira, Clop, LockBit, and Nokoyawa. In August 2023, individuals claiming to be associated with a leak blog denied links to Snatch ransomware, even though victims' data appeared on the blog alongside victims of other ransomware groups, notably Nokoyawa and Conti.

Security experts suggest that Nokoyawa may have links to Russia because of similarities between its encryption techniques and those of other Russian-linked ransomware groups such as Hive. At least ten other ransomware groups are believed to have taken Babuk's code and used it to create spinoff families, including Nokoyawa, AstraLocker 2.0, ESXiArgs, Team Daixin, and HelloXD, among others. Notable descendants include Nokoyawa, which exploited a Windows Common Log File System (CLFS) zero-day, and ESXiArgs, which targeted VMware hypervisors. The Nokoyawa ransomware group has also been found to exploit CVE-2023-28252.
Description last updated: 2024-03-27T19:15:51.810Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Cobaltstrike (3 votes)
CobaltStrike is a type of malware, or malicious software, that infiltrates systems to exploit and damage them. It can gain access via suspicious downloads, emails, or websites and then steal personal information, disrupt operations, or hold data for ransom. CobaltStrike has been observed in conjunct

Jsworm (3 votes)
JSWorm is a type of malware, specifically ransomware, that was active from 2019 to 2021. This malicious software was developed and operated by a threat actor known as 'farnetwork', who has used various aliases including farnetworkl, jingo, jsworm, razvrat, piparkuka, and farnetworkit. Farnetwork gai

IcedID (2 votes)
IcedID is a malicious software (malware) that has been linked to various cybercrime operations. The malware can infiltrate systems via suspicious downloads, emails, or websites and proceed to steal personal information, disrupt operations, or hold data for ransom. IcedID has been associated with oth

Cactus (2 votes)
Cactus is a malicious software (malware) that infiltrates systems to exploit and damage them. This malware, often delivered through suspicious downloads, emails, or websites, can steal personal information, disrupt operations, or hold data hostage for ransom. Cactus has been used in several high-pro
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Exploit
Extortion
Ransom
Zero Day
RaaS
Botnet
Malware
Kaspersky
Payload
Cybercrime
Encryption
Windows
Exploits
Encrypt
Associated Malware
Farnetwork (is related to, 5 votes)
Farnetwork, a notorious malware operator identified by cybersecurity researchers from Group-IB, has been active in the cybercrime scene since 2019. Known for deploying five different strains of ransomware, including its proprietary strain Nokoyawa, Farnetwork has collaborated with other cybercrimina

Clop (is related to, 4 votes)
Clop, also known as Cl0p, is a notorious ransomware group responsible for several high-profile cyberattacks. The group specializes in exploiting vulnerabilities in software and systems to gain unauthorized access, exfiltrate sensitive data, and then extort victims by threatening to release the stole

Droxidat (is related to, 3 votes)
DroxiDat, a new variant of the SystemBC malware, was deployed in a series of attacks on critical infrastructure targets in Africa during the third and fourth weeks of March. The malware, which acts as a system profiler and simple SOCKS5-capable bot, was specifically detected at an electric utility c

Conti (is related to, 3 votes)
Conti is a notorious malware and ransomware operation that has caused significant damage to computer systems worldwide. The Conti group, believed to have around 200 employees, operated like a regular business, with internal communications revealing the organization's structure and operations. It was

Snatch (is related to, 2 votes)
Snatch is a type of malware, specifically a ransomware, that poses significant threats to digital security. This malicious software infiltrates systems typically via suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside a system, Snatch can cause extensive damage, inc

Hive (is related to, 2 votes)
Hive is a malicious software (malware) that has been used by the cybercriminal group, Hunters International, to launch ransomware attacks since October of last year. The group operates as a ransomware-as-a-service (RaaS) provider, spreading Hive rapidly through collaborations with less sophisticated
Associated Threat Actors
Hive Ransomware (relationship unspecified, 2 votes)
Hive ransomware, a notorious threat actor, emerged as one of the most prolific groups in 2022, executing a series of cyberattacks with malicious intent. This group was responsible for numerous ransomware attacks, causing significant disruptions and damage across various sectors. However, in January

Alphv (relationship unspecified, 2 votes)
Alphv is a threat actor group known for its malicious activities in the cyber world. They have been particularly active in deploying ransomware attacks, with one of their most significant actions being the theft of 5TB of data from Morrison Community Hospital. This act not only disrupted hospital op
Associated Vulnerabilities
CVE-2023-28252 (has used, 3 votes)
CVE-2023-28252 is a critical Elevation of Privilege vulnerability found in the Windows Common Log File System (CLFS) driver. This flaw was discovered by Kaspersky researchers while preventing attacks on users, marking it as a zero-day vulnerability. The vulnerability presents a significant risk with
Source Document References
Information about the Nokoyawa malware was read from the source documents listed below (display limited to 20 results).
Source (created): Title

BankInfoSecurity (5 months ago): On the Increase: Zero-Days Being Exploited in the Wild
CERT-EU (a year ago): ShadowSyndicate: A New Cybercrime Group Linked to 7 Ransomware Families
CERT-EU (8 months ago): The Top 10 Ransomware Groups of 2023
CERT-EU (8 months ago): And that's a wrap for Babuk Tortilla ransomware as free decryptor released • The Register | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU (8 months ago): Babuk Tortilla ransomware decryptor made available | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU (9 months ago): Ransomware Attackers Abuse Multiple Windows CLFS Driver Zero-Days | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
DARKReading (9 months ago): Ransomware Attackers Abuse Multiple Windows CLFS Driver Zero-Days
BankInfoSecurity (9 months ago): Breach Roundup: MongoDB Blames Phishing Email for Breach
Securelist (9 months ago): Windows CLFS and five exploits used by ransomware operators (Exploit #5 – CVE-2023-28252)
CERT-EU (9 months ago): Play Ransomware: SafeBreach Coverage for US-CERT Alert (AA23-352A)
Securelist (9 months ago): Kaspersky malware report for Q3 2023
CERT-EU (a year ago): Data breach disclosed by Canadian Nurses Association
CERT-EU (a year ago): The Bug Report – April 2023 by Trellix – Global Security Mag Online
CERT-EU (10 months ago): Play ransomware is now available as Ransomware-as-a-Service
CERT-EU (10 months ago): Threat Intelligence Work Reveals Threat Actor Farnetwork Operations
CERT-EU (10 months ago): From Concealed to Revealed: Dark Web Slip-Up Exposes Ransomware Mastermind
BankInfoSecurity (10 months ago): Breach Roundup: Mr. Cooper Recovers From Hacking Incident
CERT-EU (10 months ago): Prolific ransomware crook spills the beans on several operations
CERT-EU (10 months ago): Ransomware Mastermind Uncovered After Oversharing on Dark Web
DARKReading (10 months ago): Ransomware Mastermind Uncovered After Oversharing on Dark Web