
The Nokoyawa Ransomware Group: Everything You Should Be Aware of


By Esme Greene

Aug 10, 2023
Nokoyawa Ransomware Group: Key Insights

This week, 24 more victims were disclosed by Nokoyawa Leaks, the Nokoyawa ransomware group’s official messaging channel.

Nokoyawa 2.0, the group’s most recent iteration, is written in the fast Rust programming language and features improved file encryption capabilities.

The Nokoyawa ransomware group’s history and tactics are summarized below.

Ransomware Group Nokoyawa: History

Nokoyawa, a ransomware built for 64-bit Windows, first appeared in February 2022. Researchers quickly spotted traces of the Hive ransomware in the newcomer.

The Hive ransomware, which attacked over 300 companies in just four months in the second half of 2021, drew a lot of attention. The group is believed to have collected substantial revenue, possibly in the millions of US dollars.

Researchers from Trend Micro discovered a link between Hive and the less well-known Nokoyawa ransomware organization in March 2022.

The Similarities

The similarities between the two ransomware families, from the tools used to the order in which the attack steps are carried out, point to a likely connection.

Researchers from Trend Micro have observed that both groups use Cobalt Strike to establish a foothold during the early phase of the attack.

To evade defenses, both also rely on legitimate but frequently abused tools such as PC Hunter and GMER, which are primarily intended for anti-rootkit scanning.

Ransomware Group Nokoyawa: Features

The malware was originally written in C. It used Elliptic Curve Cryptography (ECC) over the SECT233R1 curve for asymmetric encryption, with the files themselves encrypted under a Salsa20 symmetric key.

Nokoyawa 2.0, the revised version, expanded the ransomware’s capabilities by adding runtime flexibility through a command-line configuration option.

Researchers from Zscaler highlighted an unusual design decision in Nokoyawa 2.0: the entire configuration must be supplied via the command line.

This design suggests the ransomware was built to be operated by a range of threat actors. These affiliates are presumably paid a share of the ransom proceeds for breaking into businesses and deploying it.
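Two details above give defenders something concrete to look for: the execution of legitimate anti-rootkit utilities (PC Hunter, GMER) that are rarely seen in normal business use, and a ransomware binary that receives its whole configuration on the command line. The following Python script is an added example, not code from the article or from the Trend Micro or Zscaler research, that runs both checks over constructed process-creation log lines. It assumes a simple log format (`<timestamp> <host> image=<path> cmdline=<...>`), assumes the tools appear under executable names containing "pchunter" or "gmer", and assumes the embedded configuration is a JSON object longer than a 512-character threshold; none of those specifics come from the article.

```python
import json
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed (not from the article): substrings of the executable names the two
# anti-rootkit tools named in the text typically ship under.
ABUSED_ANTIROOTKIT_TOOLS = ("pchunter", "gmer")

# Assumed threshold: ordinary command lines rarely carry this much data.
LONG_CMDLINE_THRESHOLD = 512

# Assumed log layout: "<ts> <host> image=<path> cmdline=<rest of line>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) image=(?P<image>\S+) cmdline=(?P<cmdline>.*)$")


@dataclass
class Event:
    ts: str
    host: str
    image: str
    cmdline: str


def parse_event(line: str) -> Optional[Event]:
    """Parse one process-creation record; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return Event(**m.groupdict()) if m else None


def basename(path: str) -> str:
    """Lower-cased file name, accepting both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def find_json_object(text: str) -> Optional[dict]:
    """Return the first JSON object embedded anywhere in text, or None.

    raw_decode handles braces inside JSON strings correctly, so we only need to
    retry from each '{' position until one parses as an object.
    """
    decoder = json.JSONDecoder()
    start = text.find("{")
    while start != -1:
        try:
            obj, _ = decoder.raw_decode(text, start)
            if isinstance(obj, dict):
                return obj
        except json.JSONDecodeError:
            pass
        start = text.find("{", start + 1)
    return None


def evaluate(event: Event) -> List[str]:
    """Apply both heuristics to one event and return human-readable findings."""
    findings = []
    name = basename(event.image)
    if any(tool in name for tool in ABUSED_ANTIROOTKIT_TOOLS):
        findings.append("anti-rootkit tool execution (commonly abused to disable defenses)")
    # Gate on length first so short, benign JSON arguments do not alert.
    if len(event.cmdline) > LONG_CMDLINE_THRESHOLD:
        cfg = find_json_object(event.cmdline)
        if cfg is not None:
            findings.append(f"long command line carrying an embedded JSON config ({len(cfg)} keys)")
    return findings


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (host, image basename, finding) for every alert in the log."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for finding in evaluate(ev):
            alerts.append((ev.host, basename(ev.image), finding))
    return alerts


# Constructed sample data: an oversized JSON blob standing in for a config passed
# on the command line, plus benign and suspicious process launches.
_CONFIG = json.dumps({"mode": "full", "workers": 8,
                      "exclude": ["Windows", "Program Files"], "blob": "A" * 600})
SAMPLE_LOG = [
    "2023-08-10T09:12:01Z ws-17 image=C:\\Windows\\System32\\notepad.exe cmdline=notepad.exe report.txt",
    "2023-08-10T09:14:33Z ws-17 image=C:\\Users\\Public\\PCHunter64.exe cmdline=PCHunter64.exe",
    "2023-08-10T09:15:02Z srv-db image=C:\\Temp\\gmer.exe cmdline=gmer.exe",
    f"2023-08-10T09:18:45Z srv-db image=C:\\Temp\\payload.exe cmdline=payload.exe --config {_CONFIG}",
    '2023-08-10T09:20:00Z ws-17 image=C:\\Windows\\System32\\cmd.exe cmdline=cmd.exe /c echo {"not":"long"}',
]

if __name__ == "__main__":
    for host, image, finding in scan(SAMPLE_LOG):
        print(f"{host}: {image}: {finding}")
```

Run stand-alone, the script reports the two anti-rootkit launches and the one oversized command line, and stays silent on the notepad and short `cmd.exe` lines. The length gate matters in practice: small JSON fragments appear in plenty of legitimate command lines, and alerting on them alone would bury the signal the Zscaler observation provides.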


Esme Greene

Esme brings a wealth of knowledge and experience to our website, specializing in all aspects of DarkWeb security. With a deep understanding of the intricate workings of the DarkWeb and its associated cybersecurity risks, Esme curates insightful and informative content for our readers.