[MART] - Daily Diary #467 - Meet Hive Successor: Nokoyawa Ransomware

CTAS-MAT ctas-mat at appgate.com
Thu Mar 10 20:41:08 UTC 2022

I hope everyone is doing well!

Below is the entry for today.

03/10/2022 - Diary entry #467

Disclosed this month, Nokoyawa Ransomware is a new threat in the ransomware landscape. After being executed in the device, Nokoyawa encrypts files using AES + RSA, appending .NOKOYAWA extension to the encrypted files. A ransom note is dropped on each directory, under the name NOKOYAWA_readme.txt, containing e-mails that can be used to negotiate for the decryptor. Although they don't seem to have a wall-of-shame website, they claim that if the ransom is not paid, the files will be leaked to media.

Nokoyawa Ransowmare share similarities with Hive Ransomware, covered in our Daily Diary #332 and in our Daily Diary #400 after compromising Supernus Pharmaceuticals. Besides sharing strings, in both Nokoyawa and Hive attacks Colbalt Strike beacon was used, along with trusted legitimate tools like GMER and PC Hunter for defense evasion and PsExec for lateral movement.

In February 2022, a group of researchers published an article defeating Hive Ransomware encryption, after a vulnerability in the malware's key generation process was discovered, allowing a success rate around 96% to recover the files without paying for the ransom. Nokoyawa Ransomware could be a response to that, with a new encryption procedure to get back on the game.

Kind Regards,


[https://d3aafpijpsak2t.cloudfront.net/images/Signature/likedin@2x.png]<https://www.linkedin.com/company/appgate-security/>     [https://d3aafpijpsak2t.cloudfront.net/images/Signature/twitter@2x.png] <https://twitter.com/AppgateSecurity>   [https://d3aafpijpsak2t.cloudfront.net/images/Signature/youtube@2x.png] <https://www.youtube.com/channel/UC-8GvxcZbm-R3EJNl8jYjiQ>

Felipe Duarte Domingues
Security Researcher

E: felipe.duarte at appgate.com<mailto:felipe.duarte at appgate.com>
O: +55 19 98840 2509

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.immunityinc.com/pipermail/mart/attachments/20220310/05c80bff/attachment.htm>

More information about the MART mailing list