Nokoyawa Leaks, the official communication channel for the Nokoyawa Ransomware group, re-emerged on the darkweb this week, revealing a list of 24 new victims.
With their latest variant, Nokoyawa 2.0, the group showcases enhanced file encryption capabilities and employs the highly performant Rust programming language.
Nokoyawa Ransomware is not as prolific as its peers ALPHV or LockBit. For that reason, the sudden listing of about two dozen victims has put up red flags. Moreover, the act that it’s a derivative of the Hive ransomware worsens the possible risks.
Operating primarily on 64-bit Windows systems, Nokoyawa ransomware group has gained notoriety for its double extortion tactics, combining data exfiltration with traditional file encryption and ransom demands.
Nokoyawa ransomware group popped up in cybersecurity news recently when researchers at Kaspersky disclosed that perpetrators exploited a zero-day vulnerability in the Windows Common Log File System (CLFS) to deploy the ransomware.
The severity of the situation prompted the Cybersecurity and Infrastructure Security Agency (CISA) to include Windows zero-day CVE-2023-28252 in its list of Known Exploited Vulnerabilities.
Here is what you need to know about the Nokoyawa ransomware group, its origins and mode of operation.
Nokoyawa ransomware group: Origins
The Nokoyawa ransomware group first surfaced in February 2022, built upon the foundation of a 64-bit Windows-based system. Researchers were quick to discover the pugmarks of Hive ransomware all over the new entrant.
In the latter half of 2021, Hive ransomware gained significant attention for its widespread attacks on over 300 organizations within a mere four-month period. This malicious group managed to amass substantial profits, potentially amounting to millions of US dollars.
In March 2022, Trend Micro researchers uncovered a connection between Hive and the lesser-known Nokoyawa ransomware group.
The similarities between the two ransomware families, ranging from the tools utilized to the sequential execution of attack steps, suggest a possible link.
Both groups employ Cobalt Strike during the initial stage of the attack to gain a foothold, noted Trend Micro researchers.
Additionally, they rely on commonly exploited legitimate tools like GMER and PC Hunter, primarily used for anti-rootkit scanning, to evade defensive measures.
“Other steps, such as information gathering and lateral deployment, are also similar,” said the Trend Micro researchers.
Nokoyawa ransomware group: Features
Initially written in the C programming language and utilizing Elliptic Curve Cryptography (ECC) with SECT233R1, the malware targeted organizations through asymmetric encryption and a Salsa20 symmetric key for file encryption.
“In September 2022, Nokoyawa was rewritten in the Rust programming language using ECC with the Curve25519 and Salsa20 for file encryption,” said a Zscaler threat assessment report on the ransomware.
The updated version, Nokoyawa 2.0, introduced runtime flexibility through a command-line configuration parameter, further enhancing the ransomware’s capabilities.
One distinctive feature of Nokoyawa 2.0 is its unique design choice of requiring a full configuration file via the command-line, noted Zscaler researchers.
This approach suggests that the malware authors have tailored the ransomware to cater to multiple threat actors. These affiliates are likely paid to compromise organizations and deploy the ransomware, receiving a percentage of the profits in return.
Encryption algorithms by Nokoyawa
The encryption algorithms employed by Nokoyawa 2.0 combine Curve25519, a popular choice for asymmetric encryption based on the x25519_dalek Rust library, and Salsa20 for symmetric encryption.
Upon execution, Nokoyawa generates an ephemeral Curve25519 key pair. Using a Diffie-Hellman key exchange with the Curve25519 public key passed via the configuration parameter, the ransomware derives a shared secret that serves as the Salsa20 key.
Additionally, the file extension acts as the nonce, which must be eight bytes long. Notably, Nokoyawa efficiently encrypts files by dividing them into blocks and encrypting them in chunks, making the encryption process swift and effective.
The extortion methods of Nokoyawa ransomware group
To communicate its demands, the Nokoyawa ransomware group employs a ransom note, the filename and content of which are passed through the configuration command-line parameter.
“The decision by the Nokoyawa malware author to pass a full configuration file via the command-line is a unique design choice,” said the Zscaler report.
“This is indicative that the malware author has developed the ransomware to be flexible for multiple threat actors who are likely paid as affiliates to compromise organizations and deploy the ransomware in return for a percentage of the profit.”
The sample ransom note of Nokoyawa ransomware group reveals their intent and provides instructions to the victim on how to proceed. Furthermore, the ransom notes include a link to a TOR hidden service, serving as a chat portal where negotiations can take place.
Interestingly, the same TOR hidden service hosts a data leak site. As of now, only one victim is listed on the site, indicating that the Nokoyawa ransomware group may not have compromised a large number of organizations or that the threat actors selectively engage in double extortion attacks, added the Zscaler report.