The Nokoyawa Ransomware is a mostly unknown threat, but that in no way means it is less destructive than other, more notorious ransomware families. Once it has managed to infiltrate the targeted computers, Nokoyawa engages its encryption routine and locks numerous important file types found on the devices. So far, cybersecurity researchers have found no indication that the operators of Nokoyawa use double-extortion techniques in their attacks. In practice, this means the hackers do not collect information from the breached devices that they could later threaten to publish if the victims decide not to pay the demanded ransom. Most of the identified Nokoyawa victims are located in South America, and more specifically in Argentina.
According to the researchers' report, Nokoyawa's encryption routine calls the BCryptGenRandom API to generate a fresh value for each targeted file, and combines it with the hardcoded nonce 'lvcelcve' to encrypt the victim's data with Salsa. The key used for a file is then encrypted with an ECDH key pair. Notably, the discovered Nokoyawa samples did not use a packer, leaving their code strings in the open and easy to analyze.
Connections to the Hive Gang
While studying the threat, the researchers found numerous similarities with the threatening campaigns that deployed the Hive Ransomware threat. The Hive threat was at its peak back in 2021, when it managed to breach over 300 organizations in just four months. Even if just a fraction of the victims paid a ransom to the attackers, that could still leave the hackers with profits in the millions.
The evidence found is sufficient to support the conclusion that the two malware families are likely connected. In both operations, the ransomware payloads were delivered to the breached devices via Cobalt Strike. Afterward, the attackers employed legitimate but often abused tools, such as the anti-rootkit scanner GMER for defense evasion and PC Hunter for data collection and defense evasion. In both cases, lateral movement within the compromised network was achieved via PsExec. It seems the Hive operators may have switched to a new malware family, possibly via a RaaS (Ransomware-as-a-Service) scheme, while keeping most of the same attack infrastructure.
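The tooling sequence described above (PsExec lateral movement followed by GMER or PC Hunter on the same host) is something a defender can hunt for in process-creation telemetry. The following is an added example, not code from the original article or the researchers' report; the log format and sample events are constructed, and the binary names (PSEXESVC.exe, gmer.exe, PCHunter64.exe/PCHunter32.exe) and the one-hour window are assumptions about the tools' default executables, not indicators taken from the report.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = """\
2022-03-01T10:00:05Z host=WS01 image=C:\\Windows\\PSEXESVC.exe parent=C:\\Windows\\System32\\services.exe
2022-03-01T10:02:40Z host=WS01 image=C:\\Temp\\gmer.exe parent=C:\\Windows\\System32\\cmd.exe
2022-03-01T10:03:10Z host=WS01 image=C:\\Temp\\PCHunter64.exe parent=C:\\Windows\\System32\\cmd.exe
2022-03-01T11:15:00Z host=WS02 image=C:\\Windows\\PSEXESVC.exe parent=C:\\Windows\\System32\\services.exe
2022-03-02T09:00:00Z host=WS03 image=C:\\Temp\\gmer.exe parent=C:\\Windows\\explorer.exe
"""

EVENT_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) image=(?P<image>\S+) parent=(?P<parent>\S+)$")

# Assumed default binary names of the tools named in the report; adjust to your environment.
PSEXEC_SERVICE = "psexesvc.exe"            # service PsExec drops on the remote host
EVASION_TOOLS = {"gmer.exe", "pchunter64.exe", "pchunter32.exe"}
WINDOW = timedelta(hours=1)                # assumed correlation window

def parse_events(text):
    """Parse constructed 'ts host image parent' lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        d["image_name"] = d["image"].rsplit("\\", 1)[-1].lower()
        d["parent_name"] = d["parent"].rsplit("\\", 1)[-1].lower()
        events.append(d)
    return events

def find_suspicious_hosts(events, window=WINDOW):
    """Return {host: [tool, ...]} for hosts where a PsExec service start is followed
    within `window` by execution of GMER or PC Hunter, the sequence the report describes."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    flagged = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        psexec_times = [e["ts"] for e in evs
                        if e["image_name"] == PSEXEC_SERVICE and e["parent_name"] == "services.exe"]
        for e in evs:
            if e["image_name"] in EVASION_TOOLS and any(timedelta(0) <= e["ts"] - t <= window for t in psexec_times):
                flagged.setdefault(host, []).append(e["image_name"])
    return flagged
```

Only WS01 is flagged on the sample data: WS02 shows the PsExec service alone and WS03 shows GMER without a preceding PsExec start, so neither meets the combined condition.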