
Everything You Need To Know


The Nokoyawa ransomware group has resurfaced on the dark web, listing 24 new victims that have fallen prey to its latest variant, Nokoyawa 2.0. While Nokoyawa is not as active as some of its better-known peers, its sudden listing of two dozen victims has raised red flags. The group is known to employ double extortion, combining data exfiltration with traditional file encryption and ransom demands. The ransomware targets 64-bit Windows systems and has gained notoriety for its enhanced file encryption and for its use of the highly performant Rust programming language. The fact that it is a derivative of the Hive ransomware adds to the potential risk.

The Nokoyawa ransomware was first discovered in February 2022 as a 64-bit Windows executable. Researchers found that the Hive ransomware had left its signature all over this new entrant, indicating a possible link between the two ransomware families. Hive made headlines in late 2021 for widespread attacks that targeted over 300 organizations in a mere four-month period. The connections between Hive and Nokoyawa suggest a similar attack methodology: both groups employ Cobalt Strike in the initial stages of an attack to gain a foothold, and both rely on legitimate tools that are commonly abused by attackers, such as GMER and PC Hunter, to evade defensive measures.

The updated version of Nokoyawa now uses elliptic-curve cryptography with Curve25519 together with Salsa20 for file encryption, and gains runtime flexibility through command-line configuration parameters. The unusual design choice of requiring a full configuration file to be supplied on the command line suggests that the malware authors have tailored the ransomware for use by multiple threat actors. These affiliates are likely paid to compromise organizations and deploy the ransomware, receiving a percentage of the profits in return.

The encryption scheme used by Nokoyawa 2.0 combines Curve25519, a popular choice for asymmetric encryption, implemented via the x25519_dalek Rust library, with Salsa20 for symmetric encryption. The ransomware encrypts files efficiently by dividing them into blocks and encrypting them in chunks, which makes the encryption process fast. To communicate its demands, the group drops a ransom note whose filename and content are passed through the configuration command-line parameter. The malware also includes a link to a Tor hidden service that serves as a chat portal for negotiations, as well as a link to a data leak site. Only one victim has been listed on the latter, indicating that the Nokoyawa group may not have compromised a large number of organizations, or that it is selectively engaging in double extortion.

According to the Zscaler report, the decision by the Nokoyawa malware author to pass a full configuration file via the command line is a unique design choice that shows the ransomware was developed to be flexible for multiple threat actors, who are likely paid to compromise organizations and deploy the ransomware in return for a percentage of the profit. The similarities between the Hive and Nokoyawa ransomware families suggest a possible link, and the fact that the Cybersecurity and Infrastructure Security Agency (CISA) has added the Windows zero-day CVE-2023-28252 to its Known Exploited Vulnerabilities catalog indicates the severity of the situation.
