ReversingLabs’ YARA detection rule for Nokoyawa can help you find this ransomware in your environment.
ReversingLabs threat analysts are constantly working to respond to new threats and provide our customers with information and tools to defend their systems from attacks. Written by our threat analysts, our high-quality, open source YARA rules help threat hunters, incident responders, security analysts, and other defenders detect malicious behavior in their environment.
In this series, we break down some of the threats behind our YARA detection rules and help your organization to detect them within your environment.
Nokoyawa: a ransomware researchers disagree on
Discovered by multiple researchers in early 2022, Nokoyawa is a ransomware that threat researchers assert has stemmed from other ransomware types and was created with publicly available code. However, multiple threat research teams have different understandings of how this ransomware was created and what threat actors it’s related to, based on each group’s research and findings.
Generally speaking, Nokoyawa functions as a fairly basic ransomware, and researchers across the board believe that it wasn’t made with unique and highly advanced technical skills. Fortinet provided a blog post of their researchers’ findings over at FortiGuard. They share that the ransomware runs exclusively on 64-bit Windows systems, and if no argument is provided, the ransomware encrypts local files within the target environment immediately. Files encrypted are then tagged with the .NOKOYAWA extension.
Also providing details of Nokoyawa is Trend Micro. In their blog post, they assert that the Nokoyawa ransomware is possibly related to Hive ransomware, a different strain. Hive is considered to be one of the most notable forms of ransomware from 2021, breaching over 300 organizations in just four months.
Trend Micro’s reason for believing that there is a connection between these two ransomware strains is that they share “striking similarities” in their attack chain. Similarities include the use of Cobalt Strike in the arrival phase of attack, the abuse of legitimate tools such as anti-rootkit scanners, as well as the information gathering and lateral deployment processes. The additional evidence Trend Micro uses to back its conclusions is a Nokoyawa IP address that shows the two ransomware strains having the same infrastructure.
However, researchers at SentinelLabs, a part of SentinelOne, assert based on their independent research of Nokoyawa that the ransomware is not related to Hive. Instead, they believe Nokoyawa serves as a variant of Karma (also known as Nemty) ransomware. SentinelLabs discovered samples proving this in February of 2022, and they shared that their analysis of these samples “contradicts” Trend Micro’s finding, and they “assess Nokoyawa is clearly an evolution of Karma (Nemty), bearing no major code similarities to Hive.”
FortiGuard researchers are also in agreement with SentinelLabs that Nokoyawa is a newer variant of Karma. FortiGuard was also able to assert based on the samples they analyzed that the threat actors who wrote Nokoyawa copied publicly available code verbatim. One example they shared is Nokoyawa using the same code as Babuk ransomware, which was leaked back in September 2021.
Nokoyawa in its current state has been updated from a previous version by the threat actors who created it, which researchers were able to pinpoint by comparing samples found in both 2021 and 2022.
In its original version, and when encrypting files on a target’s local network, Nokoyawa creates multiple threads for encrypting, with the purpose of generating greater speed and efficiency in the takeover process. Regarding decryption keys, Nokoyawa was designed to make it difficult for one victim to use another victim’s decryptor key, because each victim is linked to a seperate “master” key pair, according to FortiGuard.
In FortiGuard’s assessment of newer Nokoyawa samples found in April of 2022, 3 new features were found, which they believe were implemented by the threat actor to maximize the number of files that can be encrypted by Nokoyawa. FortiGuard also asserts that other ransomware families have already employed these features, pushing them to believe that the Nokoyawa threat actors are trying to keep up with other cyber criminals and their techniques.
Nokoyawa ransomware can impact Microsoft Office applications, email clients, browsers, backup programs, security products and database servers, according to FortiGuard. Its capabilities are the same as Babuk’s, further showing that Nokoyawa threat actors copied the previous ransomware’s source code.
An additional change to Nokoyawa, cited by both FortiGuard and SentinelLabs, shows that the ransom notes, as well as the communications between victims and attackers, have changed considerably. Victims were instructed previously to email the attackers, but the newer version of the ransom note instructs victims to use a .onion URL via a TOR browser instead. FortiGuard was also able to show screenshots of a conversation between a possible victim and the Nokoyawa threat actor, which show a change in how the threat actor is demanding the ransom.
Regarding Nokoyawa’s victims, Trend Micro believes that most of the threat actor’s targets have been located in South America, most often in Argentina. SentinelLabs and FortiGuard did not share victim details in their blogs.
To protect your environment, it is crucial to detect Nokoyawa infections before the threat actor has a chance to execute the malware.
ReversingLabs’ Nokoyawa YARA rule is designed to detect this ransomware within your environment with high fidelity and almost no false-positives.
Download the Nokoyawa YARA Rule here:
To learn more about the prerequisites for using ReversingLabs’ YARA rules, consult our Github page.
The Work Doesn’t Stop Here
ReversingLabs’ team of analysts are constantly surveying the threat landscape in an effort to better serve our customers and the greater security community. Don’t hesitate to contact us if you’d like to learn more about how we help organizations combat threats like malicious wipers and ransomware or to schedule a demonstration.
- Yara Rules