Zscaler ThreatLabz analyzed Nevada, a Rust-based variant of Nokoyawa ransomware, noting strong code similarities across Nokoyawa versions and two parallel branches in different languages. The findings describe hardcoded and CLI-configured encryption, shadow-copy deletion, and anti-analysis features used to evade detection. #Nevada #Nokoyawa #ThreatLabz #Rust #Curve25519 #Salsa20
Keypoints
- Nevada ransomware was advertised in criminal forums in December 2022 as part of a new ransomware-as-a-service affiliate program.
- Nevada is written in the Rust programming language with support for Linux and 64-bit versions of Windows.
- Zscaler ThreatLabz identified significant code similarities between Nevada and Nokoyawa ransomware including debug strings, command-line arguments and encryption algorithms.
- The Nokoyawa ransomware codebase has been continuously modified with at least four distinct variants (including Nevada) since February 2022.
- The Nokoyawa threat group appears to operate two parallel code branches written in different programming languages designed to confuse researchers and evade detection.
MITRE Techniques
- [T1490] Inhibit System Recovery – Deletes Windows Shadow Copies to hinder recovery.
- [T1027] Obfuscated/Compressed Files or Information – Obfuscates Windows API function names by resolving each name via CRC32 hash.
- [T1059.003] Command-Line Interface – Uses command-line parameters to control encryption targets and config.
- [T1082] System Information Discovery – Checks locale/language to avoid CIS-restricted regions.
- [T1070.004] File Deletion – Self-deletes the ransomware binary after encryption to erase traces.
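The T1027 entry above describes API names being resolved through CRC32 hashes, which hides the import table from static tools. The following is an added analyst helper, not code from the Zscaler post or from the ransomware: it precomputes CRC32 values over a candidate list of export names so a hash pulled out of a sample can be mapped back to its API name. The standard zlib/IEEE CRC-32 polynomial and the four case/NUL-termination variants are assumptions, since the post only says "CRC32"; the candidate list is a constructed sample, not a full export table.

```python
import zlib
from typing import Dict, Iterator, List, Tuple

# Constructed sample of export names an analyst might try; a real run would
# load the full export tables of kernel32.dll, ntdll.dll, advapi32.dll, etc.
CANDIDATE_APIS: List[str] = [
    "CreateFileW", "WriteFile", "ReadFile", "CloseHandle", "FindFirstFileW",
    "FindNextFileW", "GetLogicalDrives", "DeleteFileW", "CryptAcquireContextW",
    "CryptGenRandom", "GetUserDefaultUILanguage", "GetSystemDefaultLangID",
    "ShellExecuteW", "CreateProcessW", "VirtualAlloc", "GetProcAddress",
    "LoadLibraryW", "GetModuleHandleW", "SetFileAttributesW", "MoveFileExW",
]


def name_variants(name: str) -> Iterator[Tuple[str, bytes]]:
    # Assumption: the hashing routine's case handling and NUL inclusion are
    # unknown, so every common convention is tried for each name.
    raw = name.encode("ascii")
    yield "as-is", raw
    yield "lower", raw.lower()
    yield "upper", raw.upper()
    yield "as-is+nul", raw + b"\x00"


def crc32_name(data: bytes) -> int:
    # Assumed standard CRC-32 (zlib / IEEE 802.3), masked to 32 bits.
    return zlib.crc32(data) & 0xFFFFFFFF


def build_table(names: List[str]) -> Dict[int, List[Tuple[str, str]]]:
    # Map hash -> [(api_name, variant), ...]; a list keeps any collisions visible.
    table: Dict[int, List[Tuple[str, str]]] = {}
    for name in names:
        for variant, data in name_variants(name):
            table.setdefault(crc32_name(data), []).append((name, variant))
    return table


def resolve(table: Dict[int, List[Tuple[str, str]]], value: int) -> List[Tuple[str, str]]:
    # Return every candidate (name, variant) whose CRC32 matches an observed value.
    return table.get(value & 0xFFFFFFFF, [])


if __name__ == "__main__":
    table = build_table(CANDIDATE_APIS)
    # Constructed "observed" values: hashes as they would be read from a sample.
    observed = [crc32_name(b"CreateFileW"), crc32_name(b"getlogicaldrives"), 0xDEADBEEF]
    for value in observed:
        print(f"{value:08x} -> {resolve(table, value) or 'unresolved'}")
```

Unresolved values usually mean a different polynomial, an extra seed, or a name outside the candidate list, so extend the variants before concluding the hash is not CRC32.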
Indicators of Compromise
- [SHA256] Nokoyawa 1.0 – a32b7e40fc353fd2f13307d8bfe1c7c634c8c897b80e72a9872baa9a1da08c46
- [SHA256] Nokoyawa 1.1 – 3339ba53e1f05f91dbe907d187489dbaba6c801f7af6fd06521f3ba8c484ec6c
- [SHA256] Nokoyawa 2.0 – 7095beafff5837070a89407c1bf3c6acf8221ed786e0697f6c578d4c3de0efd6
- [SHA256] Nokoyawa 2.1 (Nevada) – 855f411bd0667b650c4f2fd3c9fbb4fa9209cf40b0d655fa9304dcdd956e0808
Read more: https://www.zscaler.com/blogs/security-research/nevada-ransomware-yet-another-nokayawa-variant