New Nokoyawa Variant Catching Up to Peers with Blatant Code Reuse | FortiGuard Labs 

Nokoyawa is a Windows ransomware variant that traces its lineage to Karma/Nemty and increasingly reuses publicly available code to expand its capabilities. FortiGuard Labs reports new features such as Babuk-derived process and volume-enumeration code, a TOR-based ransom portal with an onion URL, and a per-file key exchange that improves encryption speed and scope.

Keypoints

  • Nokoyawa is a 64‑bit Windows ransomware variant linked to Karma/Nemty lineage.
  • The new variant reuses code from Babuk to terminate processes and services, aiding encryption by reducing locked files.
  • Each sample uses fresh ECC keypairs and per-file ephemeral keys, deriving a Salsa20 key via ECDH for file encryption.
  • The ransomware encrypts files on all local and network drives, skipping certain extensions and files named with NOKOYAWA.
  • Encrypted files receive a .NOKOYAWA extension and a NOKOYAWA_readme.txt ransom note; a new onion-based ransom portal supports negotiations.
  • Volume shadow copies can be deleted to hinder recovery, and admin privileges are required for several actions; no UAC bypass was observed.

MITRE Techniques

  • [T1486] Data Encrypted for Impact – Encrypts files across drives and volumes (both local and networked). “Encrypt files on all drives and volumes (both local and networked)”
  • [T1490] Inhibit System Recovery – Deletes volume snapshots to prevent restoration. “resizing the allocated space for snapshots of volume shadow copies to 1 byte via the DeviceIoControl API using the IOCTL_VOLSNAP_SET_MAX_DIFF_AREA_SIZE (0x53c028) control code”
  • [T1562.001] Impair Defenses – Terminates processes and services to reduce files locked by other programs. “terminate processes and services to reduce the number of files locked by other programs”
  • [T1071.001] Web Protocols – Uses a Tor onion URL to contact operators and negotiate ransom. “In the Apr 2022 samples, … contact the ransomware operators through a .onion URL via a TOR browser”
  • [T1059.003] Windows Command Shell – Ransomware exposes command line options for execution. “Nokoyawa provides several command line options for customized executions: -help: Print the list of command line options; -network: Encrypt files on all drives and volumes; -file filePath: Encrypt a single file; -dir dirPath: Encrypt all files in specified directory and sub-directories”

Indicators of Compromise

  • [File hash] A32b7e40fc353fd2f13307d8bfe1c7c634c8c897b80e72a9872baa9a1da08c46, 304e01db6da020fc1e0e02fdaccd60467a9e01579f246a8846dcfc33c1a959f8, and 2 more hashes
  • [File name] NOKOYAWA_readme.txt
  • [File extension] .NOKOYAWA
  • [Process name] sql.exe, excel.exe
  • [Service name] vss, sophos
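As an added defender-side example, not code from the FortiGuard report or its authors, the following Python maps a constructed host timeline onto the indicators and behaviours listed above and only raises an alert once encryption is corroborated by a preparatory step. The event schema and field names are hypothetical; the indicator values are the ones on this page.

```python
from collections import Counter
from typing import Optional

# Indicator values taken from the summary above. The event shape used below is a
# constructed, normalized form (hypothetical), not any product's log schema.
RANSOM_NOTE = "NOKOYAWA_readme.txt"
ENCRYPTED_EXT = ".NOKOYAWA"
ENCRYPT_FLAGS = {"-network", "-file", "-dir"}   # -help alone is not a deployment signal
STOPPED_SERVICES = {"vss", "sophos"}
KILLED_PROCESSES = {"sql.exe", "excel.exe"}

def classify(event: dict) -> Optional[str]:
    """Map one normalized event to the MITRE technique it evidences, or None."""
    kind = event.get("type")
    target = event.get("target", "")
    if kind == "process_create":
        flags = set(event.get("cmdline", "").split()[1:])
        if flags & ENCRYPT_FLAGS:
            return "T1059.003"
    elif kind == "file_rename" and target.upper().endswith(ENCRYPTED_EXT):
        return "T1486"
    elif kind == "file_create" and target.endswith(RANSOM_NOTE):
        return "T1486"
    elif kind == "service_stop" and event.get("service", "").lower() in STOPPED_SERVICES:
        return "T1562.001"
    elif kind == "process_terminate" and event.get("image", "").lower() in KILLED_PROCESSES:
        return "T1562.001"
    return None

def detect(events: list) -> dict:
    """Count technique hits for one host and flag when impact is corroborated."""
    hits = Counter(t for t in map(classify, events) if t)
    # Require repeated impact evidence plus a preparatory behaviour before alerting,
    # so a single stray .NOKOYAWA rename (e.g. a restored sample) does not page anyone.
    alert = hits["T1486"] >= 2 and (hits["T1562.001"] > 0 or hits["T1059.003"] > 0)
    return {"hits": dict(hits), "alert": alert}

# Constructed sample timeline for a single host.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": "C:\\Users\\Public\\svc.exe", "cmdline": "svc.exe -network"},
    {"type": "service_stop", "service": "VSS"},
    {"type": "process_terminate", "image": "EXCEL.EXE"},
    {"type": "file_rename", "target": "D:\\share\\budget.xlsx.NOKOYAWA"},
    {"type": "file_rename", "target": "D:\\share\\q1.docx.NOKOYAWA"},
    {"type": "file_create", "target": "D:\\share\\NOKOYAWA_readme.txt"},
    {"type": "file_create", "target": "C:\\Temp\\notes.txt"},
]

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```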

Read more: https://www.fortinet.com/blog/threat-research/nokoyawa-variant-catching-up