Nokoyawa Ransomware: Rust or Bust

Nokoyawa is a 64-bit Windows ransomware family that was rewritten from an earlier C version into a Rust-based 2.0. The Rust version takes its configuration from a command-line parameter and swaps the SECT233R1 curve for Curve25519, while keeping Salsa20 for file encryption. The operation runs double extortion, with its ransom portal and data leak site hosted as a TOR hidden service. #Nokoyawa #Rust #Curve25519 #Salsa20 #Karma #Nemty #Hive #AgendaQilin #RansomExx #BlackCat #ALPHV #TOR #DoubleExtortion

Keypoints

  • Nokoyawa is a 64-bit Windows-based ransomware family that emerged in February 2022
  • The threat group behind Nokoyawa performs double extortion ransomware attacks: exfiltrating sensitive information from organizations, followed by file encryption and a ransom payment demand
  • Nokoyawa was initially written in the C programming language using Elliptic Curve Cryptography (ECC) with SECT233R1 and Salsa20 for file encryption
  • In September 2022, Nokoyawa was rewritten in the Rust programming language using ECC with Curve25519 and Salsa20 for file encryption
  • The Rust-based Nokoyawa 2.0 provides threat actors with runtime flexibility via a configuration parameter that is passed via the command-line
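The MITRE section of this page notes that the --config parameter is a Base64-encoded JSON object. The following Python triage helper is an added example, not code from the Zscaler post or from the malware: it pulls the --config value out of a process command line as captured in process-creation telemetry, restores the '=' padding that logging pipelines often strip, tolerates the URL-safe alphabet, and parses the JSON. The key names in SAMPLE_CONFIG are placeholders invented for this example; the real key set is in Table 1 of the post, which this page does not reproduce. The file name sample.exe is likewise a placeholder.

```python
import base64
import binascii
import json
import shlex

# Constructed sample: a configuration object as a --config value might carry it.
# The key names are placeholders invented for this example; the real key set is in
# Table 1 of the Zscaler post, which is not reproduced on this page.
SAMPLE_CONFIG = {
    "placeholder_mode": "demo",
    "placeholder_skip": ["Windows", "Program Files"],
    "placeholder_flag": True,
}


def encode_config(cfg):
    """Base64-encode a JSON object the way a --config value is packaged (standard alphabet)."""
    return base64.b64encode(json.dumps(cfg, separators=(",", ":")).encode()).decode()


def _tokens(cmdline):
    # Non-POSIX mode keeps backslashes literal and quoted paths whole, which suits Windows
    # command lines as captured in process-creation telemetry.
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]


def extract_config_arg(cmdline):
    """Return the value following --config (or --config=VALUE), or None."""
    tokens = _tokens(cmdline)
    for i, tok in enumerate(tokens):
        if tok == "--config" and i + 1 < len(tokens):
            return tokens[i + 1]
        if tok.startswith("--config="):
            return tok[len("--config="):]
    return None


def decode_config(b64):
    """Decode a Base64-wrapped JSON object, tolerating stripped '=' padding and the
    URL-safe alphabet. Returns the parsed dict, or None if the value is not one."""
    s = b64.strip()
    s += "=" * (-len(s) % 4)                  # logging pipelines often drop trailing '='
    for altchars in (None, b"-_"):            # standard alphabet first, then URL-safe
        try:
            raw = base64.b64decode(s, altchars=altchars, validate=True)
            obj = json.loads(raw.decode("utf-8"))
        except (binascii.Error, ValueError):  # UnicodeDecodeError/JSONDecodeError are ValueErrors
            continue
        if isinstance(obj, dict):
            return obj
    return None


def triage_command_line(cmdline):
    """Summarise the switches the post documents: --file, --dir and the decoded --config."""
    tokens = _tokens(cmdline)
    summary = {"file": None, "dir": None, "config": None}
    for i, tok in enumerate(tokens):
        for name in ("file", "dir"):
            if tok == "--" + name and i + 1 < len(tokens):
                summary[name] = tokens[i + 1]
    cfg_arg = extract_config_arg(cmdline)
    if cfg_arg is not None:
        summary["config"] = decode_config(cfg_arg)
    return summary


if __name__ == "__main__":
    # Constructed command line; 'sample.exe' is a placeholder name, not an observed filename.
    line = 'sample.exe --dir "C:\\Users\\Public Docs" --config ' + encode_config(SAMPLE_CONFIG)
    print(json.dumps(triage_command_line(line), indent=2))
```

Run it against the full command line recorded for a suspicious process rather than a truncated one: a --config value cut off mid-token will fail Base64 validation and come back as None, which is itself worth noting in a timeline.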

MITRE Techniques

  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – The ransomware does not run without command-line arguments; --file, --dir and --config control execution, and --config is mandatory in 2.0. Quote: “The command-line arguments --file (to encrypt a single file) and --dir (to encrypt a directory) are identical to the previous version of Nokoyawa. However, Nokoyawa 2.0 requires a configuration file to execute the ransomware via the --config command-line argument.”
  • [T1132] Data Encoding – The --config value is a Base64-encoded JSON object whose keys are listed in Table 1 of the post (the table itself is not reproduced here). Quote: “The configuration parameter is a Base64 encoded JSON object that has the following keys and values shown in Table 1.”
  • [T1486] Data Encrypted for Impact – Nokoyawa 2.0 encrypts file contents with Salsa20 and appends a 40-byte footer: a 32-byte ephemeral Curve25519 public key followed by an 8-byte Salsa20 nonce. The footer holds no secret material; the ephemeral private key is not written to the file, so the public key alone does not let a victim recover the file key. Quote: “as shown in Figure 2, the 32-byte ephemeral public key (blue) and the 8-byte nonce (red) are appended as a 40-byte footer at the end of the encrypted file.”
  • [T1041] Exfiltration Over C2 Channel – The group steals data before encrypting it (double extortion); the post does not describe the exfiltration channel. Quote: “The threat group behind Nokoyawa performs double extortion ransomware attacks: exfiltrating sensitive information from organizations, followed by file encryption and a ransom payment demand”
  • [T1090.003] Multi-hop Proxy – The ransom notes link to a TOR hidden service hosting the ransom portal and leak site. Quote: “Nokoyawa ransom notes contain a link to a TOR hidden service as shown in Figure 4.”
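To make the encrypted-file layout from the T1486 entry concrete, here is an added Python example; it is not Nokoyawa's code and not from the Zscaler post. It contains a reference Salsa20/20 (Bernstein's specification, 256-bit key, 8-byte nonce) and the layout ciphertext || 32-byte ephemeral public key || 8-byte nonce, plus a parser that carves the footer the way a responder would when triaging a sample file. The page does not say how the per-file Salsa20 key is derived from the ephemeral Curve25519 key, so `file_key` is passed in directly as a stand-in for that derivation, and `ephemeral_pub` is an arbitrary 32-byte placeholder rather than a real curve point. The sample plaintext and keys are constructed for the example.

```python
import os
import struct

FOOTER_LEN = 40          # 32-byte ephemeral public key + 8-byte nonce, per the write-up
EPHEMERAL_PUB_LEN = 32
NONCE_LEN = 8
MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def _quarterround(y0, y1, y2, y3):
    # Salsa20 quarterround, as in the specification
    y1 ^= _rotl((y0 + y3) & MASK32, 7)
    y2 ^= _rotl((y1 + y0) & MASK32, 9)
    y3 ^= _rotl((y2 + y1) & MASK32, 13)
    y0 ^= _rotl((y3 + y2) & MASK32, 18)
    return y0, y1, y2, y3


def salsa20_block(key, nonce, counter):
    """One 64-byte Salsa20/20 keystream block for a 32-byte key and 8-byte nonce."""
    k = struct.unpack("<8I", key)
    n = struct.unpack("<2I", nonce)
    c = struct.unpack("<2I", struct.pack("<Q", counter))
    # "expand 32-byte k" constants interleaved with key, nonce and block counter
    x = [0x61707865, k[0], k[1], k[2], k[3],
         0x3320646E, n[0], n[1], c[0], c[1],
         0x79622D32, k[4], k[5], k[6], k[7],
         0x6B206574]
    s = list(x)
    for _ in range(10):  # 10 double rounds = 20 rounds
        # column round
        s[0], s[4], s[8], s[12] = _quarterround(s[0], s[4], s[8], s[12])
        s[5], s[9], s[13], s[1] = _quarterround(s[5], s[9], s[13], s[1])
        s[10], s[14], s[2], s[6] = _quarterround(s[10], s[14], s[2], s[6])
        s[15], s[3], s[7], s[11] = _quarterround(s[15], s[3], s[7], s[11])
        # row round
        s[0], s[1], s[2], s[3] = _quarterround(s[0], s[1], s[2], s[3])
        s[5], s[6], s[7], s[4] = _quarterround(s[5], s[6], s[7], s[4])
        s[10], s[11], s[8], s[9] = _quarterround(s[10], s[11], s[8], s[9])
        s[15], s[12], s[13], s[14] = _quarterround(s[15], s[12], s[13], s[14])
    return struct.pack("<16I", *((a + b) & MASK32 for a, b in zip(x, s)))


def salsa20_xor(key, nonce, data):
    """XOR data with the Salsa20 keystream (encryption and decryption are the same op)."""
    out = bytearray()
    for i in range(0, len(data), 64):
        block = salsa20_block(key, nonce, i // 64)
        out.extend(a ^ b for a, b in zip(data[i:i + 64], block))
    return bytes(out)


def encrypt_with_footer(plaintext, file_key, ephemeral_pub, nonce):
    """Produce ciphertext || ephemeral_pub (32) || nonce (8), the layout the post describes.

    file_key stands in for the key the post says is derived from the ephemeral Curve25519
    key; that derivation is not specified on the page and is not implemented here."""
    if len(file_key) != 32 or len(ephemeral_pub) != EPHEMERAL_PUB_LEN or len(nonce) != NONCE_LEN:
        raise ValueError("expected 32-byte key, 32-byte ephemeral public key, 8-byte nonce")
    return salsa20_xor(file_key, nonce, plaintext) + ephemeral_pub + nonce


def parse_footer(blob):
    """Carve a suspect file into (body, ephemeral_pub, nonce); raise if it cannot carry a footer."""
    if len(blob) < FOOTER_LEN:
        raise ValueError("too short to carry a 40-byte Nokoyawa 2.0 footer")
    body, footer = blob[:-FOOTER_LEN], blob[-FOOTER_LEN:]
    return body, footer[:EPHEMERAL_PUB_LEN], footer[EPHEMERAL_PUB_LEN:]


def decrypt_with_footer(blob, file_key):
    """Recover the plaintext given the (externally derived) file key; the footer supplies the nonce."""
    body, _ephemeral_pub, nonce = parse_footer(blob)
    return salsa20_xor(file_key, nonce, body)


if __name__ == "__main__":
    # Constructed inputs: random stand-ins for the derived file key and the ephemeral public key
    file_key, ephemeral_pub, nonce = os.urandom(32), os.urandom(32), os.urandom(8)
    blob = encrypt_with_footer(b"constructed victim document", file_key, ephemeral_pub, nonce)
    body, pub, nce = parse_footer(blob)
    print("ephemeral pub:", pub.hex(), "nonce:", nce.hex(), "body bytes:", len(body))
    print(decrypt_with_footer(blob, file_key))
```

When triaging, the carved public key and nonce are useful as per-file metadata (the nonce should differ between files; a repeated nonce under one key would be a cryptographic flaw worth noting), but nothing in the footer lets a victim reconstruct the file key without the private half of the Curve25519 exchange.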

Indicators of Compromise

  • [SHA256] Nokoyawa Rust sample – 7095beafff5837070a89407c1bf3c6acf8221ed786e0697f6c578d4c3de0efd6
  • [SHA256] Nokoyawa Rust sample – 47c00ac29bbaee921496ef957adaf5f8b031121ef0607937b003b6ab2a895a12
  • [SHA256] Nokoyawa Rust sample – 259f9ec10642442667a40bf78f03af2fc6d653443cce7062636eb750331657c4

Read more: https://www.zscaler.com/blogs/security-research/nokoyawa-ransomware-rust-or-bust