Discovery Enum
- AdFind
- SoftPerfect NetScan
Nokoyawa is a ransomware family operated in a ransomware-as-a-service ecosystem and linked in reporting to historical RaaS operations including Nemty, Nemty X, Karma, and JSWORM.
Profile source: Mallory opens in a new tabNokoyawa
Nokoyawa is a ransomware family operated in a ransomware-as-a-service ecosystem and linked in reporting to historical RaaS operations including Nemty, Nemty X, Karma, and JSWORM. Reporting also links Nokoyawa to the aliases and personas around “salfetka,” “rinc,” and “farnetwork,” and to Volodymyr Tymoshchuk, who has been associated with JSWORM, Karma, Nemty, and Nokoyawa ransomware platforms. Microsoft reporting states that DEV-0237 routinely deployed Nokoyawa in May 2022 after previously experimenting with it when not using Hive.
Observed Nokoyawa intrusions show rapid progression from initial access to encryption. In a documented November 2022 case, the intrusion began with a thread-hijacked phishing email delivering a malicious HTML smuggling attachment, which downloaded a password-protected ZIP containing an ISO. User interaction with a LNK file in the mounted ISO executed an IcedID DLL via a renamed rundll32 binary. IcedID established persistence through a scheduled task, performed host and domain discovery, and downloaded follow-on payloads from attacker infrastructure including trentonkaizerfak[.]com, pikchayola[.]pics, questdisar[.]com, and IPs 5.255.103[.]16:443 and 5.8.18[.]242:443. About three hours after IcedID execution, operators deployed Cobalt Strike, accessed LSASS memory, used valid accounts and RDP for lateral movement, ran AdFind and SessionGopher for Active Directory and credential discovery, and used SoftPerfect netscan.exe before staging ransomware.
In that case, the attackers copied the Nokoyawa binary as k.exe and a batch file p.bat across the environment using SMB, WMIC, and PsExec, then remotely created a service named mstdc to execute the batch file as SYSTEM. Nokoyawa was executed on a domain controller and other hosts roughly 12 hours after initial infection. The ransomware configuration was set to encrypt network resources, load hidden drives, and delete volume shadow copies. It excluded common system directories including Windows, Program Files, Program Files (x86), AppData, ProgramData, and System Volume Information, and excluded extensions such as .exe, .dll, .ini, .lnk, and .url from encryption.
High-confidence infrastructure and host artifacts mentioned in reporting include the hostname WIN-5J00ETD85P5, the service name mstdc, the staged ransomware filename k.exe, and associated delivery and C2 infrastructure trentonkaizerfak[.]com, pikchayola[.]pics, questdisar[.]com, 5.255.103[.]16:443, and 5.8.18[.]242:443. Reporting attributes the malware distribution in the November 2022 intrusion to TA551 and the hands-on-keyboard activity to Microsoft-tracked Storm-0390, managed by Periwinkle Tempest.
Ransomware.live
Reported operators
In May 2022, DEV-0237 started to routinely deploy Nokoyawa, a payload that we observed the group previously experimenting with when they weren’t using Hive.
Five minutes after transferring the files to hosts in the domain, the Nokoyawa ransomware binary was executed on a domain controller... The time to ransomware (TTR) was just over 12 hours from the initial infection.
MITRE ATT&CK
Reporting
security researcher 3xp0rt mentioned that “salfetka” is linked to the aliases "rinc" and "farnetwork" which is tied to the Nokoyawa, JSWORM, Nefilim, Karma and Nemty ransomware operations.
"...historical RaaS operations Nemty, Nemty X, Karma and Nokoyawa."
In 2023, Group-IB also linked Tymoshchuk to JSWORM, Karma, Nokoyawa, and Nemty ransomware gangs.
Tymoshchuk appears to have also been involved with the JSWORM, Karma, Nemty, and Nokoyawa Ransomware-as-a-Service (RaaS) platforms.
Five minutes after transferring the files to hosts in the domain, the Nokoyawa ransomware binary was executed on a domain controller... The time to ransomware (TTR) was just over 12 hours from the initial infection.
In May 2022, DEV-0237 started to routinely deploy Nokoyawa, a payload that we observed the group previously experimenting with when they weren’t using Hive.
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.