Skip to content
Ransomware group

Nokoyawa

Nokoyawa is a ransomware family operated in a ransomware-as-a-service ecosystem and linked in reporting to historical RaaS operations including Nemty, Nemty X, Karma, and JSWORM.

Profile source: Mallory opens in a new tab

Nokoyawa

Family profile

Nokoyawa is a ransomware family operated in a ransomware-as-a-service ecosystem and linked in reporting to historical RaaS operations including Nemty, Nemty X, Karma, and JSWORM. Reporting also links Nokoyawa to the aliases and personas around “salfetka,” “rinc,” and “farnetwork,” and to Volodymyr Tymoshchuk, who has been associated with JSWORM, Karma, Nemty, and Nokoyawa ransomware platforms. Microsoft reporting states that DEV-0237 routinely deployed Nokoyawa in May 2022 after previously experimenting with it when not using Hive.

Observed Nokoyawa intrusions show rapid progression from initial access to encryption. In a documented November 2022 case, the intrusion began with a thread-hijacked phishing email delivering a malicious HTML smuggling attachment, which downloaded a password-protected ZIP containing an ISO. User interaction with a LNK file in the mounted ISO executed an IcedID DLL via a renamed rundll32 binary. IcedID established persistence through a scheduled task, performed host and domain discovery, and downloaded follow-on payloads from attacker infrastructure including trentonkaizerfak[.]com, pikchayola[.]pics, questdisar[.]com, and IPs 5.255.103[.]16:443 and 5.8.18[.]242:443. About three hours after IcedID execution, operators deployed Cobalt Strike, accessed LSASS memory, used valid accounts and RDP for lateral movement, ran AdFind and SessionGopher for Active Directory and credential discovery, and used SoftPerfect netscan.exe before staging ransomware.

In that case, the attackers copied the Nokoyawa binary as k.exe and a batch file p.bat across the environment using SMB, WMIC, and PsExec, then remotely created a service named mstdc to execute the batch file as SYSTEM. Nokoyawa was executed on a domain controller and other hosts roughly 12 hours after initial infection. The ransomware configuration was set to encrypt network resources, load hidden drives, and delete volume shadow copies. It excluded common system directories including Windows, Program Files, Program Files (x86), AppData, ProgramData, and System Volume Information, and excluded extensions such as .exe, .dll, .ini, .lnk, and .url from encryption.

High-confidence infrastructure and host artifacts mentioned in reporting include the hostname WIN-5J00ETD85P5, the service name mstdc, the staged ransomware filename k.exe, and associated delivery and C2 infrastructure trentonkaizerfak[.]com, pikchayola[.]pics, questdisar[.]com, 5.255.103[.]16:443, and 5.8.18[.]242:443. Reporting attributes the malware distribution in the November 2022 intrusion to TA551 and the hands-on-keyboard activity to Microsoft-tracked Storm-0390, managed by Periwinkle Tempest.

Ransomware.live

Operational record

View group record ↗

Discovery Enum

  • AdFind
  • SoftPerfect NetScan

Exfiltration

  • FileZilla

LOLBAS

  • PsExec

Offsec

  • Cobalt Strike

RMM Tools

  • AnyDesk

Reported operators

Threat actors

2 named in public reporting
WIZARD SPIDER

In May 2022, DEV-0237 started to routinely deploy Nokoyawa, a payload that we observed the group previously experimenting with when they weren’t using Hive.

Storm-0390

Five minutes after transferring the files to hosts in the domain, the Nokoyawa ransomware binary was executed on a domain controller... The time to ransomware (TTR) was just over 12 hours from the initial infection.

MITRE ATT&CK

Nokoyawa in ATT&CK

5 distinct techniques

Reporting

Research mentioning Nokoyawa

Jun 17
Acronis

From emerging threat to top-tier ransomware-as-a-service: The evolution of INC ransomware

security researcher 3xp0rt mentioned that “salfetka” is linked to the aliases "rinc" and "farnetwork" which is tied to the Nokoyawa, JSWORM, Nefilim, Karma and Nemty ransomware operations.

Mar 6
Australian Acsc

INC Ransom Affiliate Model Enabling Targeting of Critical Networks | Cyber.gov.au

"...historical RaaS operations Nemty, Nemty X, Karma and Nokoyawa."

Sep 15
The Hacker News

⚡ Weekly Recap: Bootkit Malware, AI-Powered Attacks, Supply Chain Breaches, Zero-Days & More

In 2023, Group-IB also linked Tymoshchuk to JSWORM, Karma, Nokoyawa, and Nemty ransomware gangs.

Sep 10
Risky Biz Rss

Risky Bulletin: US charges major ransomware figure

Tymoshchuk appears to have also been involved with the JSWORM, Karma, Nemty, and Nokoyawa Ransomware-as-a-Service (RaaS) platforms.

Aug 28
Dfir Report

HTML Smuggling Leads to Domain Wide Ransomware - The DFIR Report

Five minutes after transferring the files to hosts in the domain, the Nokoyawa ransomware binary was executed on a domain controller... The time to ransomware (TTR) was just over 12 hours from the initial infection.

May 9
Microsoft General

Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself | Microsoft Security Blog

In May 2022, DEV-0237 started to routinely deploy Nokoyawa, a payload that we observed the group previously experimenting with when they weren’t using Hive.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.