Nokoyawa Ransomware

Chris Swagler | March 11th, 2022


Recently, it was discovered that relatively unknown ransomware known as the Nokoyawa ransomware is possibly connected to Hive. One of the most well-known ransomware families of 2021, Hive ransomware, made waves in the second half of the year breaching over 300 companies in just four months bringing the group millions in profit. Researchers discovered the two families share significant similarities in their attack chain, from the tools utilized to the order in which various steps are executed. The majority of the Nokoyawa ransomware targets are currently in South America.

Nokoyawa Ransomware Possible Connection To Hive

Some of the indicators observed by a cybersecurity company being used by both Nokoyawa and Hive include utilizing Cobalt Strike for the arrival phase of the attack and deploying legitimate but often exploited tools like the anti-rootkit scanners GMER and PC Hunter for defense evasion. Information gathering and lateral deployment are also similar. Other tools including NirSoft and MalXMR miner are reportedly used by Hive ransomware operators to boost their attack capabilities depending on the victim environment. According to the cybersecurity company’s findings, the Nokoyawa ransomware uses the same tactics as its victims. They observed the ransomware employing various tools, including Mimikatz, Z0Miner, and Boxter. Additionally, they discovered evidence the two ransomware families share infrastructure based on one of Nokoyawa’s IP addresses. Even though they’re certain how Nokoyawa infects its victims, given its similarities to Hive, it’s likely that it uses similar delivery tactics like phishing emails.

Looking into each individual step, the connections may not be obvious; for example, Cobalt Strike is a popular post-exploitation tool preferred by numerous ransomware groups. However, when looking at the big picture, it’s evident that the two ransomware families are linked. According to the information acquired, Hive ransomware operators are likely to have switched to another ransomware family.

As new ransomware groups, including the Nokoyawa ransomware, emerge with possible connections to other prolific ransomware groups, it’s important for companies to always remain vigilant of the current threat landscape and regularly update their network security software. At SpearTip, our certified engineers specialize in incident response capabilities and handling breaches with one of the fastest response times in the industry. Our engineers are continuously monitoring companies’ networks at our 24/7/365 Security Operations Centers for potential ransomware threats like Nokoyawa and Hive. The best way for companies to remain ahead of current threats is by being proactive in their network security infrastructure and posture. ShadowSpear, our endpoint detection and response platform, is an excellent proactive tool and unparalleled resource that optimizes visibility and integrates with cloud, network, and endpoint devices providing an extra layer of network security in preventing ransomware threats.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.


Connect With Us

Featured Articles

Cybersecurity Health Checks
Cybersecurity Health Checks: Why Companies Need Them
22 April 2024
New Loop DoS Attack
New Loop DoS Attack Affecting Linux Systems
19 April 2024
Possible Cyberattack
Possible Cyberattack During 2024 Summer Olympics
15 April 2024
Tabletop Exercises
Tabletop Exercises: Transformative Impact on Companies
12 April 2024

See ShadowSpear in Action

Identify, neutralize, and counter cyberattacks - provide confidence in your security posture

Stay Connected With SpearTip

Inside the SOC Newsletter

View our articles that cover trending topics in cybersecurity with insights from our 24/7/365 Security Operations Center.

ShadowSpear Platform

Cybersecurity actors are working around the clock, shouldn’t your security team be too? Technology solutions and security controls fail for a number of reasons, poor deployment, improper implementation, or just no one monitoring the alerts.

ShadowSpear Demo

Experience ShadowSpear for yourself. Our lightweight, integrated solution will help you sleep easier at night and provide immediate confidence in your security posture.