Nokoyawa Ransomware Uncovered: Its Evolution and Impact | Intel 471 Skip to content

Nokoyawa Ransomware Uncovered: Its Evolution and Impact

May 24, 2023
Homepage Hero

What is Nokoyawa Ransomware?

The Nokoyawa Ransomware variant has been active since its discovery in February 2022, initially exploiting CVE-2023-28252, a privilege escalation vulnerability. The Nokoyawa variant has since evolved in its codebase, notably with a shift to the Rust programming language in September 2022. Initially, Nokoyawa Ransomware exhibited shared code with the Nemty and Karma ransomware families. Its later iteration in Rust showed similarities to the Hive ransomware family in terms of attack chain and tools utilized. The DFIR Report released in May 2023 shed light on threat actors leveraging IcedID for initial access, culminating in the deployment of the Nokoyawa variant in October 2022. The latest version, 1.1, has been deployed via WMI and PsExec, leading to a substantial ~$200,000 ransom in bitcoin.

Decoding the Nokoyawa Ransomware Campaign: How it Operates

Observations of Nokoyawa since early 2022 show its initial exploitation of CVE-2023-28252, a log file system privilege elevation vulnerability, for ransomware payload deployment. A DFIR report spotlighted a Q4 2022 incident involving Nokoyawa, which began with the loading of a malicious IcedID macro on the victim's machine. In this case, initial access was achieved via a malicious Microsoft Excel document delivered through a targeted email campaign. Notably, the campaign preyed on Microsoft Office installations that were out-of-date and did not block document-embedded macros. From initial access to ransomware execution with Nokoyawa, the total timeline spanned around 6 days.

Nokoyawa Deep Dive: A Technical Analysis

Post initial access, the IcedID DLL payload was downloaded and executed using a renamed rundll32 binary, copied and renamed to Calc.exe. The Nokoyawa Ransomware then established persistence by dropping files into the AppData roaming folder and creating a scheduled task set to execute every hour. Following this, IcedID loaded Cobalt Strike beacons, first executed with PowerShell. Soon after, privileges were escalated using the "GetSystem" feature within Cobalt Strike, allowing LSASS memory dumping. The reconnaissance phase followed, involving network scanning, network share browsing, and domain/group enumeration via commands on the Domain Controller, as well as active directory enumeration with tools such as "adget" and "AdFind". To proliferate and move laterally within the environment, the Nokoyawa Ransomware attackers utilized DLL files, WMI commands, and batch files. This paved the way for them to connect to a compromised server with RDP and stage the Nokoyawa Ransomware deployment via abuse of WMI and PsExec. Once access was secured, Nokoyawa was deployed to all domain-joined hosts and executed, resulting in the encryption of files and directories, appended with the ".AWAYOKON" file extension. The ransomware followed a traditional path, deleting volume shadow copies and dropping a ransom note in each directory where files were encrypted.