Nokoyawa Ransomware Group
Actor Type | Criminal Group |
---|---|
This intrusion set is responsible for the development of the Nokoyawa strain of ransomware. The ransomware has been observed in use against victims since at least February 2022.
Researchers at SentinelOne suggest that the intrusion set is also linked to Nemty ransomware and to another strain known as Karma. Kaspersky notes that the ransomware lineage can be traced back further, to JSWorm ransomware, which was discovered in April 2019.
In February 2023, Kaspersky analysts identified Nokoyawa being deployed by threat actors who exploited CVE-2023-28252, which at the time was a zero-day privilege escalation vulnerability in Windows.
Nokoyawa Ransomware Group Threat Reports
From OneNote to RansomNote: An Ice Cold Intrusion
This case report from The DFIR Report describes an intrusion which started with a malicious OneNote attachment. Opening the OneNote file led to ...
References
securelist.com
https://securelist.com/nokoyawa-ransomware-attacks-with-windows-zero-day/109483/
www.sentinelone.com
https://www.sentinelone.com/labs/nokoyawa-ransomware-new-karma-nemty-variant-wears-thin-disguise/
www.trendmicro.com
https://www.trendmicro.com/en_us/research/22/c/nokoyawa-ransomware-possibly-related-to-hive-.html
www.kaspersky.com
https://www.kaspersky.com/about/press-releases/2023_zero-day-in-microsoft-windows-used-in-nokoyawa-ransomware-attacks
thedfirreport.com
https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/
malpedia.caad.fkie.fraunhofer.de
https://malpedia.caad.fkie.fraunhofer.de/details/win.nokoyawa
securelist.com
https://securelist.com/evolution-of-jsworm-ransomware/102428/
MITRE ATT&CK Techniques
MITRE ATT&CK techniques observed in use by this intrusion set.
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1070 | Indicator Removal | Defense Evasion |
T1518.001 | Security Software Discovery | Discovery |
T1048 | Exfiltration Over Alternative Protocol | Exfiltration |
T1069.002 | Domain Groups | Discovery |
T1046 | Network Service Discovery | Discovery |
T1083 | File and Directory Discovery | Discovery |
T1059.001 | PowerShell | Execution |
T1071.001 | Web Protocols | Command and Control |
T1018 | Remote System Discovery | Discovery |
T1204.002 | Malicious File | Execution |
T1566 | Phishing | Initial Access |
T1059.003 | Windows Command Shell | Execution |
T1036.008 | Masquerade File Type | Defense Evasion |
T1039 | Data from Network Shared Drive | Collection |
T1482 | Domain Trust Discovery | Discovery |
T1552.001 | Credentials In Files | Credential Access |
T1218.010 | Regsvr32 | Defense Evasion |
T1021.001 | Remote Desktop Protocol | Lateral Movement |
T1003.001 | LSASS Memory | Credential Access |
T1218.011 | Rundll32 | Defense Evasion |
T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation |
T1105 | Ingress Tool Transfer | Command and Control |
T1055 | Process Injection | Defense Evasion, Privilege Escalation |
T1036 | Masquerading | Defense Evasion |
T1033 | System Owner/User Discovery | Discovery |
T1219 | Remote Access Software | Command and Control |
T1082 | System Information Discovery | Discovery |
T1486 | Data Encrypted for Impact | Impact |
T1543.003 | Windows Service | Persistence, Privilege Escalation |
T1057 | Process Discovery | Discovery |