Nokoyawa Ransomware Group
| Actor Type | Criminal Group |
|---|---|
This intrusion set is responsible for the development of the Nokoyawa strain of ransomware. The ransomware has been observed in use against victims since at least February 2022.
Researchers at SentinelOne suggest that the intrusion set is also linked to Nemty ransomware and another strain known as Karma. Kaspersky notes that the ransomware lineage can be traced back further to JSWorm ransomware, which was discovered in April 2019.
In February 2023, Kaspersky analysts identified Nokoyawa being deployed by threat actors who exploited CVE-2023-28252, which at the time was a zero-day privilege escalation vulnerability in Windows.
Nokoyawa Ransomware Group Threat Reports
From OneNote to RansomNote: An Ice Cold Intrusion
This case report from The DFIR Report describes an intrusion which started with a malicious OneNote attachment. Opening the OneNote file led to ...
References
securelist.com
https://securelist.com/nokoyawa-ransomware-attacks-with-windows-zero-day/109483/
www.sentinelone.com
https://www.sentinelone.com/labs/nokoyawa-ransomware-new-karma-nemty-variant-wears-thin-disguise/
www.trendmicro.com
https://www.trendmicro.com/en_us/research/22/c/nokoyawa-ransomware-possibly-related-to-hive-.html
www.kaspersky.com
https://www.kaspersky.com/about/press-releases/2023_zero-day-in-microsoft-windows-used-in-nokoyawa-ransomware-attacks
securelist.com
https://securelist.com/evolution-of-jsworm-ransomware/102428/
thedfirreport.com
https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/
malpedia.caad.fkie.fraunhofer.de
https://malpedia.caad.fkie.fraunhofer.de/details/win.nokoyawa
MITRE ATT&CK Techniques
MITRE ATT&CK techniques observed in use by this intrusion set.