The PolySwarm Blog


Nokoyawa Ransomware

Mar 24, 2022 2:13:03 PM / by PolySwarm Tech Team



Trend Micro recently reported on Nokoyawa, a ransomware family it discovered earlier this month. Based on similarities in the two families' attack chains, Trend Micro assesses that Nokoyawa appears to be connected to Hive ransomware.

What is Nokoyawa Ransomware?

Earlier this month, Trend Micro discovered Nokoyawa, whose attack chain it says resembles that of Hive. Trend Micro described Hive as one of the most notable ransomware families of 2021, having breached over 300 organizations in a three-month span. At present, Nokoyawa victims have been located primarily in Argentina and elsewhere in South America. Researchers have not yet determined the initial infection vector used to deliver Nokoyawa.

Similarities between Nokoyawa and Hive include the use of Cobalt Strike, the use of legitimate tools such as GMER and PC Hunter to evade detection, and the TTPs used for information gathering and lateral movement. Additionally, Hive and Nokoyawa share the same infrastructure. The malware families differ in several ways, however. First, Hive is usually packed with UPX, while Nokoyawa does not use a packer. Second, Hive was written in Go, while Nokoyawa uses a different language. Third, Nokoyawa does not use a double extortion tactic as Hive does. Finally, each family uses a different encryption routine.

Hive uses the RtlGenRandom API to generate an encryption key, which is in turn encrypted with RSA. Nokoyawa uses the BCryptGenRandom API to generate a key: a value is created for each file, the file is encrypted with Salsa using the hardcoded nonce “lvcelcve”, and the key is then encrypted with an ECDH key pair. Based on these similarities, Trend Micro notes it is possible that the Hive ransomware group is responsible for Nokoyawa.
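The following static triage heuristic is an added example, not code from PolySwarm or Trend Micro. It scores a file against three traits the write-up attributes to Nokoyawa (a BCryptGenRandom import, the hardcoded nonce “lvcelcve”, and no UPX packing), assuming the nonce and import name are present as plain ASCII strings in an unpacked binary; the sample inputs are constructed stand-ins, not real malware.

```python
"""Score a binary against the Nokoyawa traits described in the write-up.

Added example (not PolySwarm's or Trend Micro's code). Assumes the Salsa
nonce and the BCryptGenRandom import name appear as plain ASCII in an
unpacked sample; UPX section/magic markers indicate packing (the Hive trait).
"""
from dataclasses import dataclass

NONCE = b"lvcelcve"                 # hardcoded Salsa nonce reported for Nokoyawa
KEYGEN_IMPORT = b"BCryptGenRandom"  # key-generation API reported for Nokoyawa
UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")  # section names / magic left by UPX


@dataclass(frozen=True)
class Verdict:
    has_bcrypt_import: bool
    has_nokoyawa_nonce: bool
    upx_packed: bool

    @property
    def score(self) -> int:
        # One point per trait matching the Nokoyawa profile; "not packed" counts,
        # since Hive is usually UPX-packed and Nokoyawa is not.
        return (int(self.has_bcrypt_import) + int(self.has_nokoyawa_nonce)
                + int(not self.upx_packed))

    @property
    def matches_nokoyawa_profile(self) -> bool:
        return self.score == 3


def triage(blob: bytes) -> Verdict:
    # Plain substring checks. BCryptGenRandom alone is a weak signal (legitimate
    # software uses it); the nonce string is the most specific of the three.
    return Verdict(
        has_bcrypt_import=KEYGEN_IMPORT in blob,
        has_nokoyawa_nonce=NONCE in blob,
        upx_packed=any(m in blob for m in UPX_MARKERS),
    )


# Constructed stand-ins for analysis input (not real samples).
UNPACKED_SUSPECT = b"MZ\x90\x00bcrypt.dll\x00BCryptGenRandom\x00" + b"\x00" * 16 + NONCE
UPX_PACKED_OTHER = b"MZ\x90\x00UPX0\x00UPX1\x00UPX!" + b"\x90" * 32
BENIGN_BCRYPT_USER = b"MZ\x90\x00bcrypt.dll\x00BCryptGenRandom\x00"

if __name__ == "__main__":
    samples = {"unpacked_suspect": UNPACKED_SUSPECT,
               "upx_packed_other": UPX_PACKED_OTHER,
               "benign_bcrypt_user": BENIGN_BCRYPT_USER}
    for name, blob in samples.items():
        v = triage(blob)
        print(f"{name}: score={v.score} profile_match={v.matches_nokoyawa_profile}")
```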


PolySwarm has multiple samples of Nokoyawa Ransomware.

You can use the following CLI command to search for all Nokoyawa Ransomware samples in our portal:

$ polyswarm link list -f Nokoyawa

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.



Topics: Threat Bulletin, Ransomware, Hive, Nokoyawa
