Background
Trend Micro recently reported on Nokoyawa, a ransomware family they discovered earlier this month. They stated Nokoyawa seems to have a connection with Hive ransomware, based on similarities in the attack chains of the two malware families.
What is Nokoyawa Ransomware?
Earlier this month, Trend Micro discovered Nokoyawa, which they say has an attack chain resembling that of Hive. Trend Micro described Hive ransomware as one of the most notable of 2021, breaching over 300 organizations in a three-month span. At present, most Nokoyawa victims have primarily been in Argentina and other parts of South America. So far, researchers have not determined the initial infection vector used to deliver Nokoyawa.
Similarities between Nokoyawa and Hive include the use of Cobalt Strike, the use of legitimate tools like GMER and PC Hunter to evade detection, and the TTPs used for information gathering and lateral movement. Additionally, Hive and Nokoyawa share the same infrastructure. However, the malware families differ in several ways. First, Hive is usually packed using UPX, while Nokoyawa does not use a packer. Second, Hive was compiled using GoLang, while Nokoyawa uses a different language. Third, Nokoyawa does not use a double extortion tactic like Hive. Finally, a different encryption routine is used in each of the malware families. Hive uses the RTLGenRandom API to generate an encryption key, which is in turn encrypted using RSA. Nokoyawa uses the BCryptGenRandom API to generate a key. A value is created for each file, then it uses a hardcoded nonce for the encryption, “lvcelcve” and Salsa to encrypt the files. Finally, it uses an ECDH key pair to encrypt the key. Based on the similarities, Trend Micro notes it is possible Hive ransomware group is responsible for Nokoyawa.
IOCs
PolySwarm has multiple samples of Nokoyawa Ransomware.
2ef9a4f7d054b570ea6d6ae704602b57e27dee15f47c53decb16f1ed0d949187
a290ce75c6c6b37af077b72dc9c2c347a2eede4fafa6551387fa8469539409c7
a70729b3241154d81f2fff506e5434be0a0c381354a84317958327970a125507
c170717a69847bb7b050832c55fcd2a214e9180c8cde5f86088bd4e5266e2fd9
e097cde0f76df948f039584045acfa6bd7ef863141560815d12c3c6e6452dce4
You can use the following CLI command to search for all Nokoyawa Ransomware samples in our portal: $ polyswarm link list -f Nokoyawa
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports