Nokoyawa Ransomware Shares Similarities with the Hive Ransomware Gang

The Nokoyawa Ransomware is a newly identified file-locker that appears to share strong similarities with the Hive/HiveLocker Ransomware family. The latter's attack campaign has been a constant threat for companies around the world – over 300 new victims were infected in around four months. The Nokoyawa Ransomware first appeared in March 2022, and we are yet to see the full capabilities of its operators. However, it has already been confirmed that the malware uses a secure file-encryption mechanism, which cannot be deciphered via free tools.

Although Hive Ransomware's reach was rather astounding, the Nokoyawa Ransomware appears to be focused on a particular region – South America. In fact, the majority of the ransomware's victims were entities in Argentina. Just like the Hive project, the Nokoyawa Ransomware criminals also heavily rely on the Cobalt Strike beacon to gain more control over devices they infected, and then spread laterally.

High-profile ransomware attacks often involve the use of multiple payloads alongside the primary threat. In Nokoyawa Ransomware's case, the criminals also use malware such as Z0Miner, Mimikatz, and Boxter.

Just like other high-quality malware, the Nokoyawa Ransomware also uses two types of extortion. It warns users that their files can only be recovered by paying a ransom fee to acquire a decryptor from the attackers. In addition to this, the crooks also claim to have stolen files prior to encrypting them, and threaten to leak them online unless the victim pays up.

The best way to stay safe from the Nokoyawa Ransomware is to make sure that all software is up-to-date, and that you are using an up-to-date antivirus software suite at all times. In addition to this, maintaining up-to-date backup copies of your data is essential to staying safe from ransomware attacks.

March 11, 2022