Severity
High
Analysis Summary
Nokoyawa is a new malware for Windows that first appeared this year. Researchers’ samples revealed coding similarities with Karma, another ransomware that traces its lineage to Nemty via a long string of variants. Researchers have discovered a new strain of the Nemty ransomware campaign that has been improving by reusing code from publicly available sources. Nokoyawa offers many command line options for customized executions:
- –help (Print the list of command line options)
- -network (Encrypt files on all drives and volumes for both local and networked)
- -file filePath (Encrypt a single file)
- -dir dirPath (Encrypt all files in specified directory and sub-directories)
Nokoyawa encrypts all local drives and volumes by default if no argument is provided. The “-help” parameter implies that the developers are not the same as the operators who distribute and execute the ransomware. A .NOKOYAWA extension is attached to files encrypted by ransomware. The ransom message is written into NOKOYAWA_readme.txt in each encrypted directory
Impact
- File Encryption
- Password Theft
Indicators of Compromise
MD5
- c159afb7d2111690326cad610776db34
- feb7b1e0161df136c3d385bfd2d4b247
SHA-256
- a32b7e40fc353fd2f13307d8bfe1c7c634c8c897b80e72a9872baa9a1da08c46
- 304e01db6da020fc1e0e02fdaccd60467a9e01579f246a8846dcfc33c1a959f8
SHA-1
- 228239d1bf7020ecdc4021f3c20a14041b210d78
- 93027bd81e608b3bd88a608fe3f6826c96656864
Remediation
Block all threat indicators at your respective controls.
Search for IOCs in your environment.