{"id":45635,"date":"2022-03-09T00:00:00","date_gmt":"2022-03-09T00:00:00","guid":{"rendered":"urn:uuid:5f78002a-1a87-3cb6-8b79-29e7ac18eeaa"},"modified":"2022-03-09T00:00:00","modified_gmt":"2022-03-09T00:00:00","slug":"new-nokoyawa-ransomware-possibly-related-to-hive","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/new-nokoyawa-ransomware-possibly-related-to-hive\/","title":{"rendered":"New Nokoyawa Ransomware Possibly Related to Hive"},"content":{"rendered":"

<\/p>\n

<\/div>\n

Hive, which is one of the more notable ransomware families<\/a> of 2021, made waves in the latter half of the year after breaching over 300 organizations in just four months<\/a> \u2014 allowing the group to earn what could potentially be millions of US dollars in profit. In March 2022, we came across evidence that another, relatively unknown, ransomware known as Nokoyawa is likely connected with Hive, as the two families share some striking similarities in their attack chain, from the tools used to the order in which they execute various steps. Currently, the majority of Nokoyawa\u2019s targets are located in South America, primarily in Argentina.<\/p>\n

Some of the indicators we\u2019ve observed being shared by both Nokoyawa and Hive include the use of Cobalt Strike<\/a> as part of the arrival phase of the attack, as well as the use of legitimate, but commonly abused, tools such as the anti-rootkit scanners GMER and PC Hunter for defense evasion. Other steps, such as information gathering and lateral deployment, are also similar.<\/p>\n

The operators of the Hive ransomware are known to use other tools \u2014 such as NirSoft and MalXMR miner \u2014 to enhance their attack capabilities depending on the victim environment. Based on our analysis, Nokoyawa also does the same thing based on its victims. We\u2019ve observed the ransomware leverage other tools such as. Mimikatz, Z0Miner, and Boxter<\/p>\n

We also found evidence based on one of the IP addresses used by Nokoyawa that the two ransomware families share the same infrastructure.<\/p>\n

Although we are not certain how Nokoyawa is delivered to its victims, given the similarities with Hive, it\u2019s likely that it uses similar methods such as phishing emails<\/a> for arrival.<\/p>\n\n\n\n\n\n\n\n\n\n\n
\n

Indicator<\/b><\/p>\n<\/td>\n

\n

Hive<\/b><\/p>\n<\/td>\n

\n

Nokoyawa<\/b><\/p>\n<\/td>\n<\/tr>\n

\n

Cobalt Strike (arrival)<\/p>\n<\/td>\n

\n

Yes<\/p>\n<\/td>\n

\n

Yes<\/p>\n<\/td>\n<\/tr>\n

\n

Coroxy malware (deployment of PowerShell commands and scripts)<\/p>\n<\/td>\n

\n

Other researchers have flagged this malware as being related to Hive<\/a>, though we have not confirmed this ourselves<\/p>\n<\/td>\n

\n

Yes<\/p>\n<\/td>\n<\/tr>\n

\n

GMER (defense evasion)<\/p>\n<\/td>\n

\n

Yes<\/p>\n<\/td>\n

\n

Yes<\/p>\n<\/td>\n<\/tr>\n

\n

PC Hunter (info gathering and defense evasion)<\/p>\n<\/td>\n

\n

Yes<\/p>\n<\/td>\n

\n

Yes<\/p>\n<\/td>\n<\/tr>\n

\n

PowerShell Scripts (info gathering)<\/p>\n<\/td>\n

\n

Yes<\/p>\n<\/td>\n

\n

Yes<\/p>\n<\/td>\n<\/tr>\n

\n

PsExec (lateral deployment of Ransomware)<\/p>\n<\/td>\n

\n

Yes<\/p>\n<\/td>\n

\n

Yes<\/p>\n<\/td>\n<\/tr>\n

\n

Filename for Ransom Payload (xxx.exe)<\/p>\n<\/td>\n

\n

Yes<\/p>\n<\/td>\n

\n

Yes<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Table 1. Similarities in the attack chain of Hive and Nokoyawa<\/h5>\n

Taking each individual step into account, the similarities might not seem as apparent \u2014 for example, Cobalt Strike is a very popular post exploitation tool that has been used by other ransomware gangs \u2014 but when taking the whole picture into account, it\u2019s clear to see that the two ransomware families are connected. What the information gathered implies is that it\u2019s likely that the Hive ransomware\u2019s operators have begun using another ransomware family.<\/p>\n

Note that we have not found any evidence that Nokoyawa has been using the double extortion technique \u2014 where the ransomware operator threatens to release critical information on a leak site in addition to encoding files \u2014 unlike Hive, which has been found to be integrating it in its attacks.<\/p>\n

Ransomware is one of the most destructive malware types in the wild today due to its ability to compromise and leak critical data. Therefore, organizations should ensure that their information is as safe as possible from ransomware attacks. These security recommendations can help maximize their security implementation with relatively little costs:<\/p>\n