NOKOYAWA: ANALYSIS OF THE RE-EMERGED RANSOMWARE GROUP

The Nokoyawa ransomware group has re-emerged on the Dark Web with a new list of victims and some peculiar behavior.

Here’s what we’ve discovered so far.
It’s not a new ransomware group
The Nokoyawa ransomware group is not new to the cybercrime scene: it first gained attention following a March 2022 report by Trend Micro, in which the cybersecurity firm linked its operation to the Hive ransomware family.
At the time, Nokoyawa showed similarities to Hive in both attack patterns and tooling.
There are connections with another group
This time the group shows an interesting connection with Snatch, another cybercrime group.
Indeed, of the 26 victims named on Nokoyawa's DLS (data leak site), 6 were also targeted by Snatch and appear among its victims:
- Gaston College
- MSX International
- City of Modesto
- Canadian Nurses Association
- Chattanooga State Community College
- Liveaction
According to The Cyber Express (Cyble), this may not be a coincidence but rather the sign of a collaboration agreement.
In any case, it is a reminder that criminal organizations increasingly collaborate with one another to maximize the results of their operations.
They were probably relying on a 0-day
Analysis of the Nokoyawa malware strain shows that the ransomware targets 64-bit Windows systems and is used in double extortion attacks.
According to Kaspersky, the group exploited what was, at the time, a zero-day vulnerability in Microsoft Windows to deploy the ransomware.
The vulnerability, identified as CVE-2023-28252, is an elevation-of-privilege flaw in the Windows Common Log File System (CLFS) driver; Microsoft promptly patched it in its April 2023 security updates.
The victims belong to several categories
Analysing Nokoyawa's victims, we found that they belong to 12 main categories:
- Education
- Organizations
- Professional / Scientific / Technical
- ICT
- Transportation / Storage
- Gov / Mil / LE
- Construction
- Healthcare
- Manufacturing
- Wholesale / Retail
- Energy / Utilities
- Financial / Insurance

Education (19% of total attacks), Organizations, Professional / Scientific / Technical and ICT (11% each) are the most targeted categories.
Most of the victims are in the Americas
Most of the victims (61%) are in the Americas, while 23% are in Europe.

The other continents affected by Nokoyawa's attacks are Oceania (8% of attacks), Africa and Asia (4% each).
The US is the country most targeted by the group (54% of total attacks).

Other affected countries are:
- UK
- Australia
- France
- Philippines
- Romania
- Morocco
- Canada
- Brazil
- Germany
They’re speeding up
We detected 26 Nokoyawa victims in 2023, an average of 5.2 per month.

The attacks started quietly in the first months of the year and grew sharply in May, a month for which we have already recorded 11 attacks by the group.

Ultimately, Nokoyawa appears to be a particularly dangerous ransomware group.
On the one hand, the group has clearly demonstrated that it can count on several criminal associations that appear to have worked to its advantage.
On the other hand, Nokoyawa's double extortion operations seem to be accelerating.
Our recommendation in this case is to keep information systems updated and secured, especially Windows-based ones.
Stay Cyber Safe!