In recent months, a new ransomware family called Nokoyawa has been discovered and has become a considerable threat to businesses worldwide. Nokoyawa targets Windows operating systems and propagates through the network via remote execution protocols, which lets the ransomware impact a large number of systems with minimal exposure.
Nokoyawa encrypts files on infected systems and appends the “.nokoyawa” extension to their filenames. It then creates a ransom note named “HOW_TO_RECOVER_YOUR_FILES.html” in every encrypted directory, with instructions on how to pay the ransom to obtain the decryption key. The ransom note also serves as proof that the files were successfully encrypted.
Nokoyawa has multiple communication channels with its command-and-control infrastructure. The malware sends information about the infected system to the remote server, receives instructions from the server, and sends the necessary logs and user credentials back to it. In this way, the ransomware makes it almost impossible to track down the attacker’s location.
To identify the presence of Nokoyawa ransomware, we have observed the following indicators of compromise (IOCs) on infected systems:
- Network traffic to IP 220.127.116.11 on port 443
- Network traffic to IP 18.104.22.168 on port 80
- IOCs in PowerShell command lines, such as Base64-encoded strings, file paths, process names, and registry keys
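The following script is an added example of how a defender might turn the IOC list above into a simple log sweep; it is not code from the original article or from any vendor. The IP/port pairs, the “.nokoyawa” extension and the ransom note name are taken from the text; the flow-log and process-event line formats, the field names and the sample log lines are all constructed for this illustration. The example goes slightly beyond the text in one respect: when it finds a PowerShell encoded command it decodes the Base64/UTF-16LE payload so an analyst can see what was run.

```python
"""Sweep constructed log lines for the Nokoyawa indicators listed in the article.

Added example, not the article's own code. Log formats and field names below
are assumptions; the IOC values come from the article's list.
"""
import base64
import re
from dataclasses import dataclass

# IP/port pairs quoted in the article's IOC list.
NETWORK_IOCS = {("220.127.116.11", 443), ("18.104.22.168", 80)}

# File-system indicators quoted in the article.
FILE_IOCS = (".nokoyawa", "HOW_TO_RECOVER_YOUR_FILES.html")

# PowerShell's encoded-command switch (-e, -ec, -enc, -EncodedCommand) followed by a Base64 blob.
ENC_CMD_RE = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
# Fallback: any long Base64-looking run in a PowerShell command line.
BASE64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


@dataclass
class Finding:
    source: str   # "network", "powershell" or "file"
    detail: str
    line: str


def decode_b64_utf16(blob):
    """Decode a PowerShell -EncodedCommand payload (Base64 of UTF-16LE); None if it is not one."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def check_network(line):
    # Assumed flow-log format: "<ts> src=<ip>:<port> dst=<ip>:<port> proto=tcp"
    m = re.search(r"dst=(\d+\.\d+\.\d+\.\d+):(\d+)", line)
    if not m:
        return None
    dst = (m.group(1), int(m.group(2)))
    if dst in NETWORK_IOCS:
        return Finding("network", f"connection to listed C2 endpoint {dst[0]}:{dst[1]}", line)
    return None


def check_powershell(line):
    # Assumed process-event format with a CommandLine="..." field.
    if "powershell" not in line.lower():
        return None
    m = ENC_CMD_RE.search(line)
    if m:
        detail = "encoded PowerShell command"
        decoded = decode_b64_utf16(m.group(1))
        if decoded:
            detail += f": {decoded.strip()!r}"
        return Finding("powershell", detail, line)
    if BASE64_RUN_RE.search(line):
        return Finding("powershell", "long Base64 string in PowerShell command line", line)
    return None


def check_file(line):
    for ioc in FILE_IOCS:
        if ioc in line:
            return Finding("file", f"file indicator {ioc}", line)
    return None


def scan(lines):
    """Run every check over every line; one finding per line at most."""
    findings = []
    for line in lines:
        for check in (check_network, check_powershell, check_file):
            f = check(line)
            if f:
                findings.append(f)
                break
    return findings


# Constructed sample data: a benign payload stands in for whatever an attacker would encode.
ENCODED = base64.b64encode("Get-Process".encode("utf-16-le")).decode("ascii")
SAMPLE_LOGS = [
    "2024-01-01T10:00:00Z src=10.0.0.5:51234 dst=192.0.2.10:443 proto=tcp",
    "2024-01-01T10:00:01Z src=10.0.0.5:51235 dst=220.127.116.11:443 proto=tcp",
    "2024-01-01T10:00:02Z src=10.0.0.7:51236 dst=18.104.22.168:80 proto=tcp",
    "2024-01-01T10:00:03Z src=10.0.0.7:51237 dst=18.104.22.168:443 proto=tcp",
    f'2024-01-01T10:00:04Z host=WS01 CommandLine="powershell.exe -nop -w hidden -enc {ENCODED}"',
    '2024-01-01T10:00:05Z host=WS01 CommandLine="powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"',
    "2024-01-01T10:00:06Z host=WS01 FileCreate C:\\Users\\alice\\Documents\\HOW_TO_RECOVER_YOUR_FILES.html",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"[{f.source}] {f.detail}\n    {f.line}")
```

The network check deliberately matches the exact IP/port pairs as the article lists them, so the fourth sample line (the listed IP on a different port) is not flagged; in practice most teams would also alert on the bare IP and treat the port as context. The Base64 fallback is noisy on its own (signed scripts and long arguments also trigger it) and is best used to prioritise lines for review rather than as a standalone alert.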
Organizations can mitigate the risk of Nokoyawa by implementing proper security measures such as data backup and recovery systems, file and folder permission policies, email filters, and antivirus programs. Keeping systems and software up to date by applying security patches also helps prevent the spread of Nokoyawa ransomware.
In conclusion, Nokoyawa ransomware is a significant threat to businesses and organizations. Recognizing the IOCs and applying preventive measures can help organizations safeguard against this malicious software. Maintaining updated security standards and being vigilant about suspicious network activity are essential components of a proactive security strategy.