Ransomware operators have started recycling code from publicly available sources. A new Nokoyawa ransomware campaign shows the strain being extended in exactly this way.

Diving into details

  • The Nokoyawa ransomware first came to light in February 2022.
  • Its code shares similarities with the Karma ransomware, which itself traces back to Nemty.
  • Samples from April added three new features, each of which increases the number of files the ransomware can reach and encrypt.
  • These capabilities were already present in other recent ransomware families, so Nokoyawa was catching up rather than innovating.
  • Most of the added code was copied verbatim from public sources, including the leaked Babuk source code.

Nokoyawa and other ransomware

  • In a March report, Trend Micro suggested that Nokoyawa and Hive ransomware are connected.
  • The researchers based this on shared tooling: both use Cobalt Strike and the same anti-rootkit utilities.
  • Overlaps in information gathering and lateral deployment were also observed.
  • The two families were also seen using the same infrastructure.
  • However, an April report by SentinelLabs found that Nokoyawa descends from Nemty and has no connection with Hive.
  • Both Nemty (Karma) and Nokoyawa use multi-threaded encryption.
  • In both families, the public key used for encryption and embedded in the ransom note is Base64-encoded.
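As an added illustration, and not code from the article or from any of the researchers it cites, here is a small Python triage helper that pulls Base64-encoded blobs out of ransom notes, strictly decodes them, and reports which notes carry the same key. Comparing embedded keys and other note artefacts across samples is one of the checks behind family-overlap claims like the ones above. The note texts and key bytes are constructed placeholders, not real Nokoyawa or Karma material; the decoded length is only a hint about what kind of key a blob might be.

```python
import base64
import binascii
import hashlib
import re
from typing import Dict, List

# Constructed ransom-note texts (placeholders, not real Nokoyawa/Karma notes).
# The "keys" are 32 placeholder bytes; sample_a and sample_b deliberately share one.
_KEY_1 = base64.b64encode(bytes(range(0, 32))).decode()
_KEY_2 = base64.b64encode(bytes(range(32, 64))).decode()

SAMPLE_NOTES: Dict[str, str] = {
    "sample_a": (
        "Your files have been encrypted.\n"
        "Victim ID: 7f3a\n"
        f"Public key: {_KEY_1}\n"
        "Contact us using the address in this note.\n"
    ),
    "sample_b": (
        "All your data is locked.\n"
        f"KEY {_KEY_1}\n"
        "Do not try to restore files yourself.\n"
    ),
    "sample_c": (
        "Your network is compromised.\n"
        f"Key: {_KEY_2}\n"
    ),
}


def extract_base64_blobs(note: str, min_len: int = 16) -> List[dict]:
    """Return every strictly valid Base64 token of at least min_len characters
    found in `note`, with its decoded size and a SHA-256 of the decoded bytes."""
    # Runs of Base64 alphabet characters with optional '=' padding.
    pattern = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % min_len)
    found: List[dict] = []
    for token in pattern.findall(note):
        try:
            # validate=True rejects non-alphabet characters; bad length or
            # padding raises binascii.Error, so ordinary words are filtered out.
            raw = base64.b64decode(token, validate=True)
        except binascii.Error:
            continue
        found.append({
            "token": token,
            "decoded_len": len(raw),
            "sha256": hashlib.sha256(raw).hexdigest(),
        })
    return found


def shared_keys(notes: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each decoded-blob digest to the samples it appears in, keeping only
    digests seen in more than one sample (the overlap an analyst cares about)."""
    seen: Dict[str, List[str]] = {}
    for name, text in notes.items():
        for blob in extract_base64_blobs(text):
            names = seen.setdefault(blob["sha256"], [])
            if name not in names:
                names.append(name)
    return {digest: names for digest, names in seen.items() if len(names) > 1}


if __name__ == "__main__":
    for name, text in SAMPLE_NOTES.items():
        for blob in extract_base64_blobs(text):
            print(f"{name}: {blob['decoded_len']}-byte blob {blob['sha256'][:16]}...")
    for digest, names in shared_keys(SAMPLE_NOTES).items():
        print(f"shared key {digest[:16]}... appears in {', '.join(names)}")
```

Run it against a directory of collected notes by loading each file into the dictionary in place of the constructed samples; a key that repeats across notes attributed to different families is a strong overlap signal, while a 32-byte or 256-byte decoded length narrows down the likely asymmetric scheme without assuming one.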

Stronger and faster

  • Nokoyawa's code recycling shows that threat actors can now move faster with minimal development effort.
  • Nokoyawa is not alone; several other ransomware strains have adopted the same approach.
  • BlackCat (ALPHV) is widely assessed to be a rebranding of BlackMatter, which in turn was a rebranding of DarkSide.
  • AstraLocker is another ransomware built on the Babuk source code; even its campaign markers match Babuk's.

The bottom line

In the ransomware landscape, old is suddenly new again. Recycling code gives attackers better efficiency at lower cost. An in-depth understanding of the threat landscape is therefore a necessity, along with proper cyber hygiene training, to mitigate such threats. Organizations can strengthen their security posture by building both into their cybersecurity strategy.
Cyware Publisher