Last month, Trend Micro suggested that Nokowaya ransomware bore some connection with Hive. The researchers had shared their outcome based on the similarities of tactics and techniques used by both ransomware. However, the research has taken a new turn as a group of other researchers shared new insight on the Nokowaya ransomware.


  • The previous research had highlighted similarities in the attack chain between Nokoyawa and Hive ransomware. 
  • Some of the indicators shared by both the ransomware included the use of Cobalt Strike, as well as other legitimate tools such as anti-rootkit scanners for defense evasion. 
  • Overlaps in other tactics such as information gathering and lateral deployment were, furthermore, observed. 

New findings differ from the previous

  • Researchers from SentinelLabs claimed that Nokoyawa is clearly a variant of Nemty (Karma) ransomware. 
  • Both Nokoyawa and Karma manage multi-threaded encryption by creating an I/O completion port to establish communications between the thread responsible for the enumeration of files. 
  • In both cases, public keys for the encryption and ransom notes are encoded with Base64. 
  • However, there are no significant similarities between the ransom notes, except the use of email for contact points. 


Ransomware is one of the most destructive malware types in the world due to its ability to compromise and leak critical data. As ransomware families continue to evolve and expand their capabilities, organizations should ensure that their information is as safe as possible. 

Cyware Publisher