{
	"id": "abfdfad5-7eac-44d3-9c9d-74293b8c6a12",
	"created_at": "2026-04-06T00:07:17.305605Z",
	"updated_at": "2026-04-10T03:31:40.44247Z",
	"deleted_at": null,
	"sha1_hash": "028ced761122d820e110057aed43bc0e30535762",
	"title": "Nokoyawa Ransomware: Rust or Bust | Zscaler",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 840219,
	"plain_text": "Nokoyawa Ransomware: Rust or Bust | Zscaler\r\nBy Brett Stone-Gross\r\nPublished: 2022-12-20 · Archived: 2026-04-05 20:57:47 UTC\r\nKey Points\r\nNokoyawa is a 64-bit Windows-based ransomware family that emerged in February 2022\r\nThe threat group behind Nokoyawa performs double extortion ransomware attacks: exfiltrating sensitive information from organizations, followed by file encryption and a ransom payment demand\r\nNokoyawa was initially written in the C programming language using Elliptic Curve Cryptography (ECC) with SECT233R1 and Salsa20 for file encryption\r\nIn September 2022, Nokoyawa was rewritten in the Rust programming language using ECC with Curve25519 and Salsa20 for file encryption\r\nThe Rust-based Nokoyawa ransomware 2.0 provides threat actors with runtime flexibility via a configuration parameter that is passed via the command line\r\nNokoyawa ransomware was discovered in February 2022, sharing code with another ransomware family known as Karma. Nokoyawa ransomware’s lineage can further be traced back to Nemty ransomware. The original version of Nokoyawa ransomware was written in the C programming language, and file encryption utilized asymmetric Elliptic Curve Cryptography (ECC) with Curve SECT233R1 (a.k.a. NIST B-233) using the Tiny-ECDH open source library combined with a per-file Salsa20 symmetric key. Nokoyawa ransomware 2.0 still uses Salsa20 for symmetric encryption, but the elliptic curve was replaced with Curve25519.\r\nNokoyawa 2.0 was developed using the Rust programming language and appears to have been created in late September 2022. Nokoyawa is not the first ransomware family to be rewritten in Rust. Previously, the developers of the ransomware families Hive and Agenda/Qilin ported their code from the Go (a.k.a. Golang) programming language to Rust. In addition, the author of RansomExx converted the ransomware code from C++ to Rust. Another ransomware family compiled in Rust is BlackCat/ALPHV. The increase in the popularity of the Rust programming language may be due to its emphasis on performance and concurrency, which can make a ransomware’s file encryption more efficient. Similar to the previous version of Nokoyawa, the Rust variant is compiled only for 64-bit versions of Windows.\r\nThis blog provides a technical analysis of Nokoyawa 2.0, including its new configuration, encryption algorithms, and data leak site.\r\nTechnical Analysis\r\nNokoyawa 2.0 cannot be executed without providing the required command-line arguments. When run without arguments, Nokoyawa will print the help message shown in Figure 1.\r\nhttps://www.zscaler.com/blogs/security-research/nokoyawa-ransomware-rust-or-bust\r\nPage 1 of 7\r\nFigure 1. Nokoyawa 2.0 ransomware command-line help\r\nThe command-line arguments --file (to encrypt a single file) and --dir (to encrypt a directory) are identical to the previous version of Nokoyawa. However, Nokoyawa 2.0 requires a configuration file to execute the ransomware via the --config command-line argument. The configuration parameter is a Base64 encoded JSON object that has the keys and values shown in Table 1.\r\nKey | Value Format | Description\r\nNOTE_NAME | (will be appended with .txt) | Ransom note filename\r\nNOTE_CONTENT | Base64 encoded text | Ransom note content\r\nEXTENSION | (without a period) | Encrypted file extension (also used as the Salsa20 nonce)\r\nECC_PUBLIC | Base64 encoded binary data | Curve25519 public key\r\nSKIP_EXTS | JSON array | File extensions that will not be encrypted\r\nSKIP_DIRS | JSON array | Directories that will not be encrypted\r\nTable 1. Nokoyawa 2.0 configuration parameters\r\nThe decision by the Nokoyawa malware author to pass a full configuration file via the command line is a unique design choice. This indicates that the malware author has developed the ransomware to be flexible for multiple threat actors, who are likely paid as affiliates to compromise organizations and deploy the ransomware in return for a percentage of the profit.\r\nEncryption Algorithms\r\nNokoyawa 2.0 uses Curve25519 (via the open source x25519_dalek Rust library) for asymmetric encryption and Salsa20 for symmetric encryption. Nokoyawa first generates an ephemeral Curve25519 key pair. The ephemeral private key is used to generate a shared secret using a Diffie-Hellman key exchange with the Curve25519 public key that was passed via the config command-line parameter. The result is used as the Salsa20 key, and the file extension is used as the nonce, which must be 8 bytes (as described in Table 1). Figure 2 shows an example file encrypted by Nokoyawa 2.0.\r\nFigure 2. Nokoyawa 2.0 encrypted file content and footer\r\nAs shown in Figure 2, the 32-byte ephemeral public key (blue) and the 8-byte nonce (red) are appended as a 40-byte footer at the end of the encrypted file. Similar to most ransomware families, Nokoyawa encrypts the file in chunks based on the file's size. If the file's size is less than or equal to 0x80000 (524,288) bytes, the full file will be encrypted. Otherwise, the code implements an algorithm that determines the number of blocks and the block offsets to encrypt in the file. Each block will be encrypted in chunks of 0x80000 bytes (yellow) followed by blocks of unencrypted bytes (green), as highlighted in Figure 2. Since Nokoyawa only partially encrypts files larger than 0x80000 bytes, encryption is very fast.\r\nThreatLabz has developed a proof-of-concept tool to decrypt files encrypted by Nokoyawa 2.0 if the Curve25519 private key is accessible. This decryption tool is available in our GitHub tools repository here.\r\nRansom Note\r\nAs previously mentioned in Table 1, the Nokoyawa ransom note filename and content are passed via the configuration command-line parameter. An example Nokoyawa ransom note is shown in Figure 3.\r\nFigure 3. Nokoyawa ransom note\r\nRansom Portal\r\nNokoyawa ransom notes contain a link to a TOR hidden service, as shown in Figure 4.\r\nFigure 4. Nokoyawa ransom chat portal\r\nThe same TOR hidden service also hosts a data leak site. Currently, only one victim is listed on the site, as shown in Figure 5. This may suggest that Nokoyawa is not currently compromising a large number of organizations, or that the threat actors may only perform double extortion for a subset of victims.\r\nFigure 5. Nokoyawa leak site\r\nConclusion\r\nThe Nokoyawa threat actor continues to update the ransomware and launch new attacks. The development of Nokoyawa 2.0 using the Rust programming language is likely designed to improve file encryption speed and to better evade antivirus and EDR products. The group has long claimed to perform double extortion attacks without offering much proof, until now.\r\nCloud Sandbox Detection\r\nIn addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators related to Nokoyawa at various levels with the following threat names:\r\nWin64.Ransom.NOKOYAWA\r\nIndicators of Compromise\r\nSHA256 | Description\r\n7095beafff5837070a89407c1bf3c6acf8221ed786e0697f6c578d4c3de0efd6 | Nokoyawa ransomware Rust sample\r\n47c00ac29bbaee921496ef957adaf5f8b031121ef0607937b003b6ab2a895a12 | Nokoyawa ransomware Rust sample\r\n259f9ec10642442667a40bf78f03af2fc6d653443cce7062636eb750331657c4 | Nokoyawa ransomware Rust sample\r\nSource: https://www.zscaler.com/blogs/security-research/nokoyawa-ransomware-rust-or-bust",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/nokoyawa-ransomware-rust-or-bust"
	],
	"report_names": [
		"nokoyawa-ransomware-rust-or-bust"
	],
	"threat_actors": [
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "20c759c2-cd02-45bb-85c6-41bde9e6a7cf",
			"created_at": "2024-01-18T02:02:34.189827Z",
			"updated_at": "2026-04-10T02:00:04.721082Z",
			"deleted_at": null,
			"main_name": "HomeLand Justice",
			"aliases": [
				"Banished Kitten",
				"Karma",
				"Red Sandstorm",
				"Storm-0842",
				"Void Manticore"
			],
			"source_name": "ETDA:HomeLand Justice",
			"tools": [
				"BABYWIPER",
				"BiBi Wiper",
				"BiBi-Linux Wiper",
				"BiBi-Windows Wiper",
				"Cl Wiper",
				"LowEraser",
				"No-Justice Wiper",
				"Plink",
				"PuTTY Link",
				"RevSocks",
				"W2K Res Kit"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434037,
	"ts_updated_at": 1775791900,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/028ced761122d820e110057aed43bc0e30535762.pdf",
		"text": "https://archive.orkl.eu/028ced761122d820e110057aed43bc0e30535762.txt",
		"img": "https://archive.orkl.eu/028ced761122d820e110057aed43bc0e30535762.jpg"
	}
}