{
	"id": "bc5fe114-ec01-4e94-bb33-a2cdd7ef98cb",
	"created_at": "2026-04-06T00:12:36.603542Z",
	"updated_at": "2026-04-10T03:24:29.083436Z",
	"deleted_at": null,
	"sha1_hash": "a2e74c4c155e25494af70f73eeaade265f776b94",
	"title": "Nevada Ransomware, Nokoyawa Variant | ThreatLabz",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 373109,
	"plain_text": "Nevada Ransomware, Nokoyawa Variant | ThreatLabz\r\nBy Brett Stone-Gross\r\nPublished: 2023-03-06 · Archived: 2026-04-05 17:16:13 UTC\r\nTechnical Analysis\r\nThreatLabz has identified at least four distinct versions of Nokoyawa ransomware. For clarity, we will use the version numbers 1.0, 1.1, 2.0 and 2.1 (Nevada) based on code similarities. Table 1 illustrates the similarities and differences between all four versions of Nokoyawa ransomware, including Nevada.\r\n\r\nAttribute | Nokoyawa 1.0 | Nokoyawa 1.1 | Nokoyawa 2.0 | Nokoyawa 2.1 (Nevada)\r\nEncryption algorithms | SECT233R1 + Salsa20 | SECT233R1 + Salsa20 | X25519 + Salsa20 | X25519 + Salsa20\r\nEncryption library | Tiny-ECDH | Tiny-ECDH | x25519_dalek | x25519_dalek\r\nProgramming language | C/C++ | C/C++ | Rust | Rust\r\nEncryption parameters | Hardcoded | Passed via command-line | Passed via command-line | Hardcoded\r\nImport hashing | No | Yes | No | No\r\nCIS exclusion | No | No | Yes | Yes\r\nArchitecture | x64 | x64 | x64 | x64\r\nEarliest known compilation date | February 2022 | January 2023 | September 2022 | January 2023\r\nTable 1. Comparison between different versions of Nokoyawa ransomware\r\nhttps://www.zscaler.com/blogs/security-research/nevada-ransomware-yet-another-nokoyawa-variant\r\nPage 1 of 5\r\n\r\nThere are a few commonalities between all Nokoyawa variants, such as being compiled only for 64-bit versions of Windows and using a relatively obscure method to delete Windows Shadow Copies. The latter entails calling the function DeviceIoControl (shown in Figure 1) with the undocumented control code IOCTL_VOLSNAP_SET_MAX_DIFF_AREA_SIZE (0x53C028) and a maximum size of 1, which causes Windows to delete all shadow copies.\r\nFigure 1. Nokoyawa/Nevada code to delete Windows Shadow Copies\r\nAll versions of Nokoyawa support the command-line parameters --file (to encrypt a single file) and --dir (to encrypt a directory). However, Nokoyawa 1.1 and 2.0 require a configuration, supplied via the --config command-line parameter, in order to execute. The configuration parameter is a Base64-encoded JSON object with the keys and values shown in Table 2.\r\n\r\nKey | Description\r\nNOTE_NAME | Ransom note filename\r\nNOTE_CONTENT | Ransom note content\r\nEXTENSION | Encrypted file extension (also used as the Salsa20 nonce)\r\nECC_PUBLIC | Curve25519 public key\r\nSKIP_EXTS | File extensions that will not be encrypted\r\nSKIP_DIRS | Directories that will not be encrypted\r\nENCRYPT_NETWORK | Encrypt network shares\r\nDELETE_SHADOW | Delete Windows shadow copies\r\nLOAD_HIDDEN_DRIVES | Unhide hidden drives and encrypt files\r\nTable 2. Nokoyawa 1.1 and Nokoyawa 2.0 ransomware configuration parameters\r\n\r\nNokoyawa 1.1 also has a --safe-mode command-line option to reboot the system into Windows safe mode prior to file encryption. Safe mode loads only a minimal set of applications, which minimizes the number of open file handles that may interfere with encryption and therefore maximizes the number of files that can be encrypted. In addition, Nokoyawa 1.1 is the only variant that obfuscates the Windows API functions called at runtime by resolving each name via a CRC32 hash.\r\nIn Nevada ransomware, the encryption parameters are hardcoded in the binary, but the other command-line options are virtually identical to Nokoyawa 1.1 and 2.0 (with the exception of a new feature to self-delete the ransomware binary after file encryption is complete). Nevada also supports a -help command-line argument, which prints the usage shown in Figure 2.\r\nFigure 2. Nevada ransomware command-line help\r\nIn order to reduce the risk of law enforcement actions, both Nokoyawa 2.0 and Nevada check whether the infected system is located in a former Commonwealth of Independent States (CIS) country. The former calls the Windows API GetSystemDefaultLCID and checks for language IDs between 1049-1092 or equal to 2073, and the latter calls GetUserDefaultUILanguage and checks for values between 1049-1090, to determine the system's locale and language, respectively. Some of these language IDs cover countries outside of the CIS, which may be to simplify the code by checking a range of values rather than individually checking each value.\r\nNokoyawa 1.0 and Nokoyawa 1.1 share about 39% of the same code, while Nokoyawa 2.0 and Nevada share more than 87% of the same code, according to BinDiff.\r\nDebug Print Statements\r\nAnother similarity between Nokoyawa 2.0 and Nevada is their debug print statements, which are very similar or identical. Figure 3 shows an example of a function that creates a thread and prints a debug statement to the console.\r\nFigure 3. Comparison of CreateThread function and debug print statements in Nokoyawa 2.0 (left) and Nevada (right)\r\nMany strings have also been slightly altered between Nokoyawa 2.0 and Nevada, as shown in Table 3.\r\n\r\nNokoyawa 2.0 | Nokoyawa 2.1 (Nevada)\r\nCIS lang detected! Stop working... | CIS. STOP!\r\nSuccessfully deleted shadow copies from | Shadow copies deleted from\r\nCouldn't create ransom note | Failed to create ransom note\r\nCouldn't seek file: | Failed to seek file:\r\nCouldn't read file: | Failed to read file:\r\nCouldn't write to file: | Failed to write file:\r\nCouldn't rename file | Failed to rename file\r\nTable 3. Comparison between debug print strings in Nokoyawa 2.0 (left) and Nevada (right)\r\n\r\nEncryption Algorithms\r\nNokoyawa 1.0 and 1.1 use the elliptic curve SECT233R1 (NIST B-233) via the Tiny-ECDH library to generate a per-file Salsa20 key. Nokoyawa 2.0 and Nevada use Curve25519 via the open source x25519_dalek Rust library to derive a Salsa20 encryption key per file. In Nokoyawa 1.1 and 2.0, the file extension (as described in Table 2) is used as the nonce. The original version of Nokoyawa and Nevada ransomware use the hardcoded nonce values lvcelvce and pmarpmar, respectively.\r\nSource: https://www.zscaler.com/blogs/security-research/nevada-ransomware-yet-another-nokoyawa-variant",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/nevada-ransomware-yet-another-nokoyawa-variant"
	],
	"report_names": [
		"nevada-ransomware-yet-another-nokoyawa-variant"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434356,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a2e74c4c155e25494af70f73eeaade265f776b94.pdf",
		"text": "https://archive.orkl.eu/a2e74c4c155e25494af70f73eeaade265f776b94.txt",
		"img": "https://archive.orkl.eu/a2e74c4c155e25494af70f73eeaade265f776b94.jpg"
	}
}