{ "id": "bd836cc0-f24f-4978-a5f5-cf897bd8c677", "created_at": "2026-04-06T00:22:24.066202Z", "updated_at": "2026-04-10T03:24:24.610333Z", "deleted_at": null, "sha1_hash": "cd0c3792ff89b25020bdd4eadd1e85168b71f961", "title": "New Nokoyawa Ransomware Possibly Related to Hive", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 895045, "plain_text": "New Nokoyawa Ransomware Possibly Related to Hive\r\nPublished: 2022-03-09 · Archived: 2026-04-05 17:25:50 UTC\r\nHive, which is one of the more notable ransomware families of 2021, made waves in the latter half of the year after\r\nbreaching over 300 organizations in just four monthsnews article — allowing the group to earn what could potentially be\r\nmillions of US dollars in profit. In March 2022, we came across evidence that another, relatively unknown, ransomware\r\nknown as Nokoyawa is likely connected with Hive, as the two families share some striking similarities in their attack chain,\r\nfrom the tools used to the order in which they execute various steps. Currently, the majority of Nokoyawa’s targets are\r\nlocated in South America, primarily in Argentina.\r\nAttack chain similarities and differences\r\nSome of the indicators we’ve observed being shared by both Nokoyawa and Hive include the use of Cobalt Strike as part of\r\nthe arrival phase of the attack, as well as the use of legitimate, but commonly abusednews- cybercrime-and-digital-threats,\r\ntools such as the anti-rootkit scanners GMER and PC Hunter for defense evasion. Other steps, such as information gathering\r\nand lateral deployment, are also similar.\r\nThe operators of the Hive ransomware are known to use other tools — such as NirSoft and MalXMR miner — to enhance\r\ntheir attack capabilities depending on the victim environment. Based on our analysis, Nokoyawa also does the same thing\r\nbased on its victims. We’ve observed the ransomware leverage other tools such as. Mimikatz, Z0Miner, and Boxter\r\nWe also found evidence based on one of the IP addresses used by Nokoyawa that the two ransomware families share the\r\nsame infrastructure.\r\nAlthough we are not certain how Nokoyawa is delivered to its victims, given the similarities with Hive, it’s likely that it uses\r\nsimilar methods such as phishing emails for arrival.\r\nIndicator Hive Nokoyawa\r\nCobalt Strike (arrival) Yes Yes\r\nCoroxy malware (deployment of\r\nPowerShell commands and scripts)\r\nOther researchers have flagged this malware as being related\r\nto Hive, though we have not confirmed this ourselves\r\nYes\r\nGMER (defense evasion) Yes Yes\r\nPC Hunter (info gathering and defense\r\nevasion)\r\nYes Yes\r\nPowerShell Scripts (info gathering) Yes Yes\r\nPsExec (lateral deployment of\r\nRansomware)\r\nYes Yes\r\nFilename for Ransom Payload\r\n(xxx.exe)\r\nYes Yes\r\nTable 1. Similarities in the attack chain of Hive and Nokoyawa\r\nTaking each individual step into account, the similarities might not seem as apparent — for example, Cobalt Strike is a very\r\npopular post exploitation tool that has been used by other ransomware gangs — but when taking the whole picture into\r\nhttps://www.trendmicro.com/en_us/research/22/c/nokoyawa-ransomware-possibly-related-to-hive-.html\r\nPage 1 of 5\n\naccount, it’s clear to see that the two ransomware families are connected.\r\nDespite their similarities, the two ransomware families still have a few differences. For example, the majority of the Hive\r\nransomware variants that we have observed were packed using UPX, while the Nokoyawa sample we analyzed did not use\r\nany packer for the binary sample, leaving strings from the file bare and easy to analyze.\r\nFigure 1. A Hive variant packed using UPX compared to the Nokoyawa sample we analyzed\r\nAnother difference is in the compiler — Hive’s binary was compiled using GoLang script, while Nokoyawa uses another\r\nlanguage to compile its binary, again making it easier to disassemble and analyze.\r\nhttps://www.trendmicro.com/en_us/research/22/c/nokoyawa-ransomware-possibly-related-to-hive-.html\r\nPage 2 of 5\n\nFigure 2. Comparing the compilers of Hive (top) and Nokoyawa (bottom)\r\nThe third difference is in the encryption routine. Hive generates a random key to be used for the encryption process based on\r\nRTLGenRandom API, which will be initially saved in memory. This key is then used through what seems to be a custom\r\nencryption implementation to encrypt the files. The key is then also encrypted using RSA via GoLang’s implementation of\r\nRSA encryption, which it accomplishes using a list of public keys embedded in the binary and the saved as \u003crandom\u003e.key.\r\n\u003cextension\u003e on the encrypted drive. Finally, the generated key will be wiped from memory so that the encrypted key will be\r\nthe only copy of the key used for decryption.\r\nIn contrast, Nokoyawa  ransomware generates a random key to be used for the encryption process using the\r\nBCryptGenRandom API. Each value is created for each file. It uses a hardcoded nonce for the encryption, “lvcelcve” and\r\nSalsa to encrypt the files, which is generated for every file. Then, it will encrypt the key using ECDH key pair.\r\nWhat the information gathered implies is that the Hive ransomware’s operators have likely begun using another ransomware\r\nfamily — perhaps as a new Ransomware-as-a-Servicenews- cybercrime-and-digital-threats (RaaS) operation. It’s also\r\npossible that they are using the same infection chain as before, but with a different ransomware payload.\r\nhttps://www.trendmicro.com/en_us/research/22/c/nokoyawa-ransomware-possibly-related-to-hive-.html\r\nPage 3 of 5\n\nNote that we have not found any evidence that Nokoyawa has been using the double extortion technique — where the\r\nransomware operator threatens to release critical information on a leak site in addition to encoding files — unlike Hive,\r\nwhich has been found to be integrating it in its attacks.\r\nDefending against ransomware attacks\r\nRansomware is one of the most destructive malware types in the wild today due to its ability to compromise and leak critical\r\ndata. Therefore, organizations should ensure that their information is as safe as possible from ransomware attacks. These\r\nsecurity recommendations can help maximize their security implementation with relatively little costs:\r\nEnabling multifactor authentication can prevent malicious actors from compromising user accounts as part of their\r\ninfiltration process.\r\nUsers should be wary of opening unverified emails. Embedded links should never be clicked and attached files\r\nshould never be opened without the proper precautions and verification as these can kickstart the ransomware\r\ninstallation process.\r\nOrganizations should always adhere to the 3-2-1 rulenews article: Create three backup copies on two different file\r\nformats, with one of the backups in a separate location.\r\nPatching and updating software and other systems at the soonest possible time can minimize the chance of a\r\nsuccessful vulnerability exploitation that can lead down the road to a ransomware infection.\r\nOrganizations can better protect themselves from ransomware attacks if they implement multilayered security setups\r\nthat combine elements such as the automated detection of files and other indicators with constant monitoring for the\r\npresence of weaponized legitimate tools in their IT environment.\r\nCorrelating two different attacks, such as the one we’ve done in this blog entry with Hive and Nokoyawa, are made much\r\neasier with multilayered detection and response solutions such as Trend Micro Vision One™products, which is a purpose-built threat defense platform that provides added value and new benefits beyond extended detection and response (XDR)\r\nsolutions. This technology provides powerful XDR capabilities that collect and automatically correlate data across multiple\r\nsecurity layers — email, endpoints, servers, cloud workloads, and networks — to prevent attacks via automated protection\r\nwhile also ensuring that no significant incidents go unnoticed.\r\nIndicators of Compromise\r\nhxxp://185.150.117[.]186:80/asdfgsdhsdfgsdfg (Cobalt Strike download)\r\nMalware SHA256 Detection\r\nExploit\r\nAgent\r\na70729b3241154d81f2fff506e5434be0a0c381354a84317958327970a125507 Trojan.Win64.NEKTO.YACCAT\r\nCoroxy\r\nDropper\r\n2ef9a4f7d054b570ea6d6ae704602b57e27dee15f47c53decb16f1ed0d949187 Trojan.Win32.COROXY.SMYXBC\r\nCoroxy c170717a69847bb7b050832c55fcd2a214e9180c8cde5f86088bd4e5266e2fd9 Backdoor.Win64.COROXY.YACCA\r\nDataSpy a290ce75c6c6b37af077b72dc9c2c347a2eede4fafa6551387fa8469539409c7 TrojanSpy.PS1.DATASPY.B\r\nhttps://www.trendmicro.com/en_us/research/22/c/nokoyawa-ransomware-possibly-related-to-hive-.html\r\nPage 4 of 5\n\nNokoyawa e097cde0f76df948f039584045acfa6bd7ef863141560815d12c3c6e6452dce4 Ransom.Win64.NOKO.YACBL\r\nTags\r\nSource: https://www.trendmicro.com/en_us/research/22/c/nokoyawa-ransomware-possibly-related-to-hive-.html\r\nhttps://www.trendmicro.com/en_us/research/22/c/nokoyawa-ransomware-possibly-related-to-hive-.html\r\nPage 5 of 5", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://www.trendmicro.com/en_us/research/22/c/nokoyawa-ransomware-possibly-related-to-hive-.html" ], "report_names": [ "nokoyawa-ransomware-possibly-related-to-hive-.html" ], "threat_actors": [ { "id": "610a7295-3139-4f34-8cec-b3da40add480", "created_at": "2023-01-06T13:46:38.608142Z", "updated_at": "2026-04-10T02:00:03.03764Z", "deleted_at": null, "main_name": "Cobalt", "aliases": [ "Cobalt Group", "Cobalt Gang", "GOLD KINGSWOOD", "COBALT SPIDER", "G0080", "Mule Libra" ], "source_name": "MISPGALAXY:Cobalt", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434944, "ts_updated_at": 1775791464, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/cd0c3792ff89b25020bdd4eadd1e85168b71f961.pdf", "text": "https://archive.orkl.eu/cd0c3792ff89b25020bdd4eadd1e85168b71f961.txt", "img": "https://archive.orkl.eu/cd0c3792ff89b25020bdd4eadd1e85168b71f961.jpg" } }