{
	"id": "8243189f-6689-41c4-9689-4e2cd8bbd18d",
	"created_at": "2026-04-06T00:21:29.819048Z",
	"updated_at": "2026-04-10T13:13:09.560047Z",
	"deleted_at": null,
	"sha1_hash": "d6bf61669ae315f36644ae8194e51e3fcd6d7a7c",
	"title": "Nokoyawa Ransomware | New Karma/Nemty Variant Wears Thin Disguise",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1375586,
	"plain_text": "Nokoyawa Ransomware | New Karma/Nemty Variant Wears Thin Disguise\r\nBy Antonis Terefos\r\nPublished: 2022-04-21 · Archived: 2026-04-05 18:14:37 UTC\r\nExecutive Summary\r\nAt the beginning of February 2022, SentinelLabs observed two samples of a new Nemty variant dubbed “Nokoyawa” (sample 1, 2).\r\nSentinelLabs considers Nokoyawa to be an evolution of the previous Nemty strain, Karma.\r\nThe developers have attempted to enhance the code responsible for excluding folders from encryption, but SentinelLabs analysis finds that the algorithm contains logical flaws.\r\nIn March, TrendMicro suggested this ransomware bore some relation to Hive. We assess that Hive and Nokoyawa are different and that the latter is not a rebrand of Hive RaaS.\r\nOverview\r\nIn this post, we take a broader look at the similarities between Nokoyawa and Karma ransomware. Previous researchers have highlighted similarities in the attack chain between Nokoyawa and Hive ransomware, concluding that “Nokoyawa is likely connected with Hive, as the two families share some striking similarities in their attack chain, from the tools used to the order in which they execute various steps.” Our analysis contradicts that finding, and we assess Nokoyawa is clearly an evolution of Karma (Nemty), bearing no major code similarities to Hive.\r\nNokoyawa and Karma Variant Similarities\r\nBoth Nokoyawa and Karma variants manage multi-threaded encryption by creating an input/output (I/O) completion port (CreateIoCompletionPort), which allows communication between the thread responsible for the enumeration of files and the sub-threads (“2 * NumberOfProcessors”) responsible for the file encryption.\r\nhttps://www.sentinelone.com/labs/nokoyawa-ransomware-new-karma-nemty-variant-wears-thin-disguise/\r\nPage 1 of 8\n\nNokoyawa (left) vs Karma, initialization of encryption threads\r\nIn both cases, the public key used for encryption and the ransom note are encoded with Base64.\r\nLike Karma, Nokoyawa accepts different command line parameters, although in the latter they are documented by the developer via a -help command.\r\nNokoyawa command line support\r\nAside from the -help command, three other commands (-network, -file, and -dir) are also provided.\r\nParameter | Functionality\r\n-help | Prints command line options for execution of the ransomware.\r\n-network | Encrypts local and network shares.\r\n-file | Encrypts the specified file.\r\n-dir | Encrypts the specified directory.\r\nIf the ransomware is executed without any parameter, it encrypts the machine without enumerating and encrypting network resources.\r\nOne new parameter not observed in the Karma version is -network, which is responsible for encrypting network shares. Network enumeration is achieved by calling WNetOpenEnumW, WNetEnumResourceW, and WNetCloseEnum.\r\nThere are no significant similarities between the ransom notes except the use of email for contact points. Karma variants contained an .onion link, which was also present in the Karma ransom note. 
We did not find any .onion links in Nokoyawa code or ransom note.\r\nThe Nokoyawa ransom note:\r\nDear usernamme, your files were encrypted, some are compromised.\r\nBe sure, you can't restore it without our help.\r\nYou need a private key that only we have.\r\nContact us to reach an agreement or we will leak your black shit to media:\r\ncharlefletcher@onionmail.org\r\nJohnatannielson@protonmail.com\r\n亲爱的用户名，您的文件已加密，有些已被泄露。\r\n请确保，如果没有我们的帮助，您将无法恢复它。\r\n您需要一个只有我们拥有的私钥。\r\n联系我们以达成协议，否则我们会将您的黑屎泄露给媒体：\r\ncharlefletcher@onionmail.org\r\nJohnatannielson@protonmail.com\r\nThe Karma ransom note:\r\nYour network has been breached by Karma ransomware group.\r\nWe have extracted valuable or sensitive data from your network and encrypted the data on your systems\r\nDecryption is only possible with a private key that only we posses.\r\nOur group's only aim is to financially benefit from our brief acquaintance,this is a guarantee that w\r\nScamming is just bad for business in this line of work.\r\nContact us to negotiate the terms of reversing the damage we have done and deleting the data we have\r\nWe advise you not to use any data recovery tools without leaving copies of the initial encrypted file\r\nYou are risking irreversibly damaging the file by doing this.\r\nIf we are not contacted or if we do not reach an agreement we will leak your data to journalists and\r\nhttp:\r\nIf a ransom is payed we will provide the decryption key and proof that we deleted you data.\r\nWhen you contact us we will provide you proof that we can decrypt your files and that we have downloa\r\nHow to contact us:\r\nJordanKelly@onionmail.org\r\ntommyshanahan@tutanota.com\r\nrichardwafflespencer1982@protonmail.com\r\nThe ransom note filename uses a similar format to the previous versions: \u003cransom_extension\u003e_\u003cnote_name\u003e.txt.\r\nField | Nokoyawa | Karma\r\nransom_extension | “NOKOYAWA” | “KARMA” \u0026 “KARMA_V2”\r\nnote_name | “_readme.txt” | “-ENCRYPTED.txt”\r\nThe \u003cransom_extension\u003e string has been used for many different functions, including:\r\n- file extension of encrypted files\r\n- appended as data to an encrypted file\r\n- ransom note filename part\r\n- mutex (the NOKOYAWA variant is observed not to make use of mutexes)\r\n- to denote files to be excluded from further processing (e.g., to avoid running in a loop)\r\nNokoyawa’s Flawed Encryption Routine\r\nDuring the file and folder enumeration, the new variant creates a hash of the enumerated folder and compares it to those of excluded folders. However, this custom hashing algorithm appears to have flaws: it doesn’t seem logical, nor does it appear to work as expected.\r\nBelow is a Python representation of the hashing algorithm.\r\ndef nokoyawa_dir_hashing(folder):\r\n    # The loop bound is the length of the original (single-byte) name...\r\n    folder_len = len(folder)\r\n\r\n    # ...but the string actually walked has a null byte inserted between\r\n    # consecutive characters, mimicking the UTF-16LE name in memory.\r\n    folder = '\\x00'.join([c for c in folder])\r\n\r\n    nhash = 0x1505  # djb2-style seed (5381)\r\n    i = 0\r\n    while i \u003c folder_len:\r\n        c = ord(folder[i])\r\n\r\n        # Case folding: any byte at or above 0x61 ('a') is shifted down by 0x20.\r\n        c = c if c \u003c 0x61 else c - 0x20\r\n\r\n        # hash = hash * 33 + c\r\n        nhash = ((nhash \u003c\u003c 5) + nhash) + c\r\n\r\n        # A null byte advances the index by two, landing on the next null\r\n        # rather than the next character, so after the first character only\r\n        # null bytes are ever mixed into the hash.\r\n        i += 2 if not c else 1\r\n    return nhash \u0026 0xFFFFFFFF\r\nThe implementation of this flawed hashing algorithm in some cases results in excluding multiple folders. Logically, one would expect there to be a 1:1 correlation between a hash and the folder to be excluded. However, the flawed code effectively makes it possible for multiple folders to be excluded based on a single hash: as the code shows, only the first character of the name (case-folded) and the name’s length influence the result, so any folder whose name starts with the same letter and has the same length as an excluded folder collides with it and is skipped as well. 
This code does not appear in Karma variants, which instead contain hardcoded strings denoting which folders to ignore during encryption.\r\nThe following table shows which folders the developers intended to skip during encryption.\r\nHash | Folder Intended To Be Excluded\r\n0x11f299b5 | program files\r\n0x78fb3995 | program files (x86)\r\n0x7c80b426 | appdata\r\n0x7c8cc47c | windows\r\n0xc27bb715 | programdata\r\n0xd6f02889 | $recycle.bin\r\nFor extensions, the ransomware doesn’t use any hashing algorithm; it compares raw strings with the extracted extension of the file. The excluded extensions are .exe, .dll, and .lnk. Files containing “NOKOYAWA” are also excluded.\r\nBoth Nokoyawa and Karma variants dynamically load bcrypt.dll and call BCryptGenRandom in order to generate 0x20 random bytes. They generate an ephemeral Sect233r1 key pair using the generated random bytes as the seed. The malware then uses the private ephemeral key and the embedded public key to derive a shared Salsa20 key, which is subsequently used for the file encryption. The Salsa20 nonce is hardcoded as “lvcelvce” in Nokoyawa, whereas in the Karma version it was \"11111111\".\r\nAn I/O completion packet is sent to the thread responsible for encryption. 
The packet includes the following:\r\n- File handle\r\n- File size\r\n- File data\r\n- Salsa20 key\r\n- Salsa20 nonce\r\n- Public ephemeral key\r\nThe encryption thread has a switch containing four cases, as follows:\r\nCase 1: Writes the encrypted content and the decryption struct to the file and appends the “extension”/“variant name”.\r\nCase 2: Calculates the validation SHA1 hash and encrypts the file data with Salsa20.\r\nCase 3: Closes the file handle and moves the file to its new name with the added extension.\r\nCase 4: Exits.\r\nIn both variants, the initial switch case is “2”.\r\nInitial case, encryption thread\r\nEncryption thread case handler\r\nDuring Case 2, the malware adds a SHA1 checksum, which is possibly validated during the decryption phase. The method runs through the following logic:\r\n- Allocates 0x13 bytes (0x14 required for SHA1).\r\n- XORs the Salsa key with a buffer of “6”.\r\n- Concatenates the file data to the XORed Salsa key.\r\n- Calculates SHA1.\r\n- XORs the Salsa key with a buffer of “\\”.\r\n- Concatenates the SHA1 hash to the second XORed Salsa key.\r\n- Calculates the validation SHA1.\r\n- The first 0x13 bytes of the validation SHA1 hash are added to the encrypted file struct.\r\nThe pad bytes “6” (0x36) and “\\” (0x5C) are the HMAC inner and outer pad constants, so this construction resembles HMAC-SHA1 keyed with the Salsa20 key and truncated to 0x13 bytes.\r\nFiles encrypted by Nokoyawa will have the following structure.\r\nstruct nokoyawa_encrypted_file\r\n{\r\n    BYTE encrypted_file_data[file_size];  // Salsa20-encrypted file contents\r\n    BYTE public_ephemeral_key[0x40];      // ephemeral Sect233r1 public key\r\n    BYTE validation_hash[0x13];           // first 0x13 bytes of the validation SHA1\r\n    STRING ransomware_extension;          // e.g. “NOKOYAWA”\r\n}\r\nThe private key required for decryption is held by the attacker. 
When made available to the victim, the decryption routine reads the struct, extracts the public ephemeral key and generates the Salsa20 key using the private key. The encrypted data is then decrypted with the key and validated by recomputing the validation hash.\r\nConclusion\r\nNokoyawa’s code similarity and structure suggest it is an evolution of the previous Nemty strain, Karma. This appears to be another attempt by the developer to confuse attribution. At this time, the actor appears not to have or provide any onion leak page.\r\nSentinelLabs could not validate previous research suggesting Nokoyawa is related to Hive. Given the lack of code similarities between the two and the lack of further correlating data, we can only suggest that earlier researchers’ findings may be explained by the possibility of an affiliate using both Hive and Nokoyawa.\r\nSentinelLabs continues to follow and analyze the development of Nemty ransomware variants.\r\nIndicators of Compromise\r\nKarma Ransomware SHA1\r\n960fae8b8451399eb80dd7babcc449c0229ee395\r\nNokoyawa Ransomware SHA1\r\n2904358f825b6eb6b750e13de43da9852c9a9d91\r\n2d92468b5982fbbb39776030fab6ac35c4a9b889\r\n32c2ecf9703aec725034ab4a8a4c7b2944c1f0b7\r\nNokoyawa Ransom Note Email Addresses\r\nBrookslambert@protonmail.com\r\ncharlefletcher@onionmail.org\r\nJohnatannielson@protonmail.com\r\nSheppardarmstrong@tutanota.com\r\nNokoyawa YARA Rule\r\nrule Nokoyawa_Nemty\r\n{\r\n    meta:\r\n        author = \"@Tera0017\"\r\n        description = \"Nokoyawa, Nemty/Karma ransomware variant\"\r\n        Reference = \"https://www.sentinelone.com/labs/nokoyawa-ransomware-new-karma-nemty-variant-wea\r\n\r\n    strings:\r\n        $code1 = {B8 (41| 43) 00 00 00 [10-30] 83 F8 5A}\r\n        $code2 = {48 8B 4C 24 08 F0 0F C1 01 03 44 24 10}\r\n        $code3 = {83 E8 20 88 [7] 48 C1 E0 05 48 03 44 24}\r\n        $code4 = {48 C7 44 24 ?? 05 15 00 00}\r\n        $string1 = \"RGVhciB1c2VybmFtbWUsIHlvdXIgZmlsZXMgd2VyZSBlbmNyeXB0ZWQsIHNvbWUgY\" ascii\r\n        $string2 = \"-network\" fullword wide\r\n        $string3 = \"-help\" fullword wide\r\n        $winapi1 = \"PostQueuedCompletionStatus\" fullword ascii\r\n        $winapi2 = \"GetSystemInfo\" fullword ascii\r\n        $winapi3 = \"WNetEnumResourceW\" fullword ascii\r\n        $winapi4 = \"GetCommandLineW\" fullword ascii\r\n        $winapi5 = \"BCryptGenRandom\" fullword ascii\r\n\r\n    condition:\r\n        all of ($winapi*) and 4 of ($code*, $string*)\r\n}\r\nSource: https://www.sentinelone.com/labs/nokoyawa-ransomware-new-karma-nemty-variant-wears-thin-disguise/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.sentinelone.com/labs/nokoyawa-ransomware-new-karma-nemty-variant-wears-thin-disguise/"
	],
	"report_names": [
		"nokoyawa-ransomware-new-karma-nemty-variant-wears-thin-disguise"
	],
	"threat_actors": [
		{
			"id": "20c759c2-cd02-45bb-85c6-41bde9e6a7cf",
			"created_at": "2024-01-18T02:02:34.189827Z",
			"updated_at": "2026-04-10T02:00:04.721082Z",
			"deleted_at": null,
			"main_name": "HomeLand Justice",
			"aliases": [
				"Banished Kitten",
				"Karma",
				"Red Sandstorm",
				"Storm-0842",
				"Void Manticore"
			],
			"source_name": "ETDA:HomeLand Justice",
			"tools": [
				"BABYWIPER",
				"BiBi Wiper",
				"BiBi-Linux Wiper",
				"BiBi-Windows Wiper",
				"Cl Wiper",
				"LowEraser",
				"No-Justice Wiper",
				"Plink",
				"PuTTY Link",
				"RevSocks",
				"W2K Res Kit"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434889,
	"ts_updated_at": 1775826789,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d6bf61669ae315f36644ae8194e51e3fcd6d7a7c.pdf",
		"text": "https://archive.orkl.eu/d6bf61669ae315f36644ae8194e51e3fcd6d7a7c.txt",
		"img": "https://archive.orkl.eu/d6bf61669ae315f36644ae8194e51e3fcd6d7a7c.jpg"
	}
}