Nokoyawa is a ransomware family operated in a ransomware-as-a-service ecosystem and linked in reporting to historical RaaS operations including Nemty, Nemty X, Karma, and JSWORM. Reporting also links Nokoyawa to the aliases and personas around “salfetka,” “rinc,” and “farnetwork,” and to Volodymyr Tymoshchuk, who has been associated with JSWORM, Karma, Nemty, and Nokoyawa ransomware platforms. Microsoft reporting states that DEV-0237 routinely deployed Nokoyawa in May 2022 after previously experimenting with it when not using Hive.
Observed Nokoyawa intrusions show rapid progression from initial access to encryption. In a documented November 2022 case, the intrusion began with a thread-hijacked phishing email delivering a malicious HTML smuggling attachment, which downloaded a password-protected ZIP containing an ISO. User interaction with a LNK file in the mounted ISO executed an IcedID DLL via a renamed rundll32 binary. IcedID established persistence through a scheduled task, performed host and domain discovery, and downloaded follow-on payloads from attacker infrastructure including trentonkaizerfak[.]com, pikchayola[.]pics, questdisar[.]com, and IPs 5.255.103[.]16:443 and 5.8.18[.]242:443. About three hours after IcedID execution, operators deployed Cobalt Strike, accessed LSASS memory, used valid accounts and RDP for lateral movement, ran AdFind and SessionGopher for Active Directory and credential discovery, and used SoftPerfect netscan.exe before staging ransomware.
In that case, the attackers copied the Nokoyawa binary as k.exe and a batch file p.bat across the environment using SMB, WMIC, and PsExec, then remotely created a service named mstdc to execute the batch file as SYSTEM. Nokoyawa was executed on a domain controller and other hosts roughly 12 hours after initial infection. The ransomware configuration was set to encrypt network resources, load hidden drives, and delete volume shadow copies. It excluded common system directories including Windows, Program Files, Program Files (x86), AppData, ProgramData, and System Volume Information, and excluded extensions such as .exe, .dll, .ini, .lnk, and .url from encryption.
High-confidence infrastructure and host artifacts mentioned in reporting include the hostname WIN-5J00ETD85P5, the service name mstdc, the staged ransomware filename k.exe, and associated delivery and C2 infrastructure trentonkaizerfak[.]com, pikchayola[.]pics, questdisar[.]com, 5.255.103[.]16:443, and 5.8.18[.]242:443. Reporting attributes the malware distribution in the November 2022 intrusion to TA551 and the hands-on-keyboard activity to Microsoft-tracked Storm-0390, managed by Periwinkle Tempest.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
In May 2022, DEV-0237 started to routinely deploy Nokoyawa, a payload that we observed the group previously experimenting with when they weren’t using Hive.
Five minutes after transferring the files to hosts in the domain, the Nokoyawa ransomware binary was executed on a domain controller... The time to ransomware (TTR) was just over 12 hours from the initial infection.
5 distinct techniques documented for this family, organized by ATT&CK tactic.
6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Named ransomware operation referenced in connection with aliases linked to the seller of INC source code.
Referenced as a historical RaaS/ransomware operation with TTP overlap to INC Ransom (no additional details provided).
Nokoyawa is a ransomware family associated with the same administrator as JSWORM, Karma, and Nemty.
Ransomware-as-a-Service platform used in cyber extortion campaigns.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.