The Nokoyawa Ransomware is a mostly unknown threat, but that by no means makes it less destructive than other, more notorious ransomware threats. Once it has infiltrated a targeted computer, Nokoyawa activates its encryption routine and locks numerous types of important files found on the device.

According to a report published by the researchers, Nokoyawa's encryption process uses the BCryptGenRandom API to generate a new random value for each target file. It also uses an encrypted nonce, ‘lvcelcve’, and Salsa to encrypt the victim’s data. The key used is then encrypted with an ECDH key pair. However, the discovered samples of Nokoyawa did not use a packer, leaving their strings exposed and easy to parse.

Cyber criminals behind the NOKOYAWA Ransomware append the .NOKOYAWA extension to the files they encrypt. For example, a file named 1.xlsx is renamed to 1.xlsx.NOKOYAWA, and the file keeps its original icon as well. Successful encryption is then followed by the creation of a ransom note, the NOKOYAWA_readme.txt file, which appears on the desktop.

Inside this note, the cyber criminals try to convince victims to pay for decryption. The same information is given in English and Chinese, directing the victim to contact the extortionists through one of their email addresses (brookslambert@protonmail.com or sheppardarmstrong@tutanota.com). If victims reject their suggestions, the scammers threaten to publish what they call “black shit” on openly accessible resources. The decryption price is kept secret until the victim makes contact, and it is also likely assessed individually for each victim.

In other words, the amount of the ransom can vary a lot depending on the value of the captured data, but one thing we always ask and recommend is that you do not trust cyber criminals: following their demands may simply cost you money, and it is safer to assume that you will not get anything back.
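The indicators described above (the .NOKOYAWA extension, the NOKOYAWA_readme.txt note, the two contact addresses, and the high-entropy output of Salsa encryption) can be turned into a small triage routine for a responder. The following is an added example, not code from the report or the ransomware itself; the file contents it scans are constructed stand-ins, and the 7.0 bits-per-byte threshold is an assumption chosen to separate ciphertext from typical documents.

```python
import math
import ntpath  # handles both "\" and "/" separators, so Windows paths work on any host
from collections import Counter

# Indicators taken from the write-up above.
ENCRYPTED_EXT = ".NOKOYAWA"
RANSOM_NOTE = "NOKOYAWA_readme.txt"
CONTACT_ADDRESSES = ("brookslambert@protonmail.com", "sheppardarmstrong@tutanota.com")
ENTROPY_THRESHOLD = 7.0  # assumption: bits per byte above which a file head looks encrypted

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; Salsa ciphertext sits near 8.0, text far below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def original_name(path: str):
    """'1.xlsx.NOKOYAWA' -> '1.xlsx'; None when the file was not renamed by this family."""
    base = ntpath.basename(path)
    if not base.endswith(ENCRYPTED_EXT) or base == ENCRYPTED_EXT:
        return None
    return base[: -len(ENCRYPTED_EXT)]

def triage(files: dict) -> dict:
    """files maps a path to the first bytes of its content. Returns the indicators seen.

    A file is reported as 'encrypted' only when it carries the extension AND its head
    is high-entropy; files that merely carry the extension are listed separately so a
    responder can spot interrupted runs or decoys.
    """
    report = {"encrypted": [], "renamed_only": [], "notes": [], "contacts": set()}
    for path, head in files.items():
        if ntpath.basename(path) == RANSOM_NOTE:
            report["notes"].append(path)
            text = head.decode("utf-8", errors="replace")
            report["contacts"].update(a for a in CONTACT_ADDRESSES if a in text)
        elif original_name(path) is not None:
            if shannon_entropy(head[:4096]) > ENTROPY_THRESHOLD:
                report["encrypted"].append((path, original_name(path)))
            else:
                report["renamed_only"].append(path)
    return report

def constructed_sample() -> dict:
    """Constructed stand-in for an affected desktop; none of these are real artefacts."""
    return {
        r"C:\Users\u\Desktop\1.xlsx.NOKOYAWA": bytes(range(256)) * 16,  # uniform bytes, 8.0 bits/byte
        r"C:\Users\u\Desktop\notes.txt.NOKOYAWA": b"plain text, never encrypted\n" * 40,
        r"C:\Users\u\Desktop\NOKOYAWA_readme.txt": b"... write to brookslambert@protonmail.com ...",
        r"C:\Users\u\Desktop\budget.docx": b"PK\x03\x04 ordinary, untouched file",
    }
```

Running `triage(constructed_sample())` flags 1.xlsx.NOKOYAWA as encrypted with its recoverable original name, lists notes.txt.NOKOYAWA as renamed but not encrypted, and records which contact address the note contains.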

