Skip to main content

// group profile

nokoyawa

Inactive

Nokoyawa is a double-extortion ransomware group that launched a RaaS program in 2022 (operated by threat actor "farnetwork"), primarily targeting businesses in South America across healthcare, financial services, government, and manufacturing, gaining significant attention in 2023 for exploiting a Windows CLFS zero-day (CVE-2023-28252).

36

Victims

4

Sites

Victims (36)

Live

Studio Domaine LLC

Roman Catholic Diocese of Albany

Pea River Electric Cooperative

Muncy Homes

AT&S

nokoyawaSingapore

Village Church of Barrington

Modern Eyez

One Health Solutions

Tampa General Hospital

CANAROPA Inc

Roadies

CONEX

Miescor

nokoyawaPhilippines

MSX International

Gaston College

nokoyawaUnited States

City of Modesto

nokoyawaUnited States

Pueblo Mechanical & Controls

comcom-sgc

Guardian Fine Art Services

Accurate Auto Insurance

Stockmann Natursteine & Fliesen

Snodland C of E Primary School

nokoyawaUnited Kingdom

Sabin

Canadian Nurses Association

Rural Workforce Agency

nokoyawaAustralia

Known Leak Sites

nokoleakb76znymx443veg4n6fytx6spck6pc7nkr4dvfuygpub6jsid.onionDLS

6yofnrq7evqrtz3tzi3dkbrdovtywd35lx3iqbc5dyh367nrdh4jgfyd.onionDLS

lirncvjfmdhv6samxvvlohfqx7jklfxoxj7xn3fh7qeabs3taemdsdqd.onionDLS

noko65rmtaiqyt2cw2h4jrxe3u56t2k7ov3nd22hoji4c5vnfib2i4yd.onionDLS

Top Targeted Countries

United States4

Canada3

United Kingdom2

Singapore1

Morocco1

MITRE ATT&CK

T1486Data Encrypted for Impact

Rust-based encryptor using Salsa20

T1490Inhibit System Recovery

Deletes shadow copies

T1068Exploitation for Privilege Escalation

Used Windows CLFS zero-day CVE-2023-28252

T1059.001PowerShell

Uses Cobalt Strike and PowerShell

Activity

Total victims36

Countries affected8

Last seenNo recent activity

Explore

Ransomware NewsRelated articles

Check DecryptorsFree tools

Payment DataRansom tracking

MITRE ATT&CKTechniques

Live MapGlobal view

Source: ransomware.live|Refreshes every 5 min