Nokoyawa ransomware attacks

BOTTOM LINE UP FRONT (BLUF):

Nokoyawa Ransomware, active since early 2022 and since rewritten in Rust, uses IcedID for initial access and exploits a vulnerability in the Microsoft Common Log File System (CLFS). Recently, the ransomware syndicate has been observed attacking institutions within Australia's Higher Education sector. To mitigate the risk, members are advised to implement the recommendations below.

EXECUTIVE SUMMARY:

Nokoyawa Ransomware, initially identified in February 2022, has undergone significant evolution, including a shift to the Rust programming language in September 2022. This ransomware variant follows a multi-stage attack path, typically gaining initial access through IcedID malware and exploiting vulnerabilities in Microsoft products.

THREAT CONTEXT:

Nokoyawa, believed to have connections with the Hive group, has recently targeted an Information Technology company headquartered in Sydney, Australia. Additionally, member reporting has confirmed multiple attacks, which were detected within the Higher Education and Research sector.

The purported link to Hive brings additional credibility and risk to the Nokoyawa threat as both groups exhibit similar attack patterns and use comparable malware deployment and defence evasion tools.

Nokoyawa had targeted South American entities, particularly in Argentina, before attacking Australian entities. The impacted entity provides technical support to the Australian Government and participates in numerous government projects and advisories.

As with many ransomware groups, attacks are often opportunistic; however, members should take proactive steps to uplift their defences.

TECHNICAL INFORMATION:

At a high level, Nokoyawa's attacks follow a number of standard stages:

  1. Initial Access: Exploitation of vulnerabilities (e.g., CVE-2023-28252) and targeted email campaigns delivering malicious payloads like IcedID.
  2. Persistence: Establishment of persistence by dropping files into the AppData roaming folder and creating a scheduled task for regular execution.
  3. Privilege Escalation and Reconnaissance: Utilisation of Cobalt Strike beacons, LSASS memory dumping, network scanning, domain enumeration, and reconnaissance activities.
  4. Lateral Movement: Exploitation of DLL files, WMI commands, and batch files to propagate within the network. Compromised server connections and abuse of WMI and PsExec facilitate deployment.
  5. Deployment and Encryption: Ransomware deployment to all domain-joined hosts, encryption of files and directories with the ".AWAYOKON" extension, deletion of volume shadow copies, and ransom note placement.

RECOMMENDATIONS:

  1. Patch CVE-2023-28252: Members are recommended to refer to the advisory on the CI-ISAC member portal issued 13/4 and follow the recommended steps.
  2. Utilise Endpoint Detection and Response (EDR): Organisations can deploy an EDR solution that uses behaviour-based detections to pick up the commodity malware and techniques employed in this attack chain.
  3. Block IoCs (Indicators of Compromise): Add the malicious IOCs available in the CI-ISAC member portal to your detections with a flag to investigate any positive matches.
  4. Use YARA rules: Leverage the attached YARA rules (available within the member portal), which are designed to detect IcedID malware and Nokoyawa ransomware.
  5. Identifying Exploitation Activity Through Residual Files: Once the exploit has run, it leaves artefact files in a fixed location within the "C:\Users\Public" directory. Organisations can determine whether the exploit was executed on their servers or on staff devices by checking for files named "C:\Users\Public\.container*", "C:\Users\Public\MyLog*.blf", and "C:\Users\Public\p_*".
  6. Email Security: Enhance email security by filtering out malicious attachments and blocking macros, especially in outdated Microsoft Office installations.
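The residual-file check in recommendation 5, written out as a PowerShell hunt that can be run locally or pushed to a list of hosts. This is an added example, not tooling from the advisory or from CI-ISAC; it assumes PowerShell Remoting is enabled on the remote hosts and that the host list and report path are placeholders the operator replaces.

```powershell
# Added example (not from the CI-ISAC advisory): hunt for the residual files that
# the CVE-2023-28252 exploit leaves under C:\Users\Public on one or more hosts.
# Assumes PowerShell Remoting is enabled and the caller has admin rights on each host.
param(
    [string[]]$ComputerName = @('localhost'),              # placeholder host list
    [string]$ReportPath = ".\nokoyawa-residual-files.csv"   # placeholder output path
)

# File-name patterns listed in recommendation 5, relative to C:\Users\Public.
$ArtefactPatterns = @('.container*', 'MyLog*.blf', 'p_*')

$huntBlock = {
    param($patterns)
    $base = 'C:\Users\Public'
    foreach ($pattern in $patterns) {
        # -Force also returns hidden/system files in case attributes were altered.
        Get-ChildItem -Path $base -Filter $pattern -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Host      = $env:COMPUTERNAME
                    Pattern   = $pattern
                    Path      = $_.FullName
                    SizeBytes = $_.Length
                    Created   = $_.CreationTimeUtc
                    Modified  = $_.LastWriteTimeUtc
                    # Hash for triage against IoCs; null if the file is locked.
                    SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
                }
            }
    }
}

$results = foreach ($computer in $ComputerName) {
    try {
        if ($computer -in @('localhost', $env:COMPUTERNAME)) {
            & $huntBlock $ArtefactPatterns
        } else {
            # (,$ArtefactPatterns) passes the whole array as one argument.
            Invoke-Command -ComputerName $computer -ScriptBlock $huntBlock -ArgumentList (,$ArtefactPatterns) -ErrorAction Stop
        }
    } catch {
        Write-Warning "Could not query ${computer}: $($_.Exception.Message)"
    }
}

if ($results) {
    $results | Sort-Object Host, Path | Export-Csv -Path $ReportPath -NoTypeInformation
    $results | Format-Table Host, Path, Created, SHA256 -AutoSize
    Write-Host "Matches written to $ReportPath. Preserve the files and escalate per your incident response process."
} else {
    Write-Host "No residual exploit files found under C:\Users\Public on the queried hosts."
}
```

A match indicates the exploit ran on that host at some point, so the creation timestamps give a starting point for scoping the intrusion rather than proof that the host is currently compromised.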

DISCLAIMER:

CI-ISAC advisories are based on information gathered from open and closed sources and all efforts have been made to ensure that the information in this advisory is accurate and is provided ‘as is’ by CI-ISAC. Members are advised to take into account their own environment’s configuration and existing security controls to make a risk-informed decision before acting on the recommendations provided above.
