The attackers updated the Nokoyawa ransomware by reusing code from publicly available sources.
- Most of the added code was copied from the Babuk ransomware;
- The ransom note changed the method of contacting the attacker. The victim must now reach the cybercriminal through an Onion URL using the Tor browser; previously only an email address was given.
- The operator can now maximise the number of files that get encrypted.
For each victim, the Nokoyawa operator generates an elliptic-curve (ECC) key pair and embeds the public key in the ransomware binary. This key pair acts as the "master key" for decrypting the files once the ransom is paid.
Encrypted files receive the extension .NOKOYAWA, and a ransom note is written to NOKOYAWA_readme.txt in every directory that contains encrypted files.
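The two file-system indicators named above (the .NOKOYAWA extension and the NOKOYAWA_readme.txt note dropped per directory) are enough for a quick host triage. The following Python scanner is an added example, not code from the article or from any incident-response tool it mentions: it walks a directory tree, lists every renamed file, every directory holding the note, and flags directories where a note was dropped but nothing alongside it was renamed (a partially completed run). The sample tree it builds is constructed for the demonstration.

```python
"""Host-side triage for the Nokoyawa file-system indicators described above.
Example code added to this write-up; not from the article's source."""
import os
import tempfile
from dataclasses import dataclass, field

RANSOM_NOTE = "NOKOYAWA_readme.txt"   # ransom note file name from the article
ENCRYPTED_EXT = ".nokoyawa"           # extension from the article, compared case-insensitively


@dataclass
class ScanResult:
    note_dirs: list = field(default_factory=list)        # directories containing the ransom note
    encrypted_files: list = field(default_factory=list)  # paths ending in .NOKOYAWA
    orphan_notes: list = field(default_factory=list)     # note present, no renamed files beside it


def scan_tree(root: str) -> ScanResult:
    """Walk `root` and collect the Nokoyawa file-system indicators."""
    result = ScanResult()
    for dirpath, _dirs, files in os.walk(root):
        has_note = RANSOM_NOTE in files
        enc_here = [os.path.join(dirpath, f) for f in files
                    if f.lower().endswith(ENCRYPTED_EXT)]
        if has_note:
            result.note_dirs.append(dirpath)
            if not enc_here:
                result.orphan_notes.append(dirpath)
        result.encrypted_files.extend(enc_here)
    return result


def severity(result: ScanResult) -> str:
    """Rough triage label for an analyst queue."""
    if result.encrypted_files and result.note_dirs:
        return "confirmed"      # note plus renamed files matches the described behaviour
    if result.encrypted_files or result.note_dirs:
        return "suspicious"     # only one indicator: partial run or a copied note
    return "clean"


def build_sample_tree() -> str:
    """Create a constructed directory tree that mimics a partial infection.
    Sample data for this example only; the files hold placeholder bytes."""
    root = tempfile.mkdtemp(prefix="nokoyawa_demo_")
    layout = {
        "finance": ["q1.xlsx.NOKOYAWA", "q2.xlsx.NOKOYAWA", RANSOM_NOTE],
        "finance/archive": ["old.pdf.nokoyawa", RANSOM_NOTE],
        "hr": ["policy.docx"],          # untouched directory
        "tmp": [RANSOM_NOTE],           # note dropped, nothing renamed
    }
    for rel, names in layout.items():
        d = os.path.join(root, rel)
        os.makedirs(d, exist_ok=True)
        for name in names:
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(b"constructed sample content\n")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    r = scan_tree(demo_root)
    print(f"severity={severity(r)} encrypted={len(r.encrypted_files)} "
          f"note_dirs={len(r.note_dirs)} orphan_notes={len(r.orphan_notes)}")
```

Run it against a mounted image or a suspect share root instead of the demo tree; the orphan-note list is the useful part, since it points at directories where encryption was interrupted and original files may still be intact.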
The Onion URL leads to an online chat page for negotiating with the operator and paying the ransom. During the correspondence, the attacker offered to decrypt 3 files for free as proof that the cybercriminal can decrypt all of the victim's files.
The "Instructions" page shows the ransom amount, payable in Bitcoin or Monero. According to the Nokoyawa operator, a tool to decrypt the victim's files is provided after payment.
Earlier, cybersecurity researchers discovered a new version of the Chaos ransomware builder, called Yashma, which can stop antivirus and backup software.