Connect with us

Hi, what are you looking for?



As Cybercriminals Recycle Ransomware, They’re Getting Faster

Keep your response up to speed as attackers get faster

Keep your response up to speed as attackers get faster

Like history, ransomware repeats itself. Researchers recently encountered a new variant of a ransomware campaign and observed that it has been improving itself by reusing code from publicly available sources. Let’s take a closer look at this variant, as well as what organizations need to do to remain secure in light of the current threat recycling landscape.

Ransomware’s recycling campaign

Nokoyawa is a new ransomware for Windows that first appeared at the beginning of this year. The first samples found by FortiGuard researchers were gathered in February 2022 and contain significant coding similarities with Karma, a ransomware that can be traced back to Nemty via a long series of variants. The Nemty ransomware family was first reported on by these researchers in 2019. 

The security researchers recently discovered a new variation of this ransomware campaign and noted that the variant has been improving itself by reusing code from publicly available sources. The April 2022 samples include three new features that increase the number of files that Nokoyawa can encrypt. These features already existed in recent ransomware families, and their addition just indicates that Nokoyawa developers are trying to match pace with other operators in terms of technological capability.

The majority of the additional code was copied exactly from sources that were publicly available, including the source of the now-defunct Babuk ransomware leaked in September 2021. For example, criminals included functions to stop processes and services that lower the number of files locked by other programs so the encryption code can encrypt those files. The code – including a list of processes and service names – is identical to Babuk’s implementation.

Nokoyawa also includes code to enumerate and mount volumes in order to encrypt the files on these volumes, which is based again on the same code that was leaked from the Babuk source. It deletes volume snapshots by resizing the allocated space for snapshots of volume shadow copies to 1 byte – and because this size is insufficient for storing snapshots, Windows will delete them. The code looks to be plagiarized from a publicly available proof-of-concept. 

Advertisement. Scroll to continue reading.

Unsafe at any speed – and getting faster 

The Nokowaya is just another indication that bad actors can move faster than ever – in this case by modifying existing malware with minimal effort using recycled code. 

It’s not the only such example we’ve seen. Last year, we saw this happen with Log4j.  The critical vulnerability in the Apache Log4j Java-based logging framework was so simple to exploit that it allowed attackers to take total control of affected systems. In just a matter of days, Log4j became the most common IPS detection in the second half of 2021.  We also saw that criminals have used a rebranding of DarkSide called BlackMatter on several attacks on U.S. infrastructure. 

While recycling of this kind isn’t exactly new, it’s definitely becoming a more popular tactic for bad actors – with the rise of Ransomware-as-a-Service making it even easier.

Two strategies for stronger security

First, organizations need a deeper understanding of attack techniques. Our researchers analyzed the functionality of malware they’d detected and created a list of the specific tactics, techniques and procedures (TTPs) that the malware would have carried out if the attacks had occurred. This information demonstrates that stopping an attacker early is more important than ever, and that focusing on a few of the detected TTPs can effectively stop a malware’s assault capabilities in some instances.

The top three strategies for the “execution” phase, for instance, represent 82% of the activity. Nearly 95% of the measured functionality is represented by the top two approaches for gaining a foothold in the “persistence” phase. Using this research to prioritize security strategies can have a significant impact on how businesses maximize their protection.

Second, cyber hygiene training is a necessity for everyone in the organization, with home workers, not just organizations, being targets of cyberattacks. Toward this end, there are now many free cybersecurity courses available, including more advanced programs for cybersecurity professionals. Learning the fundamentals of cyberwarfare can help everyone defend their organizations against attacks. Multi-factor authentication and password protection can help protect remote workers’ personal information, and knowing how to spot phishing emails and malvertising schemes will help employees avoid falling for these social engineering ploys.

Staying ahead of the adversary

Everything old is new again in the world of ransomware development. Bad actors are highly efficient; they find out what’s worked before and incorporate it into their new variants. It’s a kind of malware best-of-the-best that no one but criminals want to see. Ransomware-as-a-Service only exacerbates the destructive potential of these new variants. But organizations can strengthen their security posture by getting detailed information on current attack techniques and keeping their employees’ cyber hygiene training up to date.

Written By

Derek Manky is chief security strategist and global vice president of threat intelligence at FortiGuard Labs. Derek formulates security strategy with more than 15 years of cyber security experience behind him. His ultimate goal to make a positive impact in the global war on cybercrime. He provides thought leadership to industry, and has presented research and strategy worldwide at premier security conferences. As a cybersecurity expert, his work includes meetings with leading political figures and key policy stakeholders, including law enforcement. He is actively involved with several global threat intelligence initiatives including NATO NICP, INTERPOL Expert Working Group, the Cyber Threat Alliance (CTA) working committee and FIRST – all in effort to shape the future of actionable threat intelligence and proactive security strategy.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.