Operator dossier

Nokoyawa is a ransomware operator no longer publishing new disclosures. Darkfield has indexed 36 public victims claimed by this operator between December 9, 2022 and August 4, 2023. Nokoyawa is a ransomware group that emerged in December 2022, operating with primarily financial motivations and targeting organizations across multiple sectors including healthcare, non-profit, education, finance, and energy. The group has claimed at least 36 victims since its emergence, with attacks predominantly focused on the United States, Canada, United Kingdom, France, and the Philippines. While detailed technical analysis of Nokoyawa's operations remains limited in public reporting, the group appears to follow conventional ransomware tactics targeting critical infrastructure and essential services sectors. Their targeting of healthcare and educational institutions suggests they operate without the sector restrictions that some other ransomware groups have adopted. Notable campaigns include attacks across their preferred geographic regions, though specific high-profile incidents have not been extensively documented in public threat intelligence reporting from major security firms. As of current reporting, Nokoyawa appears to remain an active threat, though the group's relatively recent emergence means long-term operational patterns and potential law enforcement disruption efforts are still developing.

Most-targeted sectors

Healthcare4 victims
Non-Profit2 victims
Education2 victims
Finance1 victims
Energy1 victims
Media1 victims

Most-affected countries

United States6 victims
Canada3 victims
United Kingdom2 victims
France1 victims
Philippines1 victims
Brazil1 victims

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Inactive ransomware operator

← All groups

Nokoyawa

36 victims indexed · first seen 3 years ago · last activity 3 years ago

Victims indexed

#121 of 348 tracked operators

Active period

Dec 2022 → Aug 2023

Countries hit

top United States · 6

At a glance

Status: inactive
First seen: 3 years ago
Last activity: 3 years ago
Onion sites: 6 known endpoints
Primary sector: Healthcare · 4 hits

About

Nokoyawa is a ransomware group that emerged in December 2022, operating with primarily financial motivations and targeting organizations across multiple sectors including healthcare, non-profit, education, finance, and energy. The group has claimed at least 36 victims since its emergence, with attacks predominantly focused on the United States, Canada, United Kingdom, France, and the Philippines. While detailed technical analysis of Nokoyawa's operations remains limited in public reporting, the group appears to follow conventional ransomware tactics targeting critical infrastructure and essential services sectors. Their targeting of healthcare and educational institutions suggests they operate without the sector restrictions that some other ransomware groups have adopted. Notable campaigns include attacks across their preferred geographic regions, though specific high-profile incidents have not been extensively documented in public threat intelligence reporting from major security firms. As of current reporting, Nokoyawa appears to remain an active threat, though the group's relatively recent emergence means long-term operational patterns and potential law enforcement disruption efforts are still developing.

References

1 link

External sources curated by the MISP threat-intel community.

ransomlook.io/group/nokoyawa

Timeline

4 months

2022-12-01T00:00:00+00:002023-08-01T00:00:00+00:00

Top countries

🇺🇸 United States

🇨🇦 Canada

🇬🇧 United Kingdom

🇫🇷 France

🇵🇭 Philippines

🇧🇷 Brazil

🇦🇺 Australia

🇲🇦 MA

United States dossier →Canada dossier →United Kingdom dossier →France dossier →

Top sectors

Healthcare

Non-Profit

Education

Finance

Energy

Media

Government

Healthcare dossier →Non-Profit dossier →Education dossier →Finance dossier →

MITRE ATT&CK

10 techniques · 8 tactics

Tactics

Initial AccessExecutionDefense EvasionDiscoveryLateral MovementCollectionExfiltrationImpact

Techniques

T1566Phishing
T1190Exploit Public-Facing Application
T1059Command and Scripting Interpreter
T1027Obfuscated Files or Information
T1082System Information Discovery
T1083File and Directory Discovery
T1021Remote Services
T1005Data from Local System
T1041Exfiltration Over C2 Channel
T1486Data Encrypted for Impact

Recent victims

Loading…

Onion infrastructure

6 known

http://6yofnrq7evqrtz3tzi3dkbrdovtywd35lx3iqbc5dyh367nrdh4jgfyd.onion
http://lirncvjfmdhv6samxvvlohfqx7jklfxoxj7xn3fh7qeabs3taemdsdqd.onion
http://lirncvjfmdhv6samxvvlohfqx7jklfxoxj7xn3fh7qeabs3taemdsdqd.onion/
http://noko65rmtaiqyt2cw2h4jrxe3u56t2k7ov3nd22hoji4c5vnfib2i4yd.onion
http://noko65rmtaiqyt2cw2h4jrxe3u56t2k7ov3nd22hoji4c5vnfib2i4yd.onion/api/leaks/get
http://nokoleakb76znymx443veg4n6fytx6spck6pc7nkr4dvfuygpub6jsid.onion

Source

Updated 3 years ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.