Skip to main content

Home Nokoyawa ransomware

Nokoyawa ransomware

Also known as: Nevada

Category: Malware

Type: Ransomware

Platform: Windows

Variants: Nokoyawa 1.0, Nokoyawa 1.1, Nokoyawa 2.0 and Nokoyawa 2.1 (Nevada)

Damage potential: Malware infection, data encryption, file corruption and loss, system performance issues, network connectivity problems, operational disruption, reputation damage, and financial loss.


Nokoyawa is a sophisticated new strain of ransomware targeting small and medium-sized organizations. A Nokoyawa attack involves encrypting files and demanding payment (typically in cryptocurrency) in exchange for a decryption key. The attackers exploit a known vulnerability (CVE-2023-28252) in Windows servers to gain unauthorized access to the system and deploy Nokoyawa. This ransomware is unique because, unlike many other ransomware types, it uses an uncommon elliptic curve cryptography (ECC) routine.

Possible symptoms

The main symptom of a Nokoyawa infection is file encryption or not being able to open and use your files. Other symptoms include:

  • A ransom note appears on the desktop (NOKOYAWA_readme.txt).
  • Changed file extensions (to .NOKOYAWA).
  • Slower computer performance.
  • Antivirus alerts about an infection.
  • Increased CPU and disk activity.
  • Unusual network activity.
  • Internet connection issues.
  • Disabled antivirus software.

Sources of infection

Nokoyawa ransomware spreads in many ways, with attackers often using malware droppers to infect systems and networks. Let’s look at the most common ways Nokoyawa spreads.

  • Social engineering tactics. Attackers may distribute Nokoyawa through phishing emails or spear phishing attacks targeting employees.
  • Malicious attachments. Employees may receive spam emails containing infected attachments that install Nokoyawa when opened.
  • Malicious links. Ransomware can also be delivered through malicious links in emails or on social media platforms.
  • Infected external drives. Nokoyawa ransomware may also spread via infected USBs, external hard drives, or other removable media.
  • Drive-by downloads. Victims may unknowingly download Nokoyawa by visiting compromised or malicious sites.
  • Malvertising. Sometimes Nokoyawa spreads through malicious ads, with users unknowingly downloading ransomware when they click on them.
  • Security vulnerabilities. Attackers may target unpatched security vulnerabilities in the system or network to gain access and distribute Nokoyawa.


Ransomware attacks can seriously damage organizations, both operationally and financially. Here’s how to protect networks and devices from Nokoyawa ransomware:

  • Regularly install updates. Hackers often look for security vulnerabilities as a way into the system. Make sure you install updates without delay.
  • Keep your data backed up. Nokoyawa infections will have less of an effect on your organization if all your files are securely backed up.
  • Educate employees about cybersecurity. Running company-wide training sessions can help organizations prevent ransomware attacks.
  • Use NordVPN’s Threat Protection. Threat Protection is an advanced NordVPN feature that blocks malicious sites, intrusive web trackers, and annoying ads. Plus, it checks files for malware during download.


Removing Nokoyawa ransomware from a company network can be challenging. It’s best to work with a reliable specialist and use a reputable antivirus. If you don’t have your data backed up, you may need to use a trusted ransomware decryption tool to access it without paying the attackers. Generally, giving in to the attackers’ demands is not recommended because it supports this illegal activity and doesn’t guarantee you’ll get your files back.