SkuggaheimarRansomwareNokoyawa
NOKOYAWA
RANSOMWARE
EXTORTION
RansomwareThreat IntelligenceJuly 06, 2025

Nokoyawa Ransomware Group

Nokoyawa is a exploited Windows CLFS zero-day CVE-2023-28252. This profile covers the group's operations, tactics, known campaigns, and defensive recommendations.

Nokoyawa is a exploited Windows CLFS zero-day CVE-2023-28252. This profile covers the group's operations, tactics, known campaigns, and defensive recommendations. This report provides Mjolnir Security's analysis of the group's operations, extortion model, known targeting, and recommended defenses.

Overview

Nokoyawa is a ransomware and/or data extortion operation tracked by Mjolnir Security. The group maintains a presence on the dark web where victim data is published to pressure payment. Operations typically involve double extortion: encrypting victim systems and threatening to leak stolen data.

Threat Level

Nokoyawa is an active ransomware/extortion threat. Organizations should review their ransomware readiness posture and ensure backup, detection, and incident response capabilities are current.

Tactics & Techniques

Common MITRE ATT&CK techniques observed in ransomware operations like Nokoyawa:

TechniqueDescription
T1486Data Encrypted for Impact
T1490Inhibit System Recovery
T1078Valid Accounts
T1059.001PowerShell Execution
T1567.002Exfiltration to Cloud Storage

Detection & Defense

Recommended defenses against Nokoyawa and similar ransomware groups:

How Mjolnir Security Can Help

Ransomware Defense & Response

Mjolnir Security provides ransomware readiness assessments, incident response, and threat intelligence to help organizations defend against extortion threats.

Ransomware Readiness Incident Response Threat Intelligence Red Team Assessment

Contact us: mjolnirsecurity.com

Written by: Mjolnir Security  |  Published: July 06, 2025
Related Reports
Ransomware Hub

All Ransomware Profiles

View All →
Threat Library

Full Threat Intelligence Catalog

Browse →