Nokoyawa attacks Muncy Homes

Incident Date: July 29, 2023

Muncy Homes

Muncy, USA

Pennsylvania, USA

First Reported: July 29, 2023

The Nokoyawa Ransomware Gang's Attack on Muncy Homes

The Nokoyawa ransomware gang has attacked Muncy Homes. Muncy Homes is a company that specializes in constructing modular and manufactured homes. The company has operated for several decades and has established itself as a prominent player in the housing industry. Muncy Homes offers a range of housing options, including single-family homes and multi-family structures, all built in a controlled factory environment.

Nokoyawa posted Muncy Homes to its data leak site on July 29th, threatening to publish all stolen data by August 2nd if the organization fails to pay an unspecified ransom.

The Origins and Evolution of Nokoyawa Ransomware

The Nokoyawa ransomware gang was detected in February 2022 and displayed code similarities with another ransomware group, Karma. The origins of Nokoyawa ransomware can be traced back to the Nemty ransomware. The initial iteration of Nokoyawa ransomware was coded using the C programming language and employed asymmetric Elliptic Curve Cryptography (ECC) with Curve SECT233R1 (also referred to as NIST B-233). This cryptographic method utilized the Tiny-ECDH open-source library and combined it with a Salsa20 symmetric key unique to each file.

The subsequent version, Nokoyawa ransomware 2.0, retains Salsa20 for symmetric encryption but replaces the elliptic curve with Curve25519. Nokoyawa 2.0 was written in the Rust programming language and seems to have been developed around September 2022. The shift to Rust is not unprecedented in ransomware development. Prior instances include the Hive and Agenda/Qilin ransomware families, which transitioned from the Go programming language to Rust. Furthermore, the author of RansomExx ported their ransomware's code from C++ to Rust. The BlackCat/ALPHV ransomware family is also an example of ransomware compiled in Rust.

The growing popularity of Rust can be attributed to its focus on efficiency and concurrency, factors that enhance the effectiveness of file encryption in ransomware. Like the previous Nokoyawa version, the Rust iteration is compiled exclusively for 64-bit versions of Windows.
