Nokoyawa Ransomware Attacks Exploited Windows Zero-Day


April 12, 2023


Microsoft’s Patch Tuesday security updates fixed nearly 100 vulnerabilities, most notably CVE-2023-28252, a privilege escalation zero-day flaw in the Windows Common Log File System (CLFS) driver that has been exploited in Nokoyawa ransomware attacks.

“CLFS is a log file subsystem described by Microsoft as a general-purpose logging service that can be used by software clients running in user- or kernel-mode. The vulnerability affecting CLFS allows an authenticated attacker to elevate privileges to System,” Security Week reports.

“The Nokoyawa ransomware family, which is designed to target Windows systems, emerged in February 2022. The malware encrypts files on compromised systems, but the cybercriminals also claim to steal valuable information that they threaten to leak unless a ransom is paid.”

Takeaway: The marked increase in the exploitation of vulnerabilities by ransomware gangs is further evidence that criminal actors continue to employ increasingly complex techniques that we used to only see in nation-state operations.

Ransomware attacks used to be clumsier and more random: essentially a numbers game in which massive email spam campaigns or drive-by watering hole attacks were designed to infect as many individual devices as possible while asking for ransoms of a fraction of a bitcoin.

"It is highly unusual to see ransomware gangs using zero-day exploits targeting vulnerabilities in Windows, as these exploits are highly valuable to attackers and usually leveraged in nation-state operations as opposed to cybercriminal attacks," Jon Miller, CEO and co-founder of Halcyon, told the CyberWire.

Research from earlier this year found that more than three-quarters of all ransomware-related vulnerability exploits observed throughout 2022 targeted older bugs disclosed between 2010 and 2019, for which patches were already available. Most of the vulnerabilities were low to medium severity levels, making it more likely that they were lower on an organization's priority list for patching or were simply never addressed.

"For many of these vulnerabilities, exploits have been available for quite some time. And in many cases, the exploits have been built into toolkits and largely automated. This is why we have seen an increase in more sophisticated attack sequences in ransomware attacks. However, the use of zero-days of this caliber is almost unprecedented," Miller continued.

The Nokoyawa ransomware family bears a striking resemblance to the Hive ransomware that was first observed in June of 2021 and is responsible for some major disruptions that impacted COVID-19 responses, including an attack on a hospital that delayed care for patients.

In July of 2022, the FBI penetrated the Hive network and provided decryption keys to victims worldwide, which has diminished the effectiveness of Hive operations, but Nokoyawa could be the group's successor.

According to the FBI, Hive claimed more than 1,500 victims, who were extorted for more than $100 million in ransom payments as of November 2022, and was one of the most active of all observed attack groups in 2022.

"Organizations with the right controls in place stand the best chance of disrupting these attacks at initial ingress when these known exploits are likely to be used or when the attackers begin to move laterally on the network and seek to escalate privileges," Miller explained.

"The ransomware payload is the very tail-end of a longer attack. Thus, a multi-layer defense strategy designed to detect more than just the detonation of a ransomware binary is critical to detecting earlier and remediating against these attacks faster."
