Source code recycling is becoming a trend for new ransomware strains

Source Code Recycling Trend Ransomware Strains

Recently, experts noticed several threat actors have started reusing ransomware codes from available sources in the threat landscape. Researchers have observed a new ransomware campaign called Nokoyawa, and they confirmed that the strain is improving drastically by following a similar strategy of source code recycling.

The Nokoyawa ransomware first emerged last February. Its code overlaps with the Karma ransomware and is seen in Nemty ransomware. The samples from April also revealed that three new functions increased the number of files that can be encrypted in each attack.

These tools already existed in the latest ransomware strains, which implies that Nokoyawa ransomware was slowly catching up to recent ransomware variants.


Most of the extra code was duplicated by threat actors from publicly available sources, such as the source code of the Babuk ransomware.


Last March, a researcher suggested that the Nokoyawa group is affiliated with another ransomware group known as Hive. The researcher confirmed its allegations after the two groups showed similarities between its Cobalt Strike and other kits. In addition, the researchers noticed that the two groups’ information harvesting and lateral deployment were identical.

However, a separate researcher identified that the Nokoyawa strain is part of the Nemty ransomware family, meaning it does not have any linkage to Hive. The researcher made its conclusions since both Nokoyawa and Nemty manage muti-threat encryption and are encoded in Base64.

The source code recycling strategy the Nokoyawa group uses implies that recent threat actors can execute their attacks faster and requires little effort. Malicious threat groups, such as BlackCat, have adopted this technique since their source code is a rebrand of another hacker group called DarkSide.

AstraLocker is another ransomware developed on the source code of Babuk ransomware, which researchers proved since their campaign markers were similar.

As of now, old ransomware has been a reliable source of code for rebranding as it contains blueprints of past attacks. Hence, recycling codes allows an attacker to have an efficient cybersecurity attack. Therefore, researchers would still need to understand past ransomware strains to address these newly emerging recycled ransomware strains.

Experts suggest that organisations can build a strong security wall by studying the past for a more secure cybersecurity strategy.

About the author

Leave a Reply