Cyber Threat Actor: Nokoyawa
| Actor Type | Location | Known Incidents |
Criminal
|
United States of America
|
2 incidents |
|---|
Profile
Nokoyawa is a threat actor known by that alias and has been associated with operations originating from the United States of America. Public reporting links the actor to a series of cyber incidents that have affected organizations within the country. The actor’s activities have come to light through notifications from victims and subsequent forensic analyses. No public attribution to a state sponsor or criminal consortium has been made for Nokoyawa.
In March 2023, Nokoyawa was identified as responsible for a prolonged unauthorized access event at MercyOne Clinton Medical Center that lasted over a month and resulted in the compromise of personal, medical, financial and insurance data for more than twenty thousand individuals. The incident disrupted hospital operations but did not impact direct patient care, and the organization restored systems from backups while acknowledging some unrecoverable data loss. In January 2023, the same actor was linked to a ransomware attack against Nantucket Public Schools that forced the closure of the district for several days and led to the shutdown of internet, security cameras, phones and all devices as a precaution. External cybersecurity experts assisted the school’s IT team in restoring most servers, allowing limited resumption of classes with student Chromebooks remaining functional while staff devices stayed inaccessible. The attackers withdrew their ransom demand after pushback from the district, and no payment was made. Both cases illustrate Nokoyawa’s focus on targeting healthcare and education sectors within the United States, using techniques that enable network infiltration and data encryption or exfiltration. The observed outcomes include service disruption, data loss and the implementation of post‑incident remedial measures such as credit monitoring offers and system hardening.
