What We Do
How we do it
About Us
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
Read about how we got here
Leadership Work at eSentire
Mar 20, 2023
Exertis and eSentire Partner to Deliver 24/7 Multi-Signal MDR, Digital Forensics & IR Services and Exposure Management to Organisations Across the UK, Ireland, and Europe
Basingstoke, UK– 20 March, 2023. Leading technology distributor, Exertis, announced today that it has bolstered its cybersecurity services, adding eSentire, the Authority in Managed Detection and Response (MDR), to its Enterprise portfolio of offerings. eSentire’s award-winning, 24/7 multi-signal MDR, Digital Forensics & Incident Response (IR), and Exposure Management services will be available…
Read More
e3 Ecosystem
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Learn more
Apply to become an e3 ecosystem partner with eSentire, the Authority in Managed Detection and Response.
Login to the Partner Portal for resources and content for current partners.
Security advisories — Apr 12, 2023

Microsoft Zero-Day Vulnerability Abused in Nokoyawa Ransomware Attacks

2 minutes read
Speak With A Security Expert Now


On April 11th, 2023, as part of Microsoft’s monthly Patch Tuesday release, Microsoft disclosed a zero-day vulnerability in the Windows Common Log File System (CLFS), which cybercriminals are actively exploiting to deploy Nokoyawa ransomware payloads. 

The vulnerability, tracked as CVE-2023-28252 (CVSS: 7.8), is a Privilege Escalation vulnerability in the Windows Common Log File System Driver; it impacts all supported Windows servers and client versions. Successful exploitation enables threat actors to gain SYSTEM privileges and fully compromise targeted Windows systems.

As exploitation of CVE-2023-28252 has been confirmed, immediate patching is strongly recommended. eSentire has detections in place to identify Nokoyawa ransomware precursors and variants.

What we’re doing about it

What you should do about it

Additional information

Exploitation of CVE-2023-28252 was first discovered by researchers from Kaspersky, who reported the vulnerability to Microsoft. Initial exploitation of the vulnerability was identified in February 2023. Related attacks have been identified impacting small and medium-sized businesses in the retail & wholesale, energy, manufacturing, healthcare, software development and other industries in the Middle East, North America, and Asia regions. There is no indication that these industries or locations were specifically targeted; other industries and countries are expected to be impacted in the future.

Nokoyawa is a strain of ransomware that surfaced in February 2022. It is capable of impacting 64-bit Windows-based systems in attacks. Nokoyawa shares code with JSWorm, Karma, and Nemty ransomware, and has previously been connected to the HIVE ransomware group. In September 2022, a Rust version of the ransomware was identified, in a switch from the initial Nokoyawa ransomware version, developed using the C programming language. Threat actors deploying Nokoyawa ransomware are known to employ the double extortion technique, where data is exfiltrated prior to ransomware deployment, and used to extort victims with the threat of data sale or public release.

To successfully exploit CVE-2023-28252, threat actors require previous access to a vulnerable device. It is currently unclear how threat actors gained access to systems prior to ransomware deployment. Organizations are recommended to review and apply the best practices for ransomware defense as provided by CISA in the #StopRansomware initiative.

In response, CISA added the vulnerability to its catalogue of Known Exploited Vulnerabilities, ordering FCEB agencies to secure their systems against it by May 2nd, 2023.


[1] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28252
[2] https://securelist.com/nokoyawa-ransomware-attacks-with-windows-zero-day/109483/
[3] https://www.cisa.gov/known-exploited-vulnerabilities-catalog
[4] https://www.cisa.gov/stopransomware/how-can-i-protect-against-ransomware

View Most Recent Blogs