{"id":19129,"date":"2022-05-28T19:02:57","date_gmt":"2022-05-29T03:02:57","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/05\/28\/news-12862\/"},"modified":"2022-05-28T19:02:57","modified_gmt":"2022-05-29T03:02:57","slug":"news-12862","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/05\/28\/news-12862\/","title":{"rendered":"New Nokoyawa Variant Catching Up to Peers with Blatant Code Reuse"},"content":{"rendered":"<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12\">\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\"><\/div>\n<\/p><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Nokoyawa is a new Windows ransomware that appeared earlier this year. The earliest samples collected by FortiGuard researchers were compiled in February 2022 and share substantial code similarities with Karma, another ransomware that traces its lineage to Nemty through a long string of variants. Nemty is a ransomware family that FortiGuard Labs researchers reported on <a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/nemty-ransomware-early-stage-threat\" style=\"background-color: rgb(255,255,255);\">back in 2019<\/a><span>.<\/span><\/p>\n<p>Recently, FortiGuard Labs encountered a new variant of this ransomware campaign and observed that it has been improving itself by reusing code from publicly available sources. 
In this article, we discuss the general behavior of Nokoyawa Ransomware as well as the new features it recently added to maximize the number of files that can be encrypted.<\/p>\n<p style=\"margin-left: 40.0px;\"><b>Affected Platforms:\u00a0<\/b>Windows<br \/> <b>Impacted Parties:\u00a0<\/b>Windows users<br \/> <b>Impact:\u00a0<\/b>Potential loss of files<br \/> <b>Severity Level:\u00a0<\/b>Medium<\/p>\n<h2>Nokoyawa Ransomware Overview<\/h2>\n<p>A general overview of how Nokoyawa works is provided here to avoid rehashing information previously presented by other researchers. Links to prior research are listed near the bottom of this article.<\/p>\n<p>Curiously, unlike its alleged predecessor Karma, which runs on both 32-bit and 64-bit Windows, Nokoyawa has only been observed by FortiGuard Labs in samples compiled to run exclusively on 64-bit Windows.<\/p>\n<p>Nokoyawa provides several command line options for customized executions:<\/p>\n<ul>\n<li><i>-help<\/i>: Print the list of command line options<\/li>\n<li><i>-network<\/i>: Encrypt files on all drives and volumes (both local and networked)<\/li>\n<li><i>-file filePath<\/i>: Encrypt a single file<\/li>\n<li><i>-dir dirPath<\/i>: Encrypt all files in specified directory and sub-directories<\/li>\n<\/ul>\n<p>If no argument is provided, Nokoyawa encrypts all local drives and volumes by default. The \u201c<i>-help<\/i>\u201d argument is interesting as it suggests that the ransomware developers might be a separate team from the operators deploying and executing the ransomware on infected machines.<\/p>\n<p>For speed and efficiency, Nokoyawa creates multiple threads for encrypting files that do not end with .exe, .dll, or .lnk extensions. Files with NOKOYAWA in their names are also skipped. 
In addition, some directories and their sub-directories are excluded from encryption by comparing the hash of their names with a list of hardcoded hashes.<\/p>\n<p>For each sample, the ransomware operators generate a fresh pair of Elliptic-Curve Cryptography (ECC) public and private keys (aka keypair) and then embed the public key into the ransomware binary. This pair of keys can be considered as \u201cmaster\u201d keys necessary for decrypting the files upon ransom payment. Assuming that each sample is deployed for a different victim, the ransomware operators eliminate the possibility of victims using a decryptor provided to another victim since each victim is linked to a separate \u201cmaster\u201d keypair.<\/p>\n<p>Before encrypting each file, Nokoyawa creates a new ephemeral keypair (victim file keys) unique to each file. Using the victim file\u2019s private key and the \u201cmaster\u201d public key from the threat actors, a 64-byte shared secret is generated with Elliptic-Curve Diffie-Hellman (ECDH). The first 32 bytes of this shared secret are used as a Salsa20 key together with the hardcoded nonce \u2018lvcelvce\u2019 for encrypting the contents of each file.<\/p>\n<p>A SHA1 hash is generated based on the previously generated shared secret and the file content and is appended at the end of each encrypted file together with the victim file\u2019s public key and the string \u201cNOKOYAWA\u201d. This hash is likely to be used for checking data integrity during decryption.<\/p>\n<p>Consequently, the victim file\u2019s public key and the \u201cmaster\u201d private key owned by the ransomware operator are required to regenerate the Salsa20 key for decrypting each encrypted file.<\/p>\n<p>Files encrypted by the ransomware are appended with a .NOKOYAWA extension. 
The ransom note is written into NOKOYAWA_readme.txt in every directory included for encryption.<\/p>\n<h2>Ransomware Development Cheat Codes<\/h2>\n<p>The April 2022 samples we collected contain three new features to maximize the number of files that can be encrypted by Nokoyawa. These features were already present in contemporary ransomware families and their addition simply suggests an attempt by Nokoyawa developers to catch up with other operators in terms of technical capabilities.<\/p>\n<p>FortiGuard Labs researchers were able to determine that most of the added code was copied verbatim from publicly available sources, including the source of the now-defunct Babuk ransomware leaked in September 2021.<\/p>\n<p>One example of such blatant copying is the inclusion of functions to terminate processes and services to reduce the number of files locked by other programs so the encryption code can encrypt those files. The code (including the list of processes and service names) exactly matches the implementation in Babuk. The image in Figure 1 shows a side-by-side comparison of the service killer functions taken from Babuk\u2019s leaked source code (left) and Nokoyawa\u2019s decompiled code (right).<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/nokoyawa-variant-catching-up\/_jcr_content\/root\/responsivegrid\/image.img.jpeg\/1653090412957\/fig1.jpeg\" alt=\"Example of Service killer functions from Babuk and Nokoyawa\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 1. 
Service killer functions from Babuk and Nokoyawa<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The applications and services impacted by Nokoyawa include Microsoft Office applications, email clients, browsers, backup programs, security products, and database servers. Please refer to <b>Appendix A<\/b> for a complete list of the affected processes and services.<\/p>\n<p>Nokoyawa also includes code to enumerate and mount volumes to encrypt the files on these volumes, again reusing the exact code copied from the leaked Babuk source.<\/p>\n<p>In the latest samples we collected, Nokoyawa deletes volume snapshots by resizing the allocated space for snapshots of volume shadow copies to 1 byte via the <b>DeviceIoControl<\/b> API using the <b>IOCTL_VOLSNAP_SET_MAX_DIFF_AREA_SIZE<\/b> (0x53c028) control code. This size would be too small to store snapshots, resulting in Windows deleting them. This technique was previously <a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/stomping-shadow-copies-a-second-look-into-deletion-methods\">reported<\/a> by Fortinet and the implementation appears to be copied from a publicly available PoC. Previous samples did not delete volume shadow copies.<\/p>\n<p>For the above functionality to operate correctly, administrator privileges are required. 
Since we did not observe any Windows User Account Control (UAC) bypass being performed by the sample, it is likely that the operators use other means to escalate or obtain administrative privileges prior to executing the ransomware.<\/p>\n<h2>New Ransom Note with Onion URL<\/h2>\n<p>The ransom note and the way victims communicate with the perpetrators have also undergone a major change in the new variants.<\/p>\n<p>In the older samples from February, victims were instructed to contact the ransomware operators via email, as shown in Figure 2.\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/nokoyawa-variant-catching-up\/_jcr_content\/root\/responsivegrid\/image_502080090.img.jpeg\/1653091620972\/fig2.jpeg\" alt=\"Screenshot of Previous ransomware note with redacted emails\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 2. Previous ransomware note with redacted emails<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>In the April 2022 samples, however, the email addresses were removed. They were replaced with instructions to contact the ransomware operators through a .onion URL via a TOR browser. 
Each sample uses the same .onion domain in the ransom notes but the<b> id<\/b> parameter, which we presume to be the victim identifier, is unique for each sample (Figure 3).<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/nokoyawa-variant-catching-up\/_jcr_content\/root\/responsivegrid\/image_401309843.img.jpeg\/1653091689134\/fig3.jpeg\" alt=\"Example of New ransomware note with the Onion URL\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 3. New ransomware note with the Onion URL<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2>New Ransom Payment Page<\/h2>\n<p>Visiting the Onion URL leads to a page with an online chat box for communicating with the operators for negotiating and paying the ransom. FortiGuard Labs researchers observed an ongoing conversation between a possible victim (Company) and the ransomware operator (User). Based on this chat history, the threat actors offer free decryption of up to 3 files to prove that they can decrypt the victim\u2019s files (Figure 4).<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/nokoyawa-variant-catching-up\/_jcr_content\/root\/responsivegrid\/image_1231607657.img.png\/1653091080802\/fig4.png\" alt=\"New payment page with chat box \"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 4. 
New payment page with chat box <\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The \u201cInstructions\u201d page shows the ransom amount, in this case a hefty 1,500,000 (presumably in USD), that could be paid in either BTC (Bitcoin) or XMR (Monero). After payment, the operators claim to provide the tool to decrypt the victim\u2019s files (Figure 5).<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/nokoyawa-variant-catching-up\/_jcr_content\/root\/responsivegrid\/image_691473549.img.png\/1653091367458\/fig5.png\" alt=\"Ransom payment instruction page\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 5. Ransom payment instruction page<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Given the increasing professionalization of some ransomware campaigns, this TOR website may be an attempt to improve \u201cbranding\u201d or it may be a way to have a separate team handle ransom negotiations.<\/p>\n<p>Oddly enough, the ransom note includes the following message <i>\u201cContact us to reach an agreement or we will leak your black s**t to media,\u201d<\/i> which suggests that the victim&#8217;s data might have been exfiltrated during the infection. However, FortiGuard Labs researchers did not find such capabilities in the Nokoyawa samples. In fact, apart from the enumeration of networked drives, no network-related behaviors were observed at all. 
It may be possible that data exfiltration is performed separately by the operators, or they might be bluffing to further pressure victims into paying the ransom.<b><\/b><\/p>\n<h2>Conclusion<\/h2>\n<p>In this article, we highlighted the improvements that have been made to the new variant of Nokoyawa Ransomware. It also shows how threat actors can quickly add new capabilities to their malware with minimal effort by reusing publicly available code.<\/p>\n<p>FortiGuard Labs will continue to monitor Nokoyawa and emerging trends in the ransomware threat landscape.<\/p>\n<h2>Fortinet Protections<\/h2>\n<p>The FortiGuard Antivirus service detects and blocks this threat as <b>W64\/Filecoder.EV!tr<\/b>.<\/p>\n<p>Fortinet customers are protected from this malware through FortiGuard\u2019s <a href=\"https:\/\/www.fortinet.com\/support-and-training\/support-services\/fortiguard-security-subscriptions\/web-filtering.html?utm_source=blog&amp;utm_campaign=web-filtering\">Web Filtering<\/a>, <a href=\"https:\/\/www.fortinet.com\/support\/support-services\/fortiguard-security-subscriptions\/antivirus\">Antivirus<\/a>, and <a href=\"https:\/\/www.fortinet.com\/support\/support-services\/fortiguard-security-subscriptions\/content-disarm-reconstruction\">CDR<\/a> (content disarm and reconstruction) services and <a href=\"https:\/\/www.fortinet.com\/products\/email-security\/fortimail.html?utm_source=blog&amp;utm_campaign=fortimail-main-page\">FortiMail<\/a>, <a href=\"https:\/\/www.fortinet.com\/products\/endpoint-security\/forticlient.html?utm_source=blog&amp;utm_campaign=endpoint-web-page\">FortiClient<\/a>, and <a href=\"https:\/\/www.fortinet.com\/products\/endpoint-security\/fortiedr.html?utm_source=blog&amp;utm_campaign=fortiedr\">FortiEDR<\/a> solutions.<\/p>\n<p>Due to the ease of disruption, damage to daily operations, potential impact to the reputation of an organization, and the unwanted destruction or release of personally identifiable information (PII), etc., it is 
important to keep all AV and IPS signatures up to date.<\/p>\n<p>Since the majority of ransomware is delivered via phishing, organizations should consider leveraging the Fortinet solutions designed to train users to understand and detect phishing threats:<\/p>\n<p>The\u00a0<a href=\"https:\/\/www.fortinet.com\/products\/phishing-simulation\">FortiPhish Phishing Simulation Service\u00a0<\/a>uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.<\/p>\n<p>We also suggest that organizations have their end users go through our free\u00a0<a href=\"https:\/\/training.fortinet.com\/?utm_source=blog&amp;utm_campaign=nse-institute\">NSE training<\/a>:\u00a0<a href=\"https:\/\/training.fortinet.com\/local\/staticpage\/view.php?page=nse_1&amp;utm_source=blog&amp;utm_campaign=nse-1\">NSE 1 \u2013 Information Security Awareness<\/a>. It includes a module on Internet threats that is designed to help end users learn how to identify and protect themselves from various types of phishing attacks.<\/p>\n<h2>IOCs<\/h2>\n<p><u>Files (SHA256)<\/u><\/p>\n<p>A32b7e40fc353fd2f13307d8bfe1c7c634c8c897b80e72a9872baa9a1da08c46<\/p>\n<p>304e01db6da020fc1e0e02fdaccd60467a9e01579f246a8846dcfc33c1a959f8<\/p>\n<p>The existence of the following files might also indicate an infection:<\/p>\n<ul>\n<li>NOKOYAWA_readme.txt<\/li>\n<li>Filenames with \u201c.NOKOYAWA\u201d extension<\/li>\n<\/ul>\n<h2>References<\/h2>\n<ul>\n<li><a href=\"https:\/\/www.sentinelone.com\/labs\/nokoyawa-ransomware-new-karma-nemty-variant-wears-thin-disguise\" target=\"_blank\">https:\/\/www.sentinelone.com\/labs\/nokoyawa-ransomware-new-karma-nemty-variant-wears-thin-disguise<\/a><\/li>\n<li><a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/c\/nokoyawa-ransomware-possibly-related-to-hive-.html\" 
target=\"_blank\">https:\/\/www.trendmicro.com\/en_us\/research\/22\/c\/nokoyawa-ransomware-possibly-related-to-hive-.html<\/a><\/li>\n<li><a href=\"https:\/\/www.sentinelone.com\/labs\/karma-ransomware-an-emerging-threat-with-a-hint-of-nemty-pedigree\/\" target=\"_blank\">https:\/\/www.sentinelone.com\/labs\/karma-ransomware-an-emerging-threat-with-a-hint-of-nemty-pedigree\/<\/a><\/li>\n<li><a href=\"https:\/\/securelist.com\/evolution-of-jsworm-ransomware\/102428\/\" target=\"_blank\">https:\/\/securelist.com\/evolution-of-jsworm-ransomware\/102428\/<\/a><\/li>\n<\/ul>\n<h2>Appendix A<\/h2>\n<p>List of process names<\/p>\n<ul>\n<li>sql.exe\u00a0\u00a0\u00a0<\/li>\n<li>oracle.exe<\/li>\n<li>ocssd.exe<\/li>\n<li>dbsnmp.exe<\/li>\n<li>synctime.exe<\/li>\n<li>agntsvc.exe<\/li>\n<li>isqlplussvc.exe<\/li>\n<li>xfssvccon.exe<\/li>\n<li>mydesktopservice.exe<\/li>\n<li>ocautoupds.exe<\/li>\n<li>encsvc.exe<\/li>\n<li>firefox.exe<\/li>\n<li>tbirdconfig.exe<\/li>\n<li>mydesktopqos.exe<\/li>\n<li>ocomm.exe<\/li>\n<li>dbeng50.exe<\/li>\n<li>sqbcoreservice.exe<\/li>\n<li>excel.exe<\/li>\n<li>infopath.exe<\/li>\n<li>msaccess.exe<\/li>\n<li>mspub.exe<\/li>\n<li>onenote.exe<\/li>\n<li>outlook.exe<\/li>\n<li>powerpnt.exe<\/li>\n<li>steam.exe<\/li>\n<li>thebat.exe<\/li>\n<li>thunderbird.exe<\/li>\n<li>visio.exe<\/li>\n<li>winword.exe<\/li>\n<li>wordpad.exe<\/li>\n<li>notepad.exe<\/li>\n<\/ul>\n<p>List of service 
names<\/p>\n<ul>\n<li>vss<\/li>\n<li>sql<\/li>\n<li>svc$<\/li>\n<li>memtas<\/li>\n<li>mepocs<\/li>\n<li>sophos<\/li>\n<li>veeam<\/li>\n<li>backup<\/li>\n<li>GxVss<\/li>\n<li>GxBlr<\/li>\n<li>GxFWD<\/li>\n<li>GxCVD<\/li>\n<li>GxCIMgr<\/li>\n<li>DefWatch<\/li>\n<li>ccEvtMgr<\/li>\n<li>ccSetMgr<\/li>\n<li>SavRoam<\/li>\n<li>RTVscan<\/li>\n<li>QBFCService<\/li>\n<li>QBIDPService<\/li>\n<li>Intuit.QuickBooks.FCS<\/li>\n<li>QBCFMonitorService<\/li>\n<li>YooBackup<\/li>\n<li>YooIT<\/li>\n<li>zhudongfangyu<\/li>\n<li>sophos<\/li>\n<li>stc_raw_agent<\/li>\n<li>VSNAPVSS<\/li>\n<li>VeeamTransportSvc<\/li>\n<li>VeeamDeploymentService<\/li>\n<li>VeeamNFSSvc<\/li>\n<li>veeam<\/li>\n<li>PDVFSService<\/li>\n<li>BackupExecVSSProvider<\/li>\n<li>BackupExecAgentAccelerator<\/li>\n<li>BackupExecAgentBrowser<\/li>\n<li>BackupExecDiveciMediaService<\/li>\n<li>BackupExecJobEngine<\/li>\n<li>BackupExecManagementService<\/li>\n<li>BackupExecRPCService<\/li>\n<li>AcrSch2Svc<\/li>\n<li>AcronisAgent<\/li>\n<li>CASAD2DWebSvc<\/li>\n<li>CAARCUpdateSvc<\/li>\n<\/ul>\n<div><i>\u00a0<\/i><\/div>\n<div><i>Learn more about Fortinet\u2019s <a href=\"https:\/\/www.fortinet.com\/fortiguard\/labs?utm_source=blog&amp;utm_campaign=fortiguard-labs\">FortiGuard Labs<\/a> threat research and intelligence organization and the FortiGuard Security Subscriptions and Services <a href=\"https:\/\/www.fortinet.com\/fortiguard\/labs?tab=security-bundles&amp;utm_source=blog&amp;utm_campaign=security-bundles\">portfolio<\/a>.<\/i><\/div>\n<\/p><\/div>\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\">\n<div id=\"om-b2dxtopzidsdt3fkzfsv-holder\"><\/div>\n<\/div><\/div>\n<\/p><\/div>\n<p><a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/nokoyawa-variant-catching-up\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/fortinet\/blog\/threat-research<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" 
src=\"\/blog\/threat-research\/nokoyawa-variant-catching-up\/_jcr_content\/root\/responsivegrid\/image.img.jpeg\/1653090412957\/fig1.jpeg\"\/><br \/>FortiGuard Labs discovered a new variant of the Nokoyawa ransomware and observed that it has been evolving by reusing code from publicly available sources. Read our blog to learn more about the behavior and new features which maximize the number of files that can be encrypted.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-19129","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19129","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=19129"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19129\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=19129"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=19129"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=19129"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}