
Threat actor farnetwork linked to five ransomware strains


Farnetwork, a Russian-speaking threat actor operating the Nokoyawa ransomware-as-a-service (RaaS), has been linked to at least five other ransomware strains, including JSWORM, Nefilim, Karma, Nemty, and RazvRAT.

Cybersecurity researchers from Group-IB have exposed ‘farnetwork’ and traced the actor’s journey through the cybercrime world by detailing how they ran the RaaS business. The threat actor has been active on multiple Russian-speaking hacker forums under usernames such as ‘farnetworkl’, ‘jingo’, ‘jsworm’, ‘razvrat’, ‘piparkuka’, and ‘farnetworkitand’, while attempting to recruit affiliates for different ransomware operations.

Researchers found that in March ‘farnetwork’ began searching for affiliates for their Nokoyawa-based ransomware-as-a-service program, though the actor clarified that they were not involved in developing Nokoyawa itself.

This venture didn’t last long, however: ‘farnetwork’ recently announced their retirement from the scene. In October, they shut down the Nokoyawa RaaS program after data from 35 victims had been leaked. Researchers believe this abrupt move is part of the threat actor’s strategy to cover their tracks and re-emerge under a new brand.

[Image: farnetwork screenshot 1. Source: Group-IB]

In the Nokoyawa ransomware ecosystem, ‘farnetwork’ served as project leader, affiliate recruiter, promoter of the RaaS on darknet forums, and botnet manager. The botnet gave affiliates direct access to already-compromised networks; under the financial arrangement, the botnet owner received 20% of the collected ransom and the ransomware owner received 15%. This split reflected the effort required to find suitable targets and breach them.

[Image: farnetwork screenshot 2. Source: Group-IB]

To test affiliate candidates, ‘farnetwork’ supplied them with corporate account credentials sourced from the Underground Cloud of Logs (UCL) service, which sells stolen logs from info-stealers like RedLine, Vidar, and Raccoon. Affiliates were expected to escalate their privileges on the network, steal files, execute the encryption process, and demand a ransom payment.

Group-IB’s investigation revealed a timeline of the group’s past activities dating back to January 2019, including associations with the JSWORM, Nemty, Nefilim, and Karma ransomware strains, all of which ‘farnetwork’ actively promoted on various hacker forums.

The investigation shows that while ransomware operations change and evolve, seasoned individuals like ‘farnetwork’ remain at their core, ensuring the continuity of illicit cyber activity under whatever new framework emerges.


Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
