The operator of the Nokoyawa ransomware-as-a-service (RaaS), a menace actor generally known as ‘farnetwork’, constructed expertise over time by serving to the JSWORM, Nefilim, Karma, and Nemty affiliate packages with malware growth and operation administration.
A report from cybersecurity firm Group-IB supplies perception into farnetwork’s exercise and the way they progressively constructed their profile as a extremely lively participant within the ransomware enterprise.
In interactions with menace intelligence analysts, farnetwork shared useful particulars that hyperlink them to ransomware operations beginning 2019 and a botnet with entry to a number of company networks.
In accordance with a report Group-IB shared with BleepingComputer, the menace actor has a number of usernames (e.g. farnetworkl, jingo, jsworm, razvrat, piparkuka, and farnetworkitand) and has been lively on a number of Russian-speaking hacker boards attempting to recruit associates for varied ransomware operations.
In March, although, farnetwork began searching for associates for his or her ransomware-as-a-service program primarily based on the Nokoyawa locker. Nevertheless, Group-IB’s menace intelligence analysts say that the actor made it clear that they weren’t concerned within the growth of Nokoyawa.
Working the RaaS enterprise did not final very lengthy as farnetwork introduced lately that they’d retire from the scene and in October they shut down the Nokoyawa RaaS program, after leaking information of 35 victims.
Nevertheless, Group-IB believes that this transfer is a part of the menace actor’s technique to lose their tracks and begin afresh beneath a brand new model
Operations supervisor
In Nokoyawa ransomware, farnetwork acted as a undertaking chief, affiliate recruiter, promoter of the RaaS on darknet boards, and botnet supervisor.
The botnet enabled associates direct entry to already compromised networks. For this perk, they’d pay the botnet proprietor 20% from the collected ransom and the ransomware proprietor would get 15%.
A 65% reduce for the ransomware affiliate might appear to be a foul deal, contemplating that different packages pay as much as 85% of the ransom, however the price coated the trouble of discovering an acceptable goal and breaching it.
Farnetwork examined affiliate candidates by offering them with a number of company account credentials sourced from the Underground Cloud of Logs (UCL) service, which sells logs stolen by info-stealers similar to RedLine, Vidar, and Raccoon.
The associates had been anticipated to escalate their privileges on the community, steal information, run the encryptor, and demand a ransom cost.
Timeline of previous actions
Group-IB has been in a position to monitor farnetwork’s actions way back to January 2019 and located connections to the JSWORM, Nemty, Nefilim, and Karma ransomware strains.
In April 2019, farnetwork promoted the JSWORM RaaS program on the Exploit hacker discussion board, the place the menace actor marketed the RazvRAT malware.
In August 2019, after JSWORM shut down, the menace actor switched to selling Nemty on not less than two Russian-speaking underground boards.
In March 2020, Nefilim ransomware emerged as a brand new associates program with a knowledge leak website known as Company Leaks. The subsequent month, farnetwork introduced that Nemty would go non-public.
In June 2021, a seemingly rebrand of Nefilim known as Karma appeared, and in July 2021, Nefilim went silent. Throughout that point, farnetwork was searching for details about a zero-day vulnerability in Citrix VPN.
In February 2023, farnetwork pivoted to the RAMP discussion board saying they had been working with the Nokoyawa ransomware as a recruiter and entry supervisor.
Based mostly on Group-IB’s findings, farnetwork is suspected to have been concerned in growing or not less than within the evolution and administration of the talked about ransomware strains. The strongest ties are with Nefilim and Karma, each thought of evolutions of Nemty.
Group-IB managed to attach the totally different usernames to the identical menace actor, exhibiting that ransomware operations can come and go however behind them are seasoned people that preserve the enterprise going beneath new names.