Ransomware Mastermind Uncovered After Oversharing on Dark Web
Meet "farnetwork," one of the most prolific RaaS operators around, who spilled too many details during an affiliate "job interview."
November 8, 2023
When researchers responded to an ad to join up with a ransomware-as-a-service (RaaS) operation, they wound up in a cybercriminal job interview with one of the most active threat actors in the affiliate business, who turns out to be behind at least five different strains of ransomware.
Meet "farnetwork," who was unmasked after giving away too many specifics to a Group-IB threat researcher posing as a prospective affiliate for the Nokoyawa ransomware group. The cybercriminal is also known by aliases including jingo, jsworm, razvrat, piparuka, and farnetworkit, the team learned.
After the undercover researcher was able to demonstrate they could execute privilege escalation, use ransomware to encrypt files, and ultimately demand cash for an encryption key, farnetwork was ready to talk details.
During the course of their correspondence, the Group-IB researcher learned that farnetwork already had a foothold in various enterprise networks and just needed someone to take the next step: deploy the ransomware and collect the money. The deal would work like this, Group-IB's team learned: the Nokoyawa affiliate would get 65% of the extortion money, the botnet owner 20%, and the ransomware owner 15%.
But Nokoyawa was just the latest ransomware operation farnetwork was running, Group-IB explained in its latest report. The threat actor ultimately gave away enough details for the team to trace farnetwork's ransomware activities as far back as 2019.
Farnetwork bragged to the researchers about past operations with Nefilim and Karma ransomware, as well as being on the receiving end of ransomware payments as high as $1 million. The crook also mentioned past work with Hive and Nemty.
That was enough information for the Group-IB team to piece together a prolific ransomware résumé from farnetwork's past.
From 2019 to 2021, Group-IB said farnetwork was behind ransomware strains JSWORM, Karma, Nemty, and Nefilim. Nefilim's RaaS program alone accounted for more than 40 victims, the report added.
By 2022, farnetwork found a home with the Nokoyawa operation, and by last February, was actively recruiting affiliates to the program.
"Based on the timeline of their operations, it is fair to assume that farnetwork has been one of the most active players in the RaaS market," the report said.
Nokoyawa has since shuttered its RaaS operation, and farnetwork announced imminent retirement, but Group-IB researchers suspect the serial ransomware operator will pop up again soon with another strain.
"Despite farnetwork's retirement announcement and the closure of Nokoyawa DLS, which is the actor's latest known project, the Group-IB Threat Intelligence team doesn't believe that the threat actor will call it quits," Group-IB's report said. "As it happened several times in the past, we are highly likely to witness new ransomware affiliate programs and large-scale criminal operations orchestrated by farnetwork."