A Russian Threat Actor, a Mastermind of Ransomware, Influences 5 Strains
Researchers from Group-IB infiltrated the Nokoyawa ransomware-as-a-service (RaaS) program and identified a key threat actor known as 'farnetwork', who has ties to the development of multiple ransomware affiliate programs including JSWORM, Nefilim, Karma, and Nemty. Active since 2019, 'farnetwork' operates under multiple aliases on underground forums, such as farnetworkl, jingo, jsworm, razvrat, piparkuka, and farnetworkit. Group-IB researchers approached farnetwork in late March 2023 by responding to a recruitment ad for the Nokoyawa RaaS program posted on Russian cybercrime forums. Candidates looking to join the program are tested and must demonstrate the technical ability to escalate privileges, exfiltrate files, and carry out ransomware attacks.
This demonstration is required because farnetwork streamlines attacks for affiliates by "granting affiliates access to corporate networks of targeted companies. As a result, affiliates only need to escalate privileges, extract sensitive data, and encrypt targeted networks." Group-IB explains that this streamlined approach comes with a lower ransom payout to the affiliate, 65%, compared with other RaaS programs that often offer affiliates a cut of up to 85%. The researchers also found that farnetwork gathered credentials harvested by information-stealing malware such as RedLine and distributed them to affiliates for use in attacks. It is worth noting that 'farnetwork' imposes certain restrictions, notably prohibiting affiliates from targeting medical and healthcare facilities.
An examination of 'farnetwork's activities and ransomware management approach since January 2019 reveals a recurring pattern of launching and then shutting down programs. Despite the recent announcement that the Nokoyawa ransomware has shut down, it is possible that this is merely a smokescreen to obscure the threat actor's actions and lay the groundwork for a new RaaS program. Currently, 'farnetwork' appears to be inactive on underground forums.