Cybersecurity researchers have unmasked a prolific threat actor known as farnetwork, who has been linked to five different ransomware-as-a-service (RaaS) programs over the past four years in various capacities.
Singapore-headquartered Group-IB, which attempted to infiltrate a private RaaS program that uses the Nokoyawa ransomware strain, said it underwent a “job interview” process with the threat actor, learning several valuable insights into their background and role within these RaaS programs.
“Throughout the threat actor’s cybercriminal career, which began in 2019, farnetwork has been involved in several connected ransomware projects, including JSWORM, Nefilim, Karma, and Nemty, as part of which they helped develop ransomware and manage the RaaS programs before launching their own RaaS program based on Nokoyawa ransomware,” Nikolay Kichatov, threat intelligence analyst at Group-IB, said.
The latest disclosure comes nearly six months after the cybersecurity company infiltrated the Qilin RaaS gang, uncovering details about the affiliates’ payment structure and the inner workings of the RaaS program.
Farnetwork is known to operate under several aliases such as farnetworkit, farnetworkl, jingo, jsworm, piparkuka, and razvrat on different underground forums like RAMP, initially advertising a remote access trojan called RazvRAT as a vendor.
In 2022, besides shifting focus to Nokoyawa, the Russian-speaking individual is said to have launched their own botnet service to provide affiliates with access to compromised corporate networks.
Since the start of the year, farnetwork has been linked to recruitment efforts for the Nokoyawa RaaS program, asking potential candidates to facilitate privilege escalation using stolen corporate account credentials and deploy the ransomware to encrypt a victim’s files, and then demand payment in return for the decryption key.
The credentials are sourced from information stealer logs purchased on underground markets, where other threat actors obtain initial access to target endpoints by distributing off-the-shelf stealer malware like RedLine that is, in turn, pushed through phishing and malvertising campaigns.
It is worth noting that some of the credentials offered by farnetwork first appeared in Underground Clouds of Logs, a service that offers access to compromised confidential data obtained through information stealers.
The RaaS model allows affiliates to receive 65% of the ransom amount and the botnet owner to receive 20%. The ransomware developer, on the other hand, receives 15% of the total share, a number that could drop further down to 10%.
“From the affiliate’s perspective, this introduces a novel approach as they are not required to get initial access to corporate networks themselves, they can leverage the access that has already been provided by the RaaS manager,” Group-IB’s Threat Intelligence team told The Hacker News.
“While this decreases the percentage of the payout that an affiliate receives, it enhances ransomware operators’ efficiency and speed. Farnetwork’s botnet is used to gain access to corporate networks, effectively replacing the role of initial access brokers.”
Nokoyawa has since ceased its operations as of October 2023, although Group-IB said there is a high probability that farnetwork would resurface under a different name and with a new RaaS program.
“Farnetwork is an experienced and highly skilled threat actor,” Kichatov said, describing the threat actor as one of the “most active players of the RaaS market.”