When researchers responded to an advert to sign up with a ransomware-as-a-service (RaaS) operation, they wound up in a cybercriminal job interview with one of the most active threat actors in the affiliate business, who appears to be behind at least five different strains of ransomware.
Meet “farnetwork,” who was unmasked after giving away too many specifics to a Group-IB threat researcher pretending to be a potential affiliate for the Nokoyawa ransomware group. The cybercriminal is also known by aliases including jingo, jsworm, razvrat, piparuka, and farnetworkit, the team learned.
After the undercover researcher was able to demonstrate they could execute privilege escalation, use ransomware to encrypt files, and ultimately demand money for an encryption key, farnetwork was willing to talk details.
During the course of their correspondence, the Group-IB researcher learned that farnetwork already had a foothold in various enterprise networks and just needed someone to take the next step — i.e., to deploy the ransomware and collect the money. The deal would work like this, Group-IB’s team learned: the Nokoyawa affiliate would get 65% of the extortion money, the botnet owner gets 20%, and the ransomware owner gets 15%.
But Nokoyawa was just the latest ransomware operation farnetwork was running, Group-IB explained in its latest report. The threat actor ultimately gave up enough details for the team to trace farnetwork’s ransomware activities as far back as 2019.
Farnetwork bragged to the researchers about past operations with Nefilim and Karma ransomware, as well as being on the receiving end of ransomware payments as high as $1 million. The criminal also mentioned past work with Hive and Nemty.
That was enough information for the Group-IB team to piece together a prolific ransomware resume in farnetwork’s past.
From 2019 to 2021, Group-IB said, farnetwork was behind the ransomware strains JSWORM, Karma, Nemty, and Nefilim. Nefilim’s RaaS program alone accounted for more than 40 victims, the report added.
By 2022, farnetwork had found a home with the Nokoyawa operation, and by last February was actively recruiting affiliates to the program.
“Based on the timeline of their operations, it’s fair to assume that farnetwork has been one of the most active players in the RaaS market,” the report said.
Nokoyawa has since shuttered its RaaS operation, and farnetwork announced imminent retirement, but Group-IB researchers suspect the serial ransomware operator will pop up again soon with another strain.
“Despite farnetwork’s retirement announcement and the closure of Nokoyawa DLS, which is the actor’s latest known project, the Group-IB Threat Intelligence team does not believe that the threat actor will call it quits,” Group-IB’s report said. “As it happened several times in the past, we are highly likely to witness new ransomware affiliate programs and large-scale criminal operations orchestrated by farnetwork.”