Cybersecurity researchers have profiled a prolific ransomware operator known as "farnetwork", who has been linked to five separate ransomware programs over the past four years.
Singapore-based cybersecurity firm Group-IB set out to gain insight into a secretive ransomware-as-a-service (RaaS) program built on the Nokoyawa ransomware. Its approach was to go through the program's "job interview" process with the threat actor running it. That unconventional interaction gave Group-IB a detailed picture of the individual's background and of their central role in several earlier ransomware operations.
"Throughout the threat actor's cybercriminal career, which began in 2019, farnetwork has been involved in several connected ransomware projects, including JSWORM, Nefilim, Karma, and Nemty, as part of which they helped develop ransomware and manage the RaaS programs before launching their own RaaS program based on Nokoyawa ransomware," Nikolay Kichatov, cyber security intelligence analyst at Group-IB, said.
The disclosure comes about six months after the same firm infiltrated the Qilin RaaS operation and published details of how its affiliates are paid and how the program is run internally.
farnetwork goes by a number of aliases, including farnetworkit, farnetworkl, jingo, jsworm, piparkuka, and razvrat, depending on the underground forum. Early on, farnetwork sold a remote access trojan called RazvRAT.
In 2022, alongside the Nokoyawa work, the Russian-speaking threat actor is also said to have launched their own botnet service, which sells affiliates access to already-compromised corporate networks.
Since the beginning of 2023, farnetwork has been actively recruiting affiliates for the Nokoyawa RaaS program.
Candidates are expected to take stolen corporate account credentials, use them to escalate privileges inside the victim's network, deploy the ransomware to encrypt the victim's files, and then demand a ransom in exchange for the decryption key.
The credentials are sourced from underground markets in the form of infostealer logs, the dumps of saved logins that information-stealing malware harvests from infected machines.
In some cases, the threat actors themselves use off-the-shelf stealers such as RedLine to obtain initial access; the stealers are distributed through phishing emails and malvertising campaigns.
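The affiliate workflow described above starts from infostealer logs, so the defensive counterpart is to triage those same logs for your own accounts before an affiliate does: find corporate identities and portal logins in a dump, and spot where a portal password is reused on third-party sites. The following script is an added example and is not code from Group-IB or from the Nokoyawa operation; the domain names, portal hostnames and log lines are constructed, and the `url|username|password` line layout is an assumption about the export format (it is a common one, but real dumps vary).

```python
"""
Triage of infostealer-log credentials against a corporate domain.

Added example, not part of the Group-IB report. Assumes the stealer-log
export uses one credential per line in the form  url|username|password.
All domains, hostnames and sample lines below are constructed.
"""
from urllib.parse import urlparse

# Assumed corporate identity domain(s) and externally reachable login portals.
CORP_DOMAINS = {"example-corp.com"}
CORP_PORTALS = {"vpn.example-corp.com", "sso.example-corp.com",
                "mail.example-corp.com"}

# Constructed sample dump; not real data.
SAMPLE_LOG = """\
https://sso.example-corp.com/login|j.doe@example-corp.com|Winter2023!
https://vpn.example-corp.com/|jdoe|Winter2023!
https://mail.google.com/|j.doe@example-corp.com|Winter2023!
https://shop.example.net/account|J.Doe@Example-Corp.com|Winter2023!
https://vpn.example-corp.com/|a.smith|S3cret#99
https://netflix.com/login|personal@gmail.com|hunter2
bad line without separators
"""


def parse_stealer_log(text):
    """Yield (host, username, password) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split("|", 2)          # password may itself contain '|'
        if len(parts) != 3:
            continue                        # skip malformed or truncated lines
        url, user, pwd = (p.strip() for p in parts)
        host = urlparse(url).hostname
        if host is None:                    # bare "host/path" without a scheme
            host = url.split("/", 1)[0]
        yield host.lower(), user.lower(), pwd


def involves_corp(host, user):
    """True if the record hits a corporate portal or uses a corporate identity."""
    if host in CORP_PORTALS:
        return True
    return any(user.endswith("@" + d) for d in CORP_DOMAINS)


def triage(text):
    """
    Group exposed credentials by account.

    Returns {username: {"portals": [...], "third_party": [...],
                        "password_reused": bool}}
    where password_reused means a password seen on a corporate portal also
    appears for the same identity on a non-corporate site, i.e. it is
    recoverable from any other breach of that identity.
    """
    by_user = {}
    for host, user, pwd in parse_stealer_log(text):
        if not involves_corp(host, user):
            continue
        e = by_user.setdefault(user, {"portals": set(), "third_party": set(),
                                      "portal_pw": set(), "other_pw": set()})
        if host in CORP_PORTALS:
            e["portals"].add(host)
            e["portal_pw"].add(pwd)
        else:
            e["third_party"].add(host)
            e["other_pw"].add(pwd)
    return {
        user: {
            "portals": sorted(e["portals"]),
            "third_party": sorted(e["third_party"]),
            "password_reused": bool(e["portal_pw"] & e["other_pw"]),
        }
        for user, e in by_user.items()
    }


def reset_priority(text):
    """Accounts to force-reset, most urgent first: portal exposure, then reuse."""
    report = triage(text)
    return sorted(report,
                  key=lambda u: (bool(report[u]["portals"]),
                                 report[u]["password_reused"], ),
                  reverse=True)  # note: ties keep alphabetical order reversed


if __name__ == "__main__":
    for user in reset_priority(SAMPLE_LOG):
        print(user, triage(SAMPLE_LOG)[user])
```

A real triage would add the capture date each stealer family records, so that a credential rotated after the infection is not re-reset, and would feed the portal hits into the identity provider to revoke active sessions as well as passwords, since an affiliate who already authenticated does not need the password again.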
Under the program's RaaS model, the affiliate keeps 65% of the ransom payment, the botnet owner who supplied the network access takes 20%, and the ransomware developer takes 15%, a share that drops to 10% in some cases.
Nokoyawa ceased operations in October 2023. Group-IB assesses, however, that farnetwork is likely to resurface under a new identity with a new RaaS program.