From Concealed to Revealed: Dark Web Slip-Up Exposes Ransomware Mastermind

A team of researchers answered an advertisement seeking affiliates for a ransomware-as-a-service (RaaS) operation and found themselves in a cybercriminal job interview with one of the most active threat actors in today's affiliate market. At least five ransomware strains are attributed to the same individual, known as "farnetwork".

The operator of the Nokoyawa ransomware program was eventually unmasked after giving away too many specifics to a Group-IB threat researcher who was posing as a prospective affiliate.

Besides farnetwork, the actor has gone by the aliases jingo, jsworm, razvrat and piparuka. Once the undercover researcher had satisfied farnetwork that they could escalate privileges on a compromised host, deploy the ransomware to encrypt files and then demand payment for the decryption key, farnetwork was ready to reveal more.

In the course of that correspondence, the Group-IB researcher learned that farnetwork already held footholds in several enterprise networks and was simply looking for someone to take the next step: deploy the ransomware and collect the ransom.

The deal on offer was a revenue split: the affiliate who carried out the extortion would keep 65% of each ransom, with 20% going to the botnet owner who supplied the initial access and 15% to the ransomware owner.

According to Group-IB's report, Nokoyawa was only the most recent of several ransomware operations farnetwork had run. After a lengthy exchange with the threat actor, the team had gathered enough to reconstruct farnetwork's ransomware activity going back to 2019.

During the exchange, farnetwork claimed to have received ransom payments totalling as much as $1 million while previously operating with the Nefilim and Karma ransomware.

There is also evidence that the actor has worked with Nemty and Hive. Group-IB's report ties farnetwork to the JSWORM, Nemty, Nefilim and Karma ransomware strains between 2019 and 2021.

The report adds that the Nefilim RaaS program alone accounted for more than 40 victims. farnetwork joined the Nokoyawa operation in 2022 and by the following February was actively recruiting affiliates for the program.

Taken together, the timeline of these operations leaves little doubt that farnetwork has been a significant player in the global RaaS market over the past several years.

The Nokoyawa RaaS operation has since been shut down and farnetwork has announced an intention to retire. Group-IB's researchers, however, expect the actor to resurface before long with yet another ransomware strain.