Ransomware criminal sabotages his own operation

11/10/2023 | Cybercrime

After responding to an advertisement offering to become part of a ransomware-as-a-service (RaaS) operation, researchers found themselves in a cybercriminal job interview with one of the most active threat actors in the affiliate industry, who happens to be the source of at least five distinct ransomware outbreaks.

Introducing “farnetwork,” who lost his anonymity after providing too many details to a Group-IB threat researcher posing as a prospective Nokoyawa ransomware affiliate. The researchers discovered that the cybercriminal also goes by the aliases jingo, jsworm, razvrat, piparuka, and farnetworkit.

Farnetwork was prepared to discuss specifics after the undercover researcher proved they could carry out ransomware-induced file encryption, conduct privilege escalation, and eventually demand money for an encryption key.

Through their correspondence, the Group-IB analyst discovered that farnetwork already had a presence in a number of enterprise networks and only needed someone to carry out the next step: deploying the ransomware and collecting the payment. Group-IB’s team discovered that the terms of the agreement were as follows: the owner of the ransomware would receive 15%, the owner of the botnet would receive 20%, and the Nokoyawa affiliate would receive 65% of the extortion proceeds.

But as Group-IB clarified in its most recent report, Nokoyawa was merely the most recent ransomware operation that farnetwork was carrying out. In the end, the threat actor provided the researchers with enough information to trace farnetwork’s ransomware activity back to 2019.

In addition to boasting to the researchers about its previous experience with the Nefilim and Karma malware, farnetwork also revealed that it had received ransomware payments totaling up to $1 million. The rascal also alluded to prior collaborations with Nemty and Hive.

That was sufficient data for the Group-IB team to assemble a historical ransomware resume for farnetwork.

Group-IB claimed that farnetwork was responsible for the ransomware variants JSWORM, Karma, Nemty, and Nefilim between 2019 and 2021. The investigation also stated that more than 40 victims were linked to Nefilim’s RaaS program alone.

Farnetwork had settled in with the Nokoyawa operation by 2022, and as of late February it was aggressively recruiting new affiliates for the program.

“Based on the timeline of their operations, it is fair to assume that farnetwork has been one of the most active players in the RaaS market,” said the research.

Since then, Nokoyawa has stopped operating RaaS, and farnetwork has declared that it would shortly retire; nonetheless, Group-IB researchers believe the operator of the ransomware may reappear soon with a different strain.

“Despite farnetwork’s retirement announcement and the closure of Nokoyawa DLS, which is the actor’s latest known project, the Group-IB Threat Intelligence team doesn’t believe that the threat actor will call it quits,” the study stated. “As it happened several times in the past, we are highly likely to witness new ransomware affiliate programs and large-scale criminal operations orchestrated by farnetwork.”