Recently published research by Group IB’s threat intelligence team uncovered a threat actor related to five ransomware strains. It gave researchers insider knowledge of ransomware-as-a-service (RaaS) operations.
Security researchers looked to infiltrate the RaaS network by applying to be an affiliate. This required the researchers to be interviewed as one would be for a job.
As it would turn out, the interviewer was a threat actor of some renown, with their own botnet infrastructure used for compromising high-profile victims, going by the following aliases farnetworkl, jingo, jsworm, razvrat, piparkuka, and farnetworkit, who will be referred to as farnetwork for the remainder of this article.
Researchers summarized farnetwork history as follows,
Throughout the threat actor’s cybercriminal career, which began in 2019, farnetwork has been involved in several connected ransomware projects, including JSWORM, Nefilim, Karma, and Nemty, as part of which they helped develop ransomware and manage the RaaS programs before launching their own RaaS program based on Nokoyawa ransomware (also used by ShadowSyndicate). On June 19, 2023, farnetwork announced that they would stop recruiting for their team and declared their intentions to retire from the business. Nokoyawa DLS ceased its operations in October 2023.
For researchers to gain access to the treasure trove of information held by farnetwork, researchers registered on RAMP, a ransomware-themed underground forum.
RAMP is an exclusive, predominantly Russian-speaking forum that requires a 500 USD deposit or a moderator invitation to gain access. It was hoped that these measures would prevent security researchers or law enforcement from gaining access to the forum.
On the forum, researchers noticed an ad posted by farnetworkl, who wanted to recruit affiliates for their own RaaS program. In the post, the threat actor said they were looking for affiliates able to work with access to compromised networks. Affiliates are promised access to fully functional ransomware samples and support for testing purposes.
It was via this approach the following information was given to researchers,
The threat actor stated that they were currently managing a RaaS affiliate program based on Nokoyawa ransomware. They described the working conditions in the Nokoyawa RaaS program as follows: a ransomware affiliate who carries out a successful attack receives 65% of the ransom amount, the botnet owner receives 20%, and the ransomware developer receives 15%. On average, in other groups, affiliates receive up to 85%. However, in this case, farnetwork is granting affiliates access to corporate networks of targeted companies. As a result, affiliates only need to escalate privileges, extract sensitive data, and encrypt targeted networks, which explains why the distribution of profits is different from the industry average.
Nokoyawa Ransomware in Brief
Farnetwork told researchers that they were not a developer behind Nokoyawa, the foundation of the ransomware that is to be used by affiliates. However, the ransomware still deserves a brief mention in this article.
The ransomware strain was first discovered in February 2022 and has seen a newer version written in Rust. The encryption module utilizes Elliptic Curve Cryptography (ECC) with SECT233R1 and Curve25519, and Salsa20 for file encryption and runtime flexibility via a command-line configuration parameter.
However, in October 2023, Nokoyawa creators decided to throw in the towel and ceased operations. According to their data leak site, in the period they were active, they had accrued some 35 victims.
Until this point, farnetwork has experience deploying both Nemty and Karma ransomware strains, and seeing that Nokoyawa was seen as an evolution, farnetwork’s involvement as an affiliate is expected.
It would seem that the ceasing of Nokoyawa operations may have taken this experienced and skilled threat actor by surprise, but they are not willing to throw in the towel.
Farnetwork has become one of the most active players of the RaaS market. The threat actor has been involved in five ransomware-as-a-service programs in less than five years. Group-IB researchers discovered evidence suggesting that the threat actor has not only been managing RaaS programs but also developed ransomware themselves…Despite farnetwork’s retirement announcement and the closure of Nokoyawa DLS, which is the actor’s latest known project, the Group-IB Threat Intelligence team doesn’t believe that the threat actor will call it quits. As it happened several times in the past, we are highly likely to witness new ransomware affiliate programs and large-scale criminal operations orchestrated by farnetwork. We will keep monitoring the threat actor’s activity and will provide updates as they become available.
One thing this publication has noticed in the years that have been defined by threat actors adopting the RaaS model is that the skilled affiliates will continue to operate despite the developers shutting shop.
Skilled affiliates are more than willing to switch to newer ransomware families as long as they get paid to do so. In this instance, an affiliate is willing to keep Nokoyawa alive despite the malware developer’s wishes.
This muddies the waters somewhat and makes it difficult to determine who exactly is responsible for an attack without a fair amount of research.