In a groundbreaking revelation, cybersecurity researchers have identified a major threat actor known as farnetwork, a key player linked to five distinct ransomware-as-a-service (RaaS) programs over the past four years.
Insights from a Unique “Job Interview” Process
Singapore-based Group-IB, in an attempt to infiltrate a private RaaS program utilizing the Nokoyawa ransomware strain, engaged in a distinctive “job interview” process with farnetwork. This unconventional approach provided valuable insights into the threat actor’s background and multifaceted role in the cybercriminal landscape.
Initiating their cybercriminal career in 2019, farnetwork has been involved in various connected ransomware projects, contributing to JSWORM, Nefilim, Karma, and Nemty. Notably, they played roles in developing ransomware and managing RaaS programs before venturing into their own RaaS program centered around the Nokoyawa ransomware.
The Many Faces of farnetwork RaaS
Operating under aliases such as farnetworkit, farnetworkl, jingo, jsworm, piparkuka, and razvrat on underground forums, farnetwork initially gained attention by advertising a remote access trojan named RazvRAT as a vendor.
In 2022, farnetwork expanded their horizons by shifting focus to Nokoyawa and reportedly launching their own botnet service, providing affiliates with access to compromised corporate networks.
Recruitment Efforts and RaaS Model
Throughout the year, farnetwork has been actively linked to recruiting efforts for the Nokoyawa RaaS program. Potential candidates are sought to facilitate privilege escalation using stolen corporate credentials, deploy ransomware, and demand payment for decryption keys. The RaaS model allocates a 65% share to affiliates, 20% to the botnet owner, and 15% to the ransomware developer, potentially dropping to 10%.
While Nokoyawa ceased operations in October 2023, cybersecurity experts caution that there is a high probability of farnetwork resurfacing under a different name with a new RaaS program. Described as an experienced and highly skilled threat actor, farnetwork remains one of the most active players in the RaaS market, according to Nikolay Kichatov, a threat intelligence analyst at Group-IB.
Milena Dimitrova
An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
Follow Me: