Security researchers have shared information on a prolific threat actor who has contributed to multiple ransomware-as-a-service (RaaS) programs over the past few years and is currently running another.
Group-IB claimed in a new report that “farnetwork” has been active since at least 2019 and also operates on underground sites as farnetworkl, jingo, jsworm, razvrat, piparkuka and farnetworkit.
Between 2019 and 2021, they were linked to the JSWorm, Karma, Nemty and Nefilim RaaS schemes. The report claimed the actor help develop ransomware and manage the affiliate programs.
In 2022, it’s believed that the individual set up their own RaaS program, “Nokoyawa,” which provides affiliates with readymade access to corporate networks via a botnet. In this model, the affiliate receives 65% of the ransom payment, the botnet owner receives 20% and the ransomware owner gets 15%, Group-IB said.
As of October 2023, there were 35 victims listed on the Nokoyawa leak site.
Read more on ransomware groups: Conti Group Spent $6m on Salaries, Tools and Services in a Year
“The ‘candidates’ wanting to join farnetwork’s RaaS program based on Nokoyawa must complete a test assignment. For the purposes of the test, farnetwork provides several compromised corporate account credentials (login + password) to facilitate privilege escalation within targeted networks,” Group-IB explained.
“Successful candidates must execute privileges and use the ransomware to encrypt the victim’s files, then demand payment for decryption.”
The reason the threat intelligence vendor knows all this is because it tried to infiltrate Nokoyawa as part of its information gathering on threat groups – by undertaking a ‘job interview’ and test with the malicious actor.
“In most cases, we would simply describe the inner workings of the RaaS program based on information received from the ‘recruiter,’ but this case was different,” Group-IB explained.
“The threat actor who conducted the ‘interview’ for a new ransomware affiliate program not only shared a trove of valuable information about their RaaS project but also provided insights into their background and their role within various RaaS programs.”