Threat actor profile: Farnetwork

Group-IB
4 min read · Nov 9, 2023


In late March 2023, the user “farnetworkl” wrote a post on RAMP (an underground forum) to recruit people for their ransomware-as-a-service (RaaS) business. RAMP is an exclusive, predominantly Russian-speaking forum that requires a $500 deposit or an invitation from a moderator in order to gain access. After the post was published, we got in touch with the hacker undercover and learned about their past and present activity. The conversation provided us with a treasure trove of discoveries.

Background

Farnetwork has been active since 2019, mainly managing but also developing ransomware. They speak Russian and are known by many usernames, including farnetworkl, farnetworkit, jsworm, jingo, piparkuka, and razvrat (meaning “perversion” in Russian, a play on the abbreviation RAT, remote access Trojan).

In a private conversation with Group-IB Threat Intelligence researchers, farnetwork said they had been involved in Nefilim and Karma ransomware and had managed a RaaS program whose ransom payments averaged $1 million per victim at first and $600,000 per victim later on. Farnetwork did not mention the name of the program, but we believe it was Nemty. Based on the timeline of farnetwork’s activity, it is fair to assume that they have been among the most active players in the RaaS market.

In addition to Nokoyawa, Nefilim and Karma, farnetwork was involved in JSWORM and Nemty RaaS programs, as well as RazvRAT malware (a remote access Trojan). A detailed track record of the threat actor can be found in our newly published blog post.

Latest activity

Farnetwork told us that they were currently managing a RaaS program based on Nokoyawa ransomware (mentioning that they did not develop Nokoyawa) and described the working conditions as follows: a ransomware affiliate who carries out a successful attack receives 65% of the ransom, the botnet owner receives 20%, and the ransomware developer receives 15%. Farnetwork said that they were open to discussing a raise in the share of profits for trusted affiliates who have been involved in the RaaS program for some time. Attacking healthcare organizations is not allowed.

In other programs, affiliates usually receive up to 85%, but what is distinct in farnetwork’s case is that affiliates do not need to compromise networks themselves. Instead, they acquire access to compromised networks from farnetwork, who told us that they had their own botnet with access to several corporate networks.

Farnetwork said they were currently targeting a victim from “China or Taiwan, compromised via its Colombian branch” and were about to start negotiations. They also said that the RaaS program had a dedicated leak site (DLS, a website where threat actors post data about their victims). We found two Nokoyawa DLSs: one was operational in January 2023 and only had information about one victim; the other appeared in May 2023, was updated regularly, and had information about 35 victims before shutting down in October 2023.

Candidates wanting to join farnetwork’s ransomware business must pass a test, for which farnetwork provides logins and passwords for compromised corporate accounts. Successful candidates must encrypt the victim’s files and demand payment for decryption.

On June 19, 2023, farnetwork announced that they would stop recruiting for their team and declared their intentions to retire from the business. Despite this announcement and the closure of the Nokoyawa DLS, Group-IB believes that we are highly likely to witness new ransomware affiliate programs and large-scale criminal operations orchestrated by farnetwork.

What to do

Ransomware actors abound and are a threat to organizations across all industries. Here is what companies can do to mitigate this threat:

  • Add more layers of security, such as multi-factor authentication and credential-based access solutions.
  • Use threat detection and malware detonation capabilities. Group-IB offers both. Learn more about Group-IB’s Managed XDR coupled with Threat Intelligence.
  • Back up data regularly.
  • Install vulnerability patches promptly.
  • Train employees to identify and report signs of cybercrime (like phishing emails). The human factor is among the biggest vulnerabilities in cybersecurity.
  • Conduct security assessments of the company’s infrastructure.
  • Never pay the ransom. Cybercriminals are financially motivated and driven to make companies pay more. Even if one attacker returns the data, another will find out about the company’s willingness to pay, which will lead to more attacks against it. The best thing to do is to contact incident response experts as quickly as possible.

If you would like to know more about farnetwork, please see our blog post with many more details about the threat actor’s activity.

Stay cybersafe, everyone!
