Russian-speaking threat actor “farnetwork” linked to 5 ransomware gangs

November 8, 2023 at 04:37AM

The Nokoyawa ransomware-as-a-service (RaaS) operator, ‘farnetwork’, was involved in malware development and operation management for several affiliate programs. Cybersecurity company Group-IB reported on farnetwork’s activities and revealed connections to ransomware operations dating back to 2019. Although farnetwork has retired the Nokoyawa RaaS program, Group-IB believes the actor will rebrand and continue operating. Within Nokoyawa, farnetwork acted as project leader, affiliate recruiter, and botnet manager, offering affiliates access to already compromised networks. The affiliates were then expected to escalate privileges, steal files, and demand ransoms. Group-IB discovered connections between farnetwork and the JSWORM, Nemty, Nefilim, and Karma ransomware strains.

Key takeaways from the report:

1. The threat actor known as ‘farnetwork’ has built experience over the years by assisting various affiliate programs with malware development and operation management, including JSWORM, Nefilim, Karma, and Nemty.

2. A report from cybersecurity company Group-IB reveals that farnetwork is highly active in the ransomware business and has been involved in ransomware operations since 2019.

3. Farnetwork has multiple usernames and has been active on Russian-speaking hacker forums in an effort to recruit affiliates for ransomware operations.

4. Recently, farnetwork announced their retirement from the scene and shut down the Nokoyawa Ransomware-as-a-Service (RaaS) program, after leaking data of 35 victims. However, Group-IB believes this move is part of a strategy to start afresh under a new brand.

5. In the Nokoyawa ransomware operations, farnetwork acted as a project leader, affiliate recruiter, promoter of the RaaS on darknet forums, and botnet manager.

6. Affiliates of the Nokoyawa RaaS program had access to compromised networks and paid a portion of the collected ransom to the botnet owner and ransomware owner.

7. Farnetwork tested affiliate candidates by providing them with stolen corporate account credentials from services like the Underground Cloud of Logs (UCL) to carry out attacks.

8. Group-IB has tracked farnetwork’s activities since January 2019 and has found connections to JSWORM, Nemty, Nefilim, and Karma ransomware strains.

9. Farnetwork promoted various ransomware programs on hacker forums, including RazvRAT, Nemty, Nefilim, and Karma.

10. Farnetwork’s activities indicate involvement in the development or management of ransomware strains, particularly Nefilim and Karma.

11. Farnetwork’s various usernames are used interchangeably, suggesting that seasoned individuals stand behind these ransomware operations and continue the business under new names.
