Researchers turned the tables on a highly experienced cybercriminal, duping the hacker into revealing details of their five-year career as a pivotal figure in several ransomware operations.
While trying to infiltrate a private ransomware-as-a-service (RaaS) program by posing as aspiring affiliates, Group-IB researchers were put in contact with the threat actor, who they track as farnetwork.
During a “job interview” for the affiliate position, farnetwork told the researchers they had run the Nokoyawa RaaS affiliate program since 2022 and also operated a botnet used to provide affiliates with access to compromised corporate networks.
In a Nov. 8 blog post, Group-IB threat Intelligence analyst Nikolay Kichatov said from what farnetwork shared, and through further investigation, Group-IB was able to piece together the Russian-speaking threat actor’s background dating back to 2019.
Farnetwork's formidable resume
Since 2019, farnetwork (who has used the handles farnetworkl, jingo, jsworm, razvrat, piparkuka, and farnetworkit) was involved in several ransomware projects, including JSWORM, Karma, Nemty and Nefilim. Farnetwork helped develop ransomware and manage the RaaS programs for those projects before launching their own RaaS program based on Nokoyawa ransomware in 2022.
Nefilim is known to have ransomed more than 40 victims and Nokoyawa’s dedicated leaks site contained information about 35 victims.
“The threat actor mentioned specifically that they were not a Nokoyawa developer, and that affiliates were not allowed to attack medical and healthcare organizations,” Kichatov said in the blog post.
“During the chat, farnetwork also shared that they were currently targeting a victim from ‘China or Taiwan, compromised via its Columbian [sic] branch’ and were about to start negotiations.”
Farnetwork said the RaaS project they managed in 2019 — believed by Group-IB to be Nemty — received ransom payments of $1 million on average per victim initially, falling to about $600,000 later in his tenure.
How the RaaS divides ransomware profits among affiliates
Farnetwork told Group-IB Nokoyawa’s ransomware affiliates who carry out a successful attack received 65% of the ransom amount, with 20% going to the botnet owner and 15% to the developer.
In other RaaS gangs, affiliates typically receive up to 85% of the ransom but in farnetwork’s program, affiliates did not need to compromise networks themselves. Instead, they were given access to compromised networks by farnetwork.
“As a result, affiliates only need to escalate privileges, extract sensitive data, and encrypt targeted networks, which explains why the distribution of profits is different from the industry average,” Kichatov said.
Farnetwork told Group-IB that over time, the percentage of the ransomware take allocated to Nokoyawa affiliates increased, along with the increase in the average ransom demand. The threat actor said the share apportioned to the ransomware owner could eventually decrease to 10%.
An unlikely departure
In June this year, farnetwork announced on the dark web they would stop recruiting for affiliates and said they intended to retire from the ransomware business. Nokoyawa’s dedicated leak site (DLS) stopped operating last month.
“Despite farnetwork’s retirement announcement and the closure of Nokoyawa DLS, which is the actor’s latest known project, the Group-IB Threat Intelligence team doesn’t believe that the threat actor will call it quits,” Kichatov said.
“As it happened several times in the past, we are highly likely to witness new ransomware affiliate programs and large-scale criminal operations orchestrated by farnetwork. We will keep monitoring the threat actor’s activity and will provide updates as they become available.”
