Experts Expose Farnetwork's Ransomware-as-a-Service Business Model
9.11.23 Ransom The Hacker News
Cybersecurity researchers have unmasked a prolific threat actor known as farnetwork, who has been linked to five different ransomware-as-a-service (RaaS) programs over the past four years in various capacities.
Singapore-headquartered Group-IB, which attempted to infiltrate a private RaaS program that uses the Nokoyawa ransomware strain, said it underwent a "job interview" process with the threat actor, learning several valuable insights into their background and role within those RaaS programs.
"Throughout the threat actor's cybercriminal career, which began in 2019, farnetwork has been involved in several connected ransomware projects, including JSWORM, Nefilim, Karma, and Nemty, as part of which they helped develop ransomware and manage the RaaS programs before launching their own RaaS program based on Nokoyawa ransomware," Nikolay Kichatov, threat intelligence analyst at Group-IB, said.
The latest disclosure comes nearly six months after the cybersecurity company penetrated the Qilin RaaS gang, uncovering details about the affiliates' payment structure and the inner workings of the RaaS program.
Farnetwork is known to operate under several aliases such as farnetworkit, farnetworkl, jingo, jsworm, piparkuka, and razvrat on different underground forums like RAMP, initially advertising a remote access trojan called referred to as RazvRAT as a vendor.
In 2022, besides shifting focus to Nokoyawa, the Russian-speaking individual is said to have launched their own botnet service to provide affiliates with access to compromised corporate networks.
Since the start of the year, farnetwork has been linked to recruitment efforts for the Nokoyawa RaaS program, asking potential candidates to facilitate privilege escalation using stolen corporate account credentials and deploy the ransomware to encrypt a victim's files, and then demand payment in return for the decryption key.
The credentials are sourced from information stealer logs sold on underground markets, where in other threat actors obtain initial access to target endpoints by distributing off-the-shelf stealer malware like RedLine that are, in turn, pushed through phishing and malvertising campaigns.
It's worth noting that some of the credentials provided by farnetwork first appeared in Underground Clouds of Logs, a service that gives access to compromised confidential information obtained through information stealers.
The RaaS model allows affiliates to receive 65% of the ransom amount and the botnet owner to receive 20%. The ransomware developer, on the other hand, receives 15% of the total share, a number that could drop further down to 10%.
"From the affiliate's perspective, this introduces a novel approach as they are not required to get initial access to corporate networks themselves, they can leverage the access that has already been provided by the RaaS manager," Group-IB's Threat Intelligence team told The Hacker News.
"While this decreases the percentage of the payout that an affiliate receives, it enhances ransomware operators' efficiency and speed. Farnetwork's botnet is used to gain access to corporate networks, effectively replacing the role of initial access brokers."
Nokoyawa has since ceased its operations as of October 2023, although Group-IB said there is a high probability that farnetwork would resurface under a different name and with a new RaaS program.
"Farnetwork is an experienced and highly skilled threat actor," Kichatov said, describing the threat actor as one of the "most active players of the RaaS market."