Russian-speaking threat actor "farnetwork" linked to 5 ransomware gangs

The operator of the Nokoyawa ransomware-as-a-service (RaaS), a threat actor known as 'farnetwork', built experience over the years by helping the JSWORM, Nefilim, Karma, and Nemty affiliate programs with malware development and operation management.

A report from cybersecurity company Group-IB provides insight into farnetwork's activity and how they gradually built their profile as a highly active player in the ransomware business.

In interactions with threat intelligence analysts, farnetwork shared valuable details that link them to ransomware operations starting 2019 and a botnet with access to multiple corporate networks.

According to a report Group-IB shared with BleepingComputer, the threat actor has several usernames (e.g. farnetworkl, jingo, jsworm, razvrat, piparkuka, and farnetworkitand) and has been active on multiple Russian-speaking hacker forums trying to recruit affiliates for various ransomware operations.

Threat actor profile (Group-IB)

In March, though, farnetwork started looking for affiliates for their ransomware-as-a-service program based on the Nokoyawa locker. However, Group-IB's threat intelligence analysts say that the actor made it clear that they were not involved in the development of Nokoyawa.

Running the RaaS business didn't last very long as farnetwork announced recently that they would retire from the scene and in October they shut down the Nokoyawa RaaS program, after leaking data of 35 victims.

Nokoyawa published victims (Group-IB)

However, Group-IB believes that this move is part of the threat actor's strategy to lose their tracks and start afresh under a new brand

Operations manager

In Nokoyawa ransomware, farnetwork acted as a project leader, affiliate recruiter, promoter of the RaaS on darknet forums, and botnet manager.

The botnet enabled affiliates direct access to already compromised networks. For this perk, they would pay the botnet owner 20% from the collected ransom and the ransomware owner would get 15%.

A 65% cut for the ransomware affiliate may seem like a bad deal, considering that other programs pay up to 85% of the ransom, but the cost covered the effort of finding a suitable target and breaching it.

Farnetwork tested affiliate candidates by providing them with several corporate account credentials sourced from the Underground Cloud of Logs (UCL) service, which sells logs stolen by info-stealers such as RedLine, Vidar, and Raccoon.

The affiliates were expected to escalate their privileges on the network, steal files, run the encryptor, and demand a ransom payment.

Network access credentials panel (Group-IB)

Timeline of past activities

Group-IB has been able to track farnetwork’s activities as far back as January 2019 and found connections to the JSWORM, Nemty, Nefilim, and Karma ransomware strains.

In April 2019, farnetwork promoted the JSWORM RaaS program on the Exploit hacker forum, where the threat actor advertised the RazvRAT malware.

RazvRAT malware sale (Group-IB)

In August 2019, after JSWORM shut down, the threat actor switched to promoting Nemty on at least two Russian-speaking underground forums.

In March 2020, Nefilim ransomware emerged as a new affiliate program with a data leak site called Corporate Leaks. The next month, farnetwork announced that Nemty would go private.

Nefilim announced victims (Group-IB)

In June 2021, a likely rebrand of Nefilim called Karma appeared, and in July 2021, Nefilim went silent. During that time, farnetwork was seeking information about a zero-day vulnerability in Citrix VPN.

In February 2023, farnetwork pivoted to the RAMP forum saying they were working with the Nokoyawa ransomware as a recruiter and access manager.

Promoting RaaS on RAMP (Group-IB)

Based on Group-IB’s findings, farnetwork is suspected to have been involved in developing or at least in the evolution and management of the mentioned ransomware strains. The strongest ties are with Nefilim and Karma, both considered evolutions of Nemty.

Timeline of farnetwork's activities (Group-IB)

Group-IB managed to connect the different usernames to the same threat actor, showing that ransomware operations can come and go but behind them are seasoned individuals that keep the business going under new names.