
Group-IB e il programma Ransomware-as-a-Service Nokoyawa

by admin

Group-IB's Threat Intelligence team tried to infiltrate the private Nokoyawa Ransomware-as-a-Service program; here are the results.

During this process, Group-IB specialists were interviewed by Farnetwork, a criminal actor associated with five different Ransomware-as-a-Service (RaaS) programs over the past four years. Group-IB has shared its findings about the threat actor with the relevant law enforcement agencies.

Group-IB's Threat Intelligence team attempted to infiltrate a private Ransomware-as-a-Service (RaaS) program based on Nokoyawa and operated by Farnetwork, a threat actor known on several underground forums under aliases such as farnetworkl, jingo, jsworm, razvrat, piparkuka and farnetworkit. Farnetwork began actively recruiting affiliates for its RaaS program in February 2023.

During the "job interview", FarNetwork revealed a series of valuable details not only about Nokoyawa but about his entire career, allowing Group-IB researchers to trace the whole development of this prolific ransomware mastermind, whose online presence on underground forums and activities were conducted under various pseudonyms between 2019 and 2023.
Farnetwork was involved in several interconnected ransomware projects, including JSWORM, Nephilim (a global ransomware operation with over 40 victims), Karma and Nemty. They helped develop ransomware and manage third-party RaaS programs before launching their own RaaS program based on the Nokoyawa ransomware (also used by ShadowSyndicate).

Key findings

Farnetwork actively advertised its search for new affiliates capable of working with access to compromised networks and promised to provide, for testing purposes, fully functional ransomware samples and support. Candidates who wanted to join Farnetwork's ransomware activities had to pass a test, for which FarNetwork made the credentials of compromised company accounts available.

Farnetwork also shared details about revenue sharing in its RaaS program. Specifically: an affiliate who successfully carries out a ransomware attack receives 65% of the ransom, the botnet owner 20%, and the ransomware developer 15%. While in other programs affiliates can usually keep up to 85% of the ransom, the peculiarity of Farnetwork's program is that affiliates did not have to obtain access to compromised networks on their own. Instead they could acquire such access from Farnetwork, which apparently maintained its own botnet with access to several corporate networks.


In this regard, however, Group-IB's Threat Intelligence unit discovered that some of the credentials provided by Farnetwork had first appeared in Underground Cloud of Logs, a service that provides access to compromised confidential information, primarily obtained through information-stealing malware. The credentials provided by FarNetwork, in particular, had been compromised using the infamous RedLine info stealer, and had therefore not been obtained from an exclusive source like the mentioned botnet.

Furthermore, FarNetwork specifically stated both that it had not developed Nokoyawa and that affiliates were not allowed to attack medical and healthcare organizations. During the chat, FarNetwork also shared that its RaaS affiliate program had a DLS (dedicated leak site) platform. Group-IB researchers have identified two DLSs linked to the Nokoyawa ransomware. One, operational in January 2023, contained information on only one victim and is no longer accessible today. The other Nokoyawa DLS, which appeared in May 2023, ceased operations in October 2023. At that point it contained data from 35 victims.

On June 19, 2023, FarNetwork announced that it would stop recruiting new affiliates, stating that it was withdrawing from the business. But is this really the end of FarNetwork?

Conclusions

Group-IBā€™s investigations show FarNetwork to be an experienced and highly skilled threat actor. Their previous projects have claimed large numbers of victims and caused considerable financial damage to organizations. Farnetwork has become one of the most active players in the RaaS market. The threat actor was in fact involved in at least five Ransomware-as-a-Service programs in less than five years. Group-IB researchers also found evidence suggesting that the threat actor not only ran RaaS programs, but also developed ransomware on their own.
Despite the announcement of Farnetwork's retirement and the shutdown of the Nokoyawa DLS, which is the actor's last known project, Group-IB's Threat Intelligence team does not believe the threat actor will stop. As has happened several times in the past, it is very likely that we will see new ransomware affiliate programs and large-scale criminal operations orchestrated by Farnetwork. Group-IB's Threat Intelligence team will continue to monitor the threat actor's activity and provide updates when they become available.

Recommendations


While ransomware groups' preference for organizations operating in critical industries is known, they pose a threat to businesses in any industry. In addition to adding new members to its network, the Farnetwork affiliate program provides members with the latest tools and techniques, and even the ransomware itself. In light of this, it is essential that companies immediately take specific measures to protect their activities and critical data. Group-IB therefore recommends the following:
• Add multiple layers of security: Multi-factor authentication (MFA) and identity-based access solutions help companies protect their critical assets and high-risk users, making it more difficult for attackers to succeed. Additionally, data backups should be performed regularly, as they reduce damage and help organizations avoid data loss following ransomware attacks.
• Monitor vulnerabilities: The longer a vulnerability remains open, the greater the risk that it will be exploited by cybercriminals. Security patches should therefore be treated as a priority. Organizations should also establish a process to regularly review and apply patches as they become available. In addition, newly emerging vulnerabilities must not be ignored. An annual analysis of your infrastructure via a technical audit or security level assessment is not only a good habit, but also brings a much-needed additional layer of protection. Infrastructure integrity and compliance with digital hygiene processes should be monitored continuously.
• Stop ransomware with early detection: Behavioral analytics from Endpoint Detection and Response (EDR) solutions allow companies to identify early indicators of ransomware on managed endpoints and promptly alert the cybersecurity team to potentially suspicious activity for further investigation. This proactive approach makes detection, analysis and remediation of known and unknown threats more agile.
• Train employees: Employees need to be educated about the risks associated with the organization's network, assets, devices and infrastructure. The human factor remains one of the biggest vulnerabilities in cybersecurity. Organizations should conduct training programs and security exercises to help employees recognize and report incidents of cybercrime (e.g. phishing emails) at the first sign.
• Never pay the ransom: In 97% of ransomware attacks, it is impossible to recover access to the data without decryption software. However, Group-IB Incident Response experts advise against rushing to pay ransoms. Financially motivated threat actors seek to collect ever larger sums from organizations. Even if one attacker returns the data, others will become aware of the willingness to pay, leading to an increase in the number of attempted attacks on the same company. The best thing to do is to contact incident response experts as quickly as possible.
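The "early detection" recommendation above rests on behavioural signals rather than signatures: a ransomware encryptor typically rewrites many user documents in a short burst, appending its own extension, while the deletions of the originals follow closely. The following is an added example, not code from the original article or from Group-IB, of a minimal sliding-window detector over file-system events; the event format, the `.nkyw` extension, the thresholds and the sample log lines are all constructed for illustration and are not Nokoyawa indicators.

```python
"""Toy behavioural detector for ransomware-like mass file rewrites.

Added example (not from the article or Group-IB). The event format
"timestamp|pid|process|op|path", the thresholds and the sample events
below are constructed assumptions for illustration only.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import os

WINDOW = timedelta(seconds=10)   # assumed sliding window length
THRESHOLD = 5                    # distinct documents rewritten inside WINDOW
KNOWN_DOC_EXTS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".jpg"}

# Constructed sample log: one benign editor write, one benign backup write,
# then a process rewriting several documents with an appended extension.
SAMPLE_EVENTS = r"""
2023-05-02T10:00:00|4120|winword.exe|WRITE|C:\Users\ann\Documents\budget.docx
2023-05-02T10:00:01|2200|backup.exe|WRITE|D:\backup\budget.docx.bak
2023-05-02T10:00:03|7788|svchost.exe|WRITE|C:\Users\ann\Documents\budget.docx.nkyw
2023-05-02T10:00:03|7788|svchost.exe|DELETE|C:\Users\ann\Documents\budget.docx
2023-05-02T10:00:04|7788|svchost.exe|WRITE|C:\Users\ann\Documents\plan.xlsx.nkyw
2023-05-02T10:00:04|7788|svchost.exe|DELETE|C:\Users\ann\Documents\plan.xlsx
2023-05-02T10:00:05|7788|svchost.exe|WRITE|C:\Users\ann\Pictures\holiday.jpg.nkyw
2023-05-02T10:00:06|7788|svchost.exe|WRITE|C:\Users\ann\Desktop\notes.txt.nkyw
2023-05-02T10:00:07|7788|svchost.exe|WRITE|C:\Users\ann\Desktop\contract.pdf.nkyw
2023-05-02T10:00:08|7788|svchost.exe|WRITE|C:\Users\ann\Desktop\README_TO_RESTORE.txt
2023-05-02T10:00:09|7788|svchost.exe|WRITE|C:\Users\ann\Desktop\deck.pptx.nkyw
"""


def parse_event(line):
    """Split one constructed log line into a dict with a parsed timestamp."""
    ts, pid, proc, op, path = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "pid": int(pid),
            "proc": proc, "op": op, "path": path}


def split_name(path):
    """Return (stem, last_extension) of the file name, Windows or POSIX path."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    stem, ext = os.path.splitext(name)
    return stem, ext.lower()


def detect(lines, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per process that rewrote >= threshold distinct
    documents with the same unfamiliar appended extension inside window."""
    recent = defaultdict(deque)   # pid -> deque of (ts, original_name, new_ext)
    alerted = set()
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = parse_event(line)
        if ev["op"] != "WRITE":
            continue
        stem, ext = split_name(ev["path"])
        if ext in KNOWN_DOC_EXTS:
            continue                      # ordinary document write
        _, inner = os.path.splitext(stem)
        if inner.lower() not in KNOWN_DOC_EXTS:
            continue                      # not "document + appended extension"
        q = recent[ev["pid"]]
        q.append((ev["ts"], stem, ext))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()                   # expire events outside the window
        distinct = {s for _, s, e in q if e == ext}
        if len(distinct) >= threshold and ev["pid"] not in alerted:
            alerted.add(ev["pid"])
            alerts.append({"pid": ev["pid"], "process": ev["proc"],
                           "extension": ext, "files": len(distinct),
                           "first_seen": q[0][0].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS.splitlines()):
        print("ALERT", alert)
```

On the constructed log the detector raises a single alert for pid 7788 once five documents have been rewritten with `.nkyw` within the window; the single `.bak` write by the backup process stays below the threshold and the editor's plain `.docx` save is ignored. A production rule would add the accompanying deletes, write entropy and the appearance of the same note file in many directories as corroborating signals, and would tune the window and threshold against the organisation's own baseline of legitimate bulk operations (backups, archivers, sync clients).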


Organizations should use advanced AI-based analytics solutions to detect intrusions in real time, such as Group-IB's managed security services. These allow you to equip yourself with cybersecurity at multiple levels (endpoint, email, web and network) through automated threat detection and response.
