Farnetwork [1] [2] [3] [4] [5] [6] [7] [8], a highly skilled and experienced threat actor, has been involved in multiple ransomware-as-a-service (RaaS) programs over the past four years [1] [5] [6] [7]. This article provides a detailed description of their activities and highlights potential future implications.

Description

Farnetwork has operated under various aliases on different underground forums and has been linked to ransomware projects such as JSWORM [6], Nefilim [1] [2] [3] [4] [5] [6] [7] [8], Karma [1] [2] [3] [4] [5] [6] [7] [8], and Nemty [1] [5] [6] [7] [8]. In 2022 [4] [6], they launched their own RaaS program called Nokoyawa [1] [4] [5] [6] [7], which was based on the Nokoyawa ransomware [1] [5] [6] [7]. Additionally, Farnetwork provided a botnet service to affiliates [6], granting them access to compromised corporate networks [1] [5] [7]. They actively recruit individuals who can facilitate privilege escalation using stolen corporate account credentials [1] [5] [7], deploy the ransomware [1] [2] [5] [6] [7] [8], and demand ransoms [6].

Under the RaaS model adopted by Farnetwork [6], affiliates receive 65% of the ransom amount [1] [4] [7], while the botnet owner receives 20% and the ransomware developer receives 15% [1] [7] [8]. Farnetwork's operations are further complicated by their use of unique command-and-control servers for each GootBot sample they deploy [6].

Although Nokoyawa ceased its operations in October 2023 [6], Farnetwork may resurface under a new identity and launch a new RaaS program in the future.

Conclusion

The activities of Farnetwork have had significant impacts on organizations targeted by their ransomware attacks. It is crucial for businesses to implement robust cybersecurity measures to mitigate the risk of falling victim to such threats. Additionally, law enforcement agencies and cybersecurity professionals must remain vigilant and collaborate to track and apprehend threat actors like Farnetwork. The possibility of Farnetwork resurfacing under a new identity highlights the need for ongoing efforts to combat ransomware-as-a-service programs and protect against future attacks.

References

[1] https://www.443news.com/2023/11/experts-expose-farnetworks-ransomware-as-a-service-business-model/
[2] https://ciso2ciso.com/russian-speaking-threat-actor-farnetwork-linked-to-5-ransomware-gangs-source-www-bleepingcomputer-com/
[3] https://www.darkreading.com/threat-intelligence/ransomware-mastermind-uncovered-oversharing-dark-web
[4] https://www.infosecurity-magazine.com/news/threat-actor-farnetwork-five/
[5] https://thehackernews.com/2023/11/experts-expose-farnetworks-ransomware.html
[6] https://cybermaterial.com/unveiling-farnetworks-ransomware-role/
[7] https://www.redpacketsecurity.com/experts-expose-farnetwork-s-ransomware-as-a-service-business-model/
[8] https://cyber.vumetric.com/security-news/2023/11/08/experts-expose-farnetwork-s-ransomware-as-a-service-business-model/