Ransomware Mastermind Uncovered After Oversharing on Dark Web

Published: 23/11/2024   Category: security




Meet farnetwork, one of the most prolific RaaS operators around, who spilled too many details during an affiliate job interview.



When researchers responded to an ad to join up with a ransomware-as-a-service (RaaS) operation, they wound up in a cybercriminal job interview with one of the most active threat actors in the affiliate business, who turns out to be behind at least five different strains of ransomware.
Meet farnetwork, who was unmasked after giving over too many specifics to a Group-IB threat researcher pretending to be a potential affiliate for the Nokoyawa ransomware group. The cybercriminal is also known by aliases including jingo, jsworm, razvrat, piparuka, and farnetworkit, the team learned.
After the undercover researcher was able to demonstrate they could execute privilege escalation, use ransomware to encrypt files, and ultimately demand cash for an encryption key, farnetwork was ready to talk details.
During the course of their correspondence, the Group-IB researcher learned farnetwork already had a foothold into various enterprise networks, and just needed someone to take the next step, i.e., to deploy the ransomware and collect money. The deal would work like this, Group-IB's team learned: the Nokoyawa affiliate would get 65% of the extortion money, the botnet owner gets 20%, and the ransomware owner gets 15%.
But Nokoyawa was just the latest ransomware operation farnetwork was running, Group-IB explained in its latest report. The threat actor ultimately gave over enough details for the team to trace farnetwork's ransomware activities as far back as 2019.
Farnetwork bragged to the researchers about past operations with Nefilim and Karma ransomware, as well as being on the receiving end of ransomware payments as high as $1 million. The crook also mentioned past work with Hive and Nemty.
That was enough information for the Group-IB team to piece together a prolific ransomware resume in farnetwork's past.
From 2019 to 2021, Group-IB said farnetwork was behind ransomware strains JSWORM, Karma, Nemty, and Nefilim. Nefilim's RaaS program alone accounted for more than 40 victims, the report added.
By 2022, farnetwork found a home with the Nokoyawa operation, and by last February, was actively recruiting affiliates to the program.
"Based on the timeline of their operations, it is fair to assume that farnetwork has been one of the most active players in the RaaS market," the report said.
Nokoyawa has since shuttered its RaaS operation, and farnetwork announced imminent retirement, but Group-IB researchers suspect the serial ransomware operator will pop up again soon with another strain.
"Despite farnetwork's retirement announcement and the closure of Nokoyawa DLS, which is the actor's latest known project, the Group-IB Threat Intelligence team doesn't believe that the threat actor will call it quits," Group-IB's report said. "As it happened several times in the past, we are highly likely to witness new ransomware affiliate programs and large-scale criminal operations orchestrated by farnetwork."
