Farnetwork’s Ransomware-as-a-Service Business Model Exposed by Experts

    Cybersecurity researchers have identified a significant threat actor named farnetwork, who has been associated with five different ransomware-as-a-service (RaaS) programs over the past four years. Group-IB, a Singapore-based company, attempted to infiltrate a private RaaS program that uses the Nokoyawa ransomware strain, an effort that yielded valuable insights into the threat actor's background and role.

    According to Nikolay Kichatov, a threat intelligence analyst at Group-IB, farnetwork has developed ransomware and managed various RaaS programs, including JSWORM, Nefilim, Karma, and Nemty. Farnetwork subsequently launched its own RaaS program based on the Nokoyawa ransomware. Notably, farnetwork is known to operate under several aliases such as farnetworkit, farnetworkl, jingo, jsworm, piparkuka, and razvrat on different underground forums like RAMP.

    In 2022, farnetwork shifted focus to the Nokoyawa ransomware and also launched its botnet service to provide affiliates with access to compromised corporate networks. Farnetwork has also been involved in recruitment for the Nokoyawa RaaS program, soliciting candidates to deploy ransomware using stolen corporate account credentials sourced from information stealer logs sold on underground markets.

    Under the RaaS model, affiliates receive 65% of the ransom amount, while the botnet owner and the ransomware developer each receive a percentage of the total share. Nokoyawa ceased its operations as of October 2023; however, farnetwork is expected to resurface under a different name and with a new RaaS program.

    Kichatov described farnetwork as an experienced and highly skilled threat actor, and one of the most active players in the RaaS market.
