Following in the footsteps of Farnetwork

Lord777

Group-IB researchers are shedding light on the underground industry under the Farnetwork (or Nokoyawa) brand, which has been linked to five ransomware gangs.

The attacker, who specializes in RaaS, has accumulated extensive ransomware experience over the years and has collaborated with JSWORM, Nefilim, Karma and Nemty on the development and operation of malware.

According to the report, the attacker used several names (for example, Farnetworkl, jingo, jsworm, razvrat, piparkuka, and Farnetworkitand) and is actively present on many Russian-language hacker sites where he searches for and engages operators in his business.

Group-IB researchers managed to reach Farnetwork back in January 2019.

In April 2019, the gang started promoting JSWORM RaaS on Exploit, where the attacker advertised RazvRAT malware.

Later, in August 2019, after closing JSWORM, the attacker switched to promoting Nemty on at least two Russian-language forums.

In March 2020, Nefilim launched as a new partner program with a data leak site called Corporate Leaks. The following month, Farnetwork announced that Nemty would become a private company.

In June 2021, Nefilim was rebranded as Karma, and in July 2021, Nefilim went into oblivion. At this time, Farnetwork was actively searching for a 0-day in Citrix VPN.

In February 2023, Farnetwork announced on RAMP that it was working with Nokoyawa. The gang allegedly had no part in developing it, but acted as project manager, partner recruiter, RaaS promoter and botnet manager.

The botnet provided operators with direct access to compromised networks. For this opportunity, they paid the botnet owner 20% of the ransom received, and the program owner received 15%.

During recruitment, Farnetwork provided its operators with credentials for corporate accounts, which they had in turn purchased from Underground Cloud of Logs (UCL), which specializes in working with the RedLine, Vidar and Raccoon infostealers.

However, the RaaS business model did not last long, and Farnetwork recently announced its departure from the scene and in October closed the Nokoyawa RaaS program immediately after data on 35 victims was leaked.

But researchers have a different opinion: this step is part of the strategy of an attacker who intends to resume work "under a new brand".

As Group-IB correctly pointed out, ransomware gangs may appear and disappear, but behind them are the same qualified and experienced specialists who develop their underground business under new names.
 