Russian Threat Actor “farnetwork” Linked With 5 Ransomware Strains

In March 2023, the cybersecurity landscape witnessed a significant revelation as Group-IB’s Threat Intelligence team delved into the clandestine world of farnetwork, an elusive threat actor linked to five notorious ransomware strains. 

Farnetwork, also known as farnetworkl, jingo, jsworm, razvrat, and piparkuka, emerged as a prominent player in the Ransomware-as-a-Service (RaaS) market, orchestrating complex operations and managing a private RaaS program based on the Nokoyawa ransomware strain.

How Group-IB Cracked the Case

The investigation began when Group-IB researchers attempted to infiltrate a private RaaS program utilizing the Nokoyawa ransomware strain. 

What ensued was a series of revelations, shedding light on farnetwork’s extensive criminal career, dating back to 2019. 

The threat actor’s involvement in various ransomware projects, including JSWORM, Karma, Nemty, and Nefilim, showcased their expertise in developing ransomware and managing RaaS programs.

How Farnetwork Operated Their RaaS Program

Farnetwork’s modus operandi was further dissected, revealing their intricate RaaS affiliate program. 

Affiliates in this program were granted access to compromised corporate networks, eliminating the need for network compromise and streamlining the ransomware attacks. 

Farnetwork’s revenue distribution model for successful attacks offered affiliates 65% of the ransom, while the botnet owner received 20%, and the ransomware owner took 15%.

However, farnetwork’s activities weren’t confined to just one strain of ransomware. 

The threat actor’s involvement in the Nokoyawa ransomware project, a derivative of Karma ransomware, exhibited their adaptability and innovation within the cybercriminal landscape. 

Farnetwork’s interactions with other ransomware groups, such as Hive, hinted at a complex web of connections within the criminal underworld.

What Happened to Farnetwork and How to Protect Against Ransomware

Despite farnetwork’s announcement of retirement and the subsequent cessation of their Nokoyawa Dedicated Leak Site (DLS) operations, Group-IB’s Threat Intelligence team remains vigilant. 

The team anticipates farnetwork’s potential return under a new guise, continuing their nefarious activities in the ever-evolving realm of cybercrime.

In light of these revelations, cybersecurity experts and enthusiasts are urged to remain proactive. 

Implementing multi-factor authentication, enhancing endpoint security, conducting regular data backups, and prioritizing patch management are recommended to safeguard against ransomware threats. 

Additionally, raising awareness among employees about cybersecurity risks and avoiding ransom payments are crucial steps in mitigating the impact of these attacks.

As the cybersecurity landscape evolves, Group-IB’s ongoing commitment to combating cybercrime ensures that organizations are informed, protected, and equipped to navigate the challenges posed by threat actors like farnetwork.

Patch Manager Plus, the one-stop solution for automated updates of over 850 third-party applications: Try Free Trial.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.