Researchers responded to an ad to join a RaaS operation and ended up in a cybercriminal job interview with one of the most active threat actors in the affiliate business. This person, known as “farnetwork,” is behind at least five different strains of ransomware. The criminal was unmasked after giving away too many specifics to a Group-IB threat researcher pretending to be an affiliate for the Nokoyawa ransomware group.
During their correspondence, the researcher learned that farnetwork already had a foothold in various enterprise networks and just needed someone to take the next step. If the researcher deployed the ransomware and collected the money, the Nokoyawa affiliate would get 65% of the extortion money, the botnet owner would get 20%, and the ransomware owner would receive 15%. Nokoyawa was just the latest ransomware operation farnetwork was running. The researcher received enough details through this correspondence to tie the threat actor to ransomware activities as far back as 2019.
Read More: Ransomware Mastermind Uncovered After Oversharing on Dark Web