The operator of the Nokoyawa ransomware-as-a-service (RaaS), a threat actor known as 'farnetwork', built experience over the years by helping the JSWORM, Nefilim, Karma, and Nemty affiliate programs with malware development and operation management.
A report from cybersecurity company Group-IB provides insight into farnetwork's activity and how they gradually built their profile as a highly active player in the ransomware business.
In interactions with threat intelligence analysts, farnetwork shared valuable details that link them to ransomware operations starting in 2019 and to a botnet with access to multiple corporate networks.
According to a report Group-IB shared with BleepingComputer, the threat actor has several usernames (e.g. farnetworkl, jingo, jsworm, razvrat, piparkuka, and farnetworkitand) and has been active on multiple Russian-speaking hacker forums trying to recruit affiliates for various ransomware operations.
[Image: Threat actor profile (Group-IB)]
In March, though, farnetwork started looking for affiliates for their ransomware-as-a-service program based on the Nokoyawa locker. However, Group-IB's threat intelligence analysts say that the actor made it clear that they were not involved in the development of Nokoyawa.
Running the RaaS business didn't last very long as farnetwork announced recently that they would retire from the scene and in October they shut down the Nokoyawa RaaS program, after leaking data of 35 victims.
[Image: Nokoyawa published victims (Group-IB)]
However, Group-IB believes that this move is part of the threat actor's strategy to cover their tracks and start afresh under a new brand.
Operations manager
In Nokoyawa ransomware, farnetwork acted as a project leader, affiliate recruiter, promoter of the RaaS on darknet forums, and botnet manager.
The botnet gave affiliates direct access to already compromised networks. For this perk, they would pay the botnet owner 20% of the collected ransom, and the ransomware owner would get 15%.
A 65% cut for the ransomware affiliate may seem like a bad deal, considering that other programs pay up to 85% of the ransom, but the cost covered the effort of finding a suitable target and breaching it.
Farnetwork tested affiliate candidates by providing them with several corporate account credentials sourced from the Underground Cloud of Logs (UCL) service, which sells logs stolen by info-stealers such as RedLine, Vidar, and Raccoon.
The affiliates were expected to escalate their privileges on the network, steal files, run the encryptor, and demand a ransom payment.
[Image: Network access credentials panel (Group-IB)]
Timeline of past activities
Group-IB has been able to track farnetwork’s activities as far back as January 2019 and found connections to the JSWORM, Nemty, Nefilim, and Karma ransomware strains.
In April 2019, farnetwork promoted the JSWORM RaaS program on the Exploit hacker forum, where the threat actor advertised the RazvRAT malware.
[Image: RazvRAT malware sale (Group-IB)]
In August 2019, after JSWORM shut down, the threat actor switched to promoting Nemty on at least two Russian-speaking underground forums.
In June 2021, a likely rebrand of Nefilim called Karma appeared, and in July 2021, Nefilim went silent. During that time, farnetwork was seeking information about a zero-day vulnerability in Citrix VPN.
In February 2023, farnetwork pivoted to the RAMP forum saying they were working with the Nokoyawa ransomware as a recruiter and access manager.
[Image: Promoting RaaS on RAMP (Group-IB)]
Based on Group-IB’s findings, farnetwork is suspected to have been involved in developing or at least in the evolution and management of the mentioned ransomware strains. The strongest ties are with Nefilim and Karma, both considered evolutions of Nemty.
[Image: Timeline of farnetwork's activities (Group-IB)]
Group-IB managed to connect the different usernames to the same threat actor, showing that ransomware operations can come and go, but behind them are seasoned individuals who keep the business going under new names.
Adding to the unearned wins racked up by cops is this decision [PDF] from the Eleventh Circuit Appeals Court. According to the court, figuring out digital stuff is just too complicated. And if it can’t handle the nuances, it certainly can’t expect cops to follow the constitutional rules.
It’s all about precedent. When there isn’t much of it, cops are free to violate constitutional protections until a court finally puts its foot down. But feet are rarely put down because of the circular reasoning the Supreme Court says must be deployed in these cases. If there’s nothing on point, nothing gets established. And since no rights violations are being clearly established, the next rights violation gets a pass because… well, the court had to pass on generating precedent the last time around.
That’s how it goes and that’s how this went. Kevin McCall found himself on the losing end of a high-stakes poker game. Hoping to regain some of his losses, McCall allegedly used his cell phone to set up a robbery of the winners.
The investigators took “but on a phone” and ran with it. And they ran far past any notions of probable cause.
Because a cell phone was directly tied to the crime, no one disputes that there was probable cause to search that device. But the police went one step further. They secured a warrant to search an iCloud account that backed up the phone twelve hours before the poker game and robbery. The iCloud warrant permitted a search of almost all the account’s data with no time limitation. Based on evidence secured by that warrant, the government prosecuted and a jury convicted McCall of being a felon in possession of a firearm.
So… let’s take a look at this. Obviously, a phone was instrumental in the spur-of-the-moment robbery. But cops sought information that was at least 12 hours old before McCall allegedly arranged the at-gunpoint recovery of his gambling funds.
On top of that, no limits were placed on the search of the iCloud data that may have prevented investigators from utilizing anything not related to the crime they were investigating. Understandably, the stale content contained nothing investigators could use to prosecute McCall for the robbery. But, because the warrant wasn’t limited, investigators decided to prosecute McCall for a crime they weren’t even investigating: illegal possession of a firearm.
All else being equal, this should have been an easy dismissal of charges following an even easier suppression of this so-called “evidence.” Sure, it may have been evidence of some crime, but this wasn’t exactly plain view. Investigators didn’t see the illegal weapon because they happened upon it during the normal course of a robbery investigation. They saw it because they obtained (via a faulty warrant) an all-access pass to McCall’s iCloud account.
This subpar warrant was approved and Apple complied with it, sending back the latest backup of McCall’s iCloud data. That led to this:
Apple emailed the detective the iCloud backup data, which spanned about two-and-a-half months leading up to the robbery. Supervisor of the Digital Forensics Unit James KempVanEe then processed the data, discovering photographs and videos of McCall, a felon, holding a 9 millimeter semi-automatic pistol. The photographs dated back to the month before the robbery.
The gun could have been a replica or an altered Airsoft for all the detectives knew. The photos also could have been taken prior to McCall’s felony conviction, making it possibly a legal weapon at the time. Those were all possibilities, no matter how remote. What these photographs definitively weren’t was evidence of his involvement with this robbery. So, the cops should have disregarded this irrelevant info. And the magistrate should have rejected the overly broad warrant demanding information that could not possibly have been relevant to the criminal act under investigation.
Instead, that photo turned into federal charges and this suppression attempt, which has been rejected by the Eleventh Circuit because… well, tech is complicated and stuff.
Although Fourth Amendment standards are largely settled, their application to developing areas of technology is not. Like judges, law enforcement officers operating in good faith may struggle to apply existing standards to new circumstances. That is where the exclusionary rule’s good faith exception comes in. The government concedes that the iCloud warrant fell short in certain respects, but it argues that reasonable officers could have believed it to be valid. We agree that the warrant was not so deficient in probable cause, particularity, or otherwise that it would be unreasonable for an officer to rely on it in good faith.
lol
Imagine an iCloud account being a “new circumstance.” Cloud storage and personal data repositories are nearly as old as the internet itself. Apple’s iCloud has been around since 2011. How something 12 years old can be considered a “new circumstance” by judges or cops is beyond me. Just because it’s easier to investigate from a desk than applying shoe leather to concrete doesn’t mean the Fourth Amendment no longer applies.
McCall’s point, that an account last backed up 12 hours before an alleged crime could not reasonably be expected to contain evidence of a crime committed 12 hours later, is a much better point, no matter the supposed “newness” of 12-year-old technology. Even if everyone agrees it might be difficult for cops and courts to wrap their minds around storage options that have been in common use for more than a decade, surely we can all agree the rules of time and space have not been significantly altered over the last decade. Unless the cops truly believed the crime was pre-planned some time in advance (which they clearly did not believe), there was no justification for the search of cloud storage that contained no data created during the time the crime occurred or after it.
This is a blown call. But that’s the way cops like it. A storage option that made its debut in 2011 is still considered by an appellate court to be a novel invention worthy of years of future debate before cautiously establishing extremely narrow precedent. This is little more than a court talking itself out of upsetting the prosecutorial apple cart because doing so might mean future alleged criminals might expect their rights to be respected. It’s not only lazy, it’s cowardly. The world continues to advance. The nation’s courts, unfortunately, still insist on taking a wait-and-see approach to tech, as though every widely used content storage option is just another Pets.com.