Cybersecurity Snapshots - NoEscape Ransomware

By aekwall 

A new Ransomware-as-a-Service (RaaS) group named NoEscape emerged in May 2023. Many researchers believe that the group is a rebrand of the Russian ransomware group Avaddon. Avaddon threat group disbanded in 2021. Security researchers at SOCRadar, after analyzing Avaddon and NoEscape, found that the ransomware encryptors they used showed a distinct similarity between them. Previously, the Avaddon encryptor utilized AES for file encryption, with NoEscape switching to the Salsa20 algorithm. Otherwise, the encryptors are virtually identical, with the encryption logic and file formats almost identical, including a unique way of "chunking of the RSA encrypted blobs."

According to the US Department of Health and Human Services Health Sector Cybersecurity Coordination Center (HHS HC3), the group's "indiscriminate targeting" of the healthcare and public health sector is a "worrisome sign" that more organizations in this field could be targeted soon. NoEscape has also targeted organizations in the professional services, manufacturing, and information industries.

According to the HHS HC3, when NoEscape infiltrates a network, the ransomware leaves a note on the victim's computer that states that their system has been infected by them. This note serves as a communication channel with specified steps to engage with the ransomware developers. The HHS HC3 noted that victims are required to pay the ransom in cryptocurrency, and the ransom amount varies depending on the severity of the attack and the specific ransomware variant, ranging from hundreds of thousands of dollars to over $10m. Researchers at SOCRadar noted that most of the victims were in North America, and victims were also located in Europe and Southeast Asia.

The researchers at SOCRadar found that the ransomware has features like process termination, safe-mode operation, spreading and encryption over SMB (Server Message Block) or DFS (Distributed File System), and the use of the Windows Restart Manager to bypass any processes that might block the encryption process. The researchers noted that the ransomware has a unique feature, shared encryption, which allows a single encryption key to be used across all infected files in a network, facilitating efficient encryption and quick decryption if the ransom is paid.

According to the HHS HC3, NoEscape uses multi-extortion tactics to maximize the impact of a successful attack. This includes an option where data exfiltration and encryption are coupled with DDoS attacks against targets. This tactic is available for an additional $500,000 fee to those using the RaaS.

The NoEscape ransomware gang is expected to have many more victims this year. To protect against the NoEscape ransomware, the HHS HC3 recommends organizations maintain regular backups of critical data and store these offline, keep all software up to date, implement strong email security controls and phishing awareness training, use strong passwords for all accounts, enable multi-factor authentication where possible, have a well-defined ransomware incident response plan in place to reduce the impact of an attack, and implement firewalls and other network security measures to monitor and control incoming and outgoing network traffic.

To see previous articles, please visit the Cybersecurity Snapshots Archive.