NoEscape ransomware, a fairly new threat actor, appeared in May 2023 and is suspected to be a rebrand of the now-defunct Avaddon ransomware group, which ceased operations in 2021. The developers claim to have created the malware entirely from scratch, distinguishing it from other ransomware groups.
In less than a year, NoEscape has become a remarkable Ransomware-as-a-Service (RaaS) group, using unique features and aggressive multi-extortion tactics. This report will dive into the group’s tactics and techniques, explore potential ties to Avaddon, and provide recommendations on how organizations can remain safe from this type of threat actor.
NoEscape is a sophisticated RaaS group, and their targets vary depending on the affiliate or the buyer. So far, they have been seen targeting the manufacturing, professional services, information, and healthcare industries. Interestingly, they don’t target Commonwealth of Independent States (CIS) or ex-Soviet Union republics. However, the group has been seen targeting the U.S. and several European countries at an alarming rate. The group uses multi-extortion tactics, especially triple extortion – increasing the impact of a successful attack.
This method refers to a three-pronged approach where data exfiltration and encryption is coupled with distributed denial-of-service (DDoS) attacks against the targets in an attempt to disrupt their business and force them into paying a ransom. The DDoS service is available for an added $500,000 fee, with the operators imposing conditions that forbid affiliates from hitting entities located in CIS countries. Additional mechanisms are in place to reduce the chances of this malware running on hosts which are detected to be in CIS countries.
Image 1: Target Industries
Source: HHS.gov
NoEscape encrypts data on both Windows and Linux machines, including VMware ESXi. Unlike other RaaS groups, NoEscape claims to be developed from scratch in C++. It offers affiliates customization options through an interface, allowing optimization for speed or thoroughness of encryption, prioritizing file paths, and selecting services to terminate before initiating encryption.
The ransomware employs RSA and ChaCha20 encryption algorithms, supports asynchronous LAN scanning, and demonstrates the capability to encrypt network file shares and local drives. An interesting feature is shared encryption, which allows for the use of a single encryption key across all infected files in a network, streamlining both the encryption and decryption processes.
The ransomware is compatible with Windows safe mode, offering a series of scripts for rebooting a victim's host in safe mode, where endpoint detection and response (EDR) products can be more easily disabled before initiating encryption.
NoEscape employs various MITRE ATT&CK techniques, including initial access through external remote services, execution via user execution and scheduled task/job, persistence through registry run keys/startup folder, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, and command and control.
The ransom notes generated by NoEscape are titled "HOW_TO_RECOVER_FILES.TXT" and are placed in every folder housing encrypted files. Each encrypted file is marked with a distinct ten-character identifier as an extension. Noteworthy examples of observed extensions include ".CCBDFHCHFD" and ".CBCJDHIHBB".
Image 2: Ransom Note
Source: SentinelOne
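The ransom note name and the ten-character extension pattern described above can be turned into a simple file-share triage check. The following is an added example written for this report, not tooling from NoEscape or any vendor; the ten-uppercase-letter regex is an assumption generalized from the two extensions quoted above, and the sample listing is constructed.

```python
import re
from collections import Counter

# Assumption: ten uppercase letters, generalized from the two observed
# extensions quoted in the report (.CCBDFHCHFD, .CBCJDHIHBB).
NOESCAPE_EXT_RE = re.compile(r"\.[A-Z]{10}$")
RANSOM_NOTE_NAME = "HOW_TO_RECOVER_FILES.TXT"


def classify_path(path):
    """Return 'note', 'encrypted' or None for a single file path."""
    # Split on both separators so UNC/Windows and POSIX paths both work.
    name = re.split(r"[\\/]", path)[-1]
    if name.upper() == RANSOM_NOTE_NAME:
        return "note"
    if NOESCAPE_EXT_RE.search(name):
        return "encrypted"
    return None


def scan_paths(paths, min_hits=5):
    """Summarize a file listing. Flag it when a ransom note is present or
    at least min_hits files share one ten-letter extension (a single odd
    extension alone is not enough evidence, hence the threshold)."""
    notes, ext_counts = [], Counter()
    for p in paths:
        kind = classify_path(p)
        if kind == "note":
            notes.append(p)
        elif kind == "encrypted":
            ext_counts[NOESCAPE_EXT_RE.search(p).group(0)] += 1
    suspicious = bool(notes) or any(c >= min_hits for c in ext_counts.values())
    return {"notes": notes, "extensions": dict(ext_counts), "suspicious": suspicious}


# Constructed sample listing imitating an affected share (not real IoCs).
SAMPLE_PATHS = [
    r"\\fs01\finance\Q3_report.xlsx.CCBDFHCHFD",
    r"\\fs01\finance\budget.docx.CCBDFHCHFD",
    r"\\fs01\finance\HOW_TO_RECOVER_FILES.TXT",
    r"\\fs01\hr\payroll.csv.CCBDFHCHFD",
    r"\\fs01\hr\HOW_TO_RECOVER_FILES.TXT",
    r"\\fs01\it\readme.txt",
    r"\\fs01\it\archive.tar.gz",
]

if __name__ == "__main__":
    print(scan_paths(SAMPLE_PATHS))
```

Feed it a directory listing from a file server or backup catalog; a hit on the note name is the strongest signal, while the extension count guards against false positives from a single unusual file.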
Ransom payments, demanded in cryptocurrency, vary based on the severity of the attack and the specific ransomware variant. Historical data shows that NoEscape ransom demands range from hundreds of thousands to over $10 million.
The RaaS group follows a profit-sharing model, where affiliates and operators split the ransom collected. When the ransom exceeds $3 million USD, there's a 90/10 split in favor of the affiliates. The split ratio changes for lower ransom amounts; for instance, a one-million-dollar payout results in an 80/20 split for the operator and affiliate, respectively.
Potential NoEscape affiliates are provided with a comprehensive management panel for overseeing and controlling their ransomware campaigns. This panel includes features like 'full automation' within the TOR network, automatic updates to the TOR-based leak blog, a private victim chat, and various communication channels.
Image 3: NoEscape Blog
Source: SentinelOne
The emergence of NoEscape shortly after the Russian group Avaddon ceased operations in 2021, coupled with striking similarities in encryption logic and file formats, suggests a potential rebranding. While Avaddon used AES for file encryption, NoEscape shifted to the Salsa20 algorithm, with the overall encryptors being practically identical. The cybersecurity community believes that some core members of the Avaddon operation might be part of the NoEscape group.
On September 2, 2023, the NoEscape ransomware group claimed to have successfully encrypted Mulkay Cardiology Consultants, a New Jersey-based medical practice. According to their leak site, the group stole 60GB of confidential patient data, including scans, doctor's conclusions, and other sensitive information.
DataBreaches attempted to verify the claim but found no issues with Mulkay's website. Interestingly, the listing on NoEscape's leak site for Mulkay later disappeared without explanation, raising questions about whether Mulkay paid the demanded ransom, negotiated, or faced other issues.
In June 2023, the University of Hawai'i suffered a ransomware attack on its Hawai'i Community College campus by NoEscape. Threatened with exposing 65GB of data, the university decided to pay the ransom to prevent data exposure. The payment was made to ensure the destruction of the illegally obtained information. The university collaborated with cybersecurity experts to address the situation with the goal of restoring its IT infrastructure. Following the payment of a ransom, the ransomware group removed the University of Hawai'i entry from their data leak site.
In October 2023, the U.S. Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) issued a warning about the NoEscape ransomware threat, particularly targeting the healthcare and public health (HPH) sector. HC3 stated that the group refrains from allowing affiliates to attack entities in the former Soviet Union republics within the Commonwealth of Independent States (CIS). The government organization advised healthcare providers to implement standard protective measures against ransomware and leverage industry-specific resources to enhance their security practices.
In December 2023, it was reported that the LockBit ransomware operation is actively recruiting affiliates and developers from the BlackCat/ALPHV and NoEscape groups. According to insiders, both NoEscape and BlackCat/ALPHV ransomware operations’ Tor sites unexpectedly became inaccessible, with affiliates alleging an exit scam by NoEscape operators, involving the theft of significant ransom payments and the shutdown of key operation elements.
The BlackCat/ALPHV ransomware operation also faced a 5-day disruption, claiming hardware failure by the ALPHV admin, although sources suggest a potential law enforcement connection. In response to the chaos, “LockBitSupp”, the manager of the LockBit operation, is actively recruiting affiliates from the troubled BlackCat and NoEscape groups.
The LockBit group sees the outages in BlackCat/ALPHV as a favorable development, and while it remains uncertain if affiliates have migrated, one victim from BlackCat/ALPHV has already surfaced on LockBit's data leak site. Given the current landscape, it is unclear if trust issues will lead to a potential rebranding or shift of affiliates to other operations in the near future.
Detecting NoEscape without advanced solutions will require a multi-layered approach. Take a look at some best practices organizations can implement:
202310121200_NoEscape Ransomware Analyst Note_TLPCLEAR (hhs.gov)
In-Depth Analysis of NoEscape Ransomware (hivepro.com)
One Source to Rule Them All: Chasing AVADDON Ransomware | Mandiant
LockBit ransomware now poaching BlackCat, NoEscape affiliates (bleepingcomputer.com)
Ransomware group claimed to have hit a New Jersey cardiology group. Did they? (databreaches.net)
Malware Analysis of NoEscape Ransomware | by Alameen Karim Merali | Medium
Dark Web Profile: NoEscape Ransomware (socradar.io)
Ransom paid for NoEscape attack on Hawai'i Community College | SC Media (scmagazine.com)
Hawai'i Community College pays ransomware gang to prevent data leak (bleepingcomputer.com)
Ransomware Roundup – NoEscape | FortiGuard Labs (fortinet.com)
Ransomware Roundup – NoEscape - AlienVault - Open Threat Exchange
This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses being exploited to compromise data.
Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.