HPH Sector Warned About NoEscape Ransomware Attacks
In May 2023, a new ransomware-as-a-service (RaaS) group started conducting attacks and in the past 5 months has attacked several industry sectors, including healthcare. Many new ransomware groups develop their ransomware variants using leaked source code from other ransomware families; however, NoEscape claims to have developed its own ransomware code and associated infrastructure from scratch. Despite that claim, the encryptors used by NoEscape are virtually identical to those used by the now-defunct Avaddon ransomware, which ceased operations in June 2021. That, along with other similarities, has led security researchers to believe that NoEscape is a rebrand of Avaddon ransomware.
The NoEscape RaaS group recruits affiliates to conduct attacks in exchange for a percentage of any ransoms they generate and provides ransomware to encrypt files. The ransomware is capable of deleting shadow copies and system backups and can force a reboot and operate in safe mode, where security solutions can be disabled more easily. NoEscape is used to encrypt files on Windows and Linux machines, as well as VMware ESXi, although only on the Windows NT 10.0 operating system. Affiliates are able to compile their executables based on whether they want to optimize for speed or the thoroughness of encryption, with several other options allowing for customized attacks. A single encryption key is used across all files on the network that are encrypted, which allows fast encryption and also rapid recovery if the ransom is paid. The main initial access vectors are infected email attachments, downloads from malicious websites, and ransomware delivery via other malware variants. The group is also thought to leverage external remote services and obtain and abuse the credentials of existing accounts.
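The behaviours described above (shadow copy and backup deletion, forced safe-mode boot) can be hunted for in process-creation logs. The following is an added example, not taken from the HC3 note or from this article. It assumes the behaviours surface as common built-in Windows utilities (vssadmin, wmic, wbadmin, bcdedit), which the article does not confirm, and the events, host names, and function names are constructed for illustration.

```python
import re

# Behaviours named in the article, mapped to generic Windows command-line
# patterns. ASSUMPTION: the article does not say which utilities NoEscape
# invokes; these are common built-in tools that produce the same effects.
RULES = {
    "shadow_copy_deletion": [
        re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
        re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    ],
    "backup_catalog_deletion": [
        re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+(catalog|systemstatebackup)\b", re.I),
    ],
    "safe_mode_boot_config": [
        re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\b", re.I),
    ],
}

# Constructed process-creation events (host, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("ws-014", r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"),
    ("ws-014", r"bcdedit /set {default} safeboot minimal"),
    ("ws-014", r"wbadmin DELETE CATALOG -quiet"),
    ("srv-002", r"vssadmin list shadows"),
    ("srv-002", r"wmic shadowcopy delete"),
    ("ws-031", r"bcdedit /enum"),
]

def classify(command_line):
    """Return the sorted rule names that the command line matches."""
    return sorted(name for name, patterns in RULES.items()
                  if any(p.search(command_line) for p in patterns))

def hosts_to_triage(events, threshold=2):
    """Hosts showing at least `threshold` distinct behaviours.
    One hit can be routine admin work; recovery inhibition combined with a
    safe-mode boot change on the same host is the stronger signal."""
    seen = {}
    for host, cmd in events:
        seen.setdefault(host, set()).update(classify(cmd))
    return {h: sorted(b) for h, b in seen.items() if len(b) >= threshold}

if __name__ == "__main__":
    for host, cmd in SAMPLE_EVENTS:
        print(host, classify(cmd) or "-", cmd)
    print(hosts_to_triage(SAMPLE_EVENTS))
```

Correlating per host rather than alerting on each command keeps read-only calls such as `vssadmin list shadows` and `bcdedit /enum` out of the triage queue.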
Like most other ransomware groups, NoEscape ransomware attacks involve data theft and threats are issued to leak the stolen data if the ransom is not paid. The group releases stolen data on its data leak site when victims refuse to pay the ransom demand. In the known attacks to date, ransom demands have varied from hundreds of thousands of dollars to $10 million. In addition to file encryption and data theft, victims may also be subjected to Distributed Denial of Service attacks, and call and spam services, depending on whether the affiliate chooses to pay for those services. Like many ransomware operations, NoEscape ransomware cannot be used in attacks on organizations in the Commonwealth of Independent States (CIS) or ex-Soviet republics.
NoEscape ransomware attacks have mostly been concentrated on organizations in professional services, manufacturing, and information; however, healthcare and public health sector organizations have also been attacked. In October 2023, the Health Sector Cybersecurity Coordination Center issued a NoEscape Ransomware Analyst Note and shared the MITRE ATT&CK techniques associated with the attacks and cybersecurity best practices for hardening defenses.


