October 2, 2023

Researchers have uncovered a new ransomware actor called NoEscape Ransomware-as-a-Service.

Active since May 2023, it actively sought affiliates to join it. The most peculiar standout about this Raas is it claim of being a C++-based ransomware developed entirely in-house, without relying on third-party resources or source codes. This enables the operators and affiliates to unprecedented control over their malicious activities.

The ransomware used in the NoEscape RaaS employs a combination of ChaCha20 and RSA encryption algorithms. This hybrid approach, often utilized by sophisticated ransomware groups, ensures the encryption of files and the protection of encryption keys.


The ransomware encrypts all ChaCha20 keys with a global ChaCha20 key, which is then encrypted with an RSA-2048 public key. It uses shared encryption that enables the use of a single key to encrypt the data instead of using unique keys to each file.

The RaaS campaign supports Windows Safe Mode, allowing the ransomware to turn off endpoint security products and encrypt files by rebooting compromised systems through which it achieves maximum success.

It utilizes asynchronous LAN scanning to identify Distributed File System (DFS) and Server Message Block (SMB) protocols. This enables lateral movement, persistence, and evasion, making it harder for security solutions to detect and mitigate the ransomware’s activities.


The ransomware employed is compatible with a wide range of systems, including Windows Desktop XP – 11, Windows Server 2003 – 2022, Linux distributions (Ubuntu and Debian-based), and VMware ESXi. It offers configurable mode settings, such as Ignore, Fast, Strong, and Balanced, allowing operators to customize the encryption process.

The administrator’s panel, hosted on Tor, offers automated functionalities. Affiliates can create private chats for secret communication with victims, generate builds with different settings and one key, build their chat support, and access 24/7 support for queries.

NoEscape ransomware infiltrates a network, it spreads laterally, encrypting data and demanding ransom for its release. If the ransom is not paid, the operators may sell the stolen data or publish it in public blogs and online forums. This triple-extortion technique adds extra pressure on victims to comply with the attackers’ demands.


The ransomware operators offer an additional service for DDoS at a price of USD 500,000. This service provides cybercriminals with another method to threaten and coerce targeted companies into paying the demanded ransom.

The exact origin remains undisclosed. But, the operators prohibit affiliates from targeting entities in the Commonwealth of Independent States (CIS) countries, hinting at a possible connection to Russia or the CIS.

Affiliates receive 80% of the profit if the payout equals or exceeds USD 1 million, 85% for a payout equal to or exceeding USD 3 million, and 90% for payouts exceeding USD 3 million.

The robust technical capabilities, triple-extortion methodology, and attractive profit-sharing model make it appealing to cybercriminals seeking to maximize their illicit gains.


These sophisticated emergence underscores the need for enhanced cybersecurity measures to protect organizations and individuals from falling victim to these malicious activities.

This research was documented by researchers from Cyble Research and Intelligence Lab

Leave a Reply

%d bloggers like this: