October 2, 2023

Novel ransomware group NoEscape, which has begun double extortion attacks against enterprise targets last month, has been suspected to be a rebrand of the Avaddon operation that was dismantled by U.S. and Australian law enforcement authorities two years ago.

In June 2021, the Avaddon ransomware group announced closing its operations by releasing decryption keys for nearly 3,000 victims. This voluntary shutdown was considered a good sign following the relentless crackdown taken by law enforcement agencies.


Both NoEscape and Avaddon have leveraged nearly identical encryptors, except for encryption algorithms.  The Avaddon ransomware used the AES algorithm, NoEscape switched to Salsa20 for file encryption. It was found that NoEscape borrows the configuration file and directives used by Avaddon.

As part of attacks, the NoEscape ransomware steals data and encrypts files on Windows, Linux, and VMWare ESXi servers.  Upon execution, NoEscape runs a set of commands to delete Windows Shadow Volume Copies and local Windows backup catalogs. 

It turns off Windows automatic repair and terminates processes associated with security software and backup applications before initiating the encryption process.  

It encrypts files with specific extensions such as .accdb, .edb, .mdb, .mdf, .mds, .ndf, and .sql. A 10-character extension, which is unique for each victim, is appended to the encrypted files and a ransom note is dropped that instructs the victims on how to recover their files. 

If the case is that NoEscape may have purchased the source code of the encryptor from Avaddon, researchers claim to be cognizant of the fact that some of the key Avaddon members are now part of the new ransomware operation.


Ten organizations have already been extorted or had their data leaked by the new ransomware operation, which looks to compromise corporate networks and obtain Windows domain admin credentials to facilitate network-wide ransomware delivery.

NoEscape was noted to demand ransoms exceeding $10 million for the stolen data.

TTP Details

Tactics Techniques & Sub-Techniques MITRE ATT&CK® ID
Execution TA0002
 User ExecutionT1204
 System ServicesT1569
Persistence TA0003
 Boot or Logon Autostart ExecutionT1547
Defense Evasion TA0005
 Impair DefensesT1562
 Impair Defenses: Safe Mode BootT1562.009
 Indicator RemovalT1070
Lateral Movement T0008
 Remote Services: SMB/Windows Admin SharesT1021.002
Impact TA0040
 Inhibit System RecoveryT1490
 Data Encrypted for ImpactT1486
 Service Stop Service StopT1489
 Network Denial of ServiceT1498

Leave a Reply

%d bloggers like this: