October 2, 2023

NoEscape, a new ransomware group that began double-extortion attacks against enterprise targets last month, is suspected to be a rebrand of the Avaddon operation, which was dismantled by U.S. and Australian law enforcement authorities two years ago.

In June 2021, the Avaddon ransomware group announced it was closing its operations and released decryption keys for nearly 3,000 victims. This voluntary shutdown was considered a good sign following the relentless crackdown by law enforcement agencies.


Both NoEscape and Avaddon use nearly identical encryptors, differing only in the encryption algorithm: where Avaddon used AES, NoEscape switched to Salsa20 for file encryption. NoEscape also borrows the configuration file and directives used by Avaddon.

As part of its attacks, NoEscape steals data and encrypts files on Windows, Linux, and VMware ESXi servers. Upon execution, it runs a set of commands to delete Windows Shadow Volume Copies and local Windows backup catalogs.

It turns off Windows automatic repair and terminates processes associated with security software and backup applications before starting the encryption process.

It encrypts files with specific extensions such as .accdb, .edb, .mdb, .mdf, .mds, .ndf, and .sql. A 10-character extension, unique to each victim, is appended to the encrypted files, and a ransom note is dropped that instructs victims on how to recover their files.
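The recovery-tampering and encryption behaviours described in the three paragraphs above map to detection logic that a defender can run over process-creation and file-rename telemetry. The following is an added example, not code from the original post or from any vendor: the log lines are constructed, the command-line patterns are the commonly observed ways of deleting shadow copies, deleting backup catalogs and disabling automatic repair (the post does not list NoEscape's exact command lines), the process watchlist in the T1489 rule is a constructed sample, and the assumption that the per-victim 10-character extension is alphanumeric is the author's, since the post only states its length.

```python
"""Detection helpers for the system-recovery tampering (T1490), process
termination (T1489) and file-encryption behaviour described in the post.
Added example; the sample events and patterns are constructed, not taken
from the post or from NoEscape samples."""
import os
import re
from dataclasses import dataclass

# Constructed sample: Windows process-creation events (Sysmon Event ID 1 style)
# flattened to "user|image|commandline". Assumption: the SIEM exports this shape.
SAMPLE_EVENTS = [
    r"CORP\jdoe|C:\Windows\System32\notepad.exe|notepad.exe report.txt",
    r"NT AUTHORITY\SYSTEM|C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /all /quiet",
    r"NT AUTHORITY\SYSTEM|C:\Windows\System32\wbadmin.exe|wbadmin delete catalog -quiet",
    r"NT AUTHORITY\SYSTEM|C:\Windows\System32\bcdedit.exe|bcdedit /set {default} recoveryenabled no",
    r"CORP\backupsvc|C:\Program Files\Backup\agent.exe|agent.exe --schedule nightly",
    r"NT AUTHORITY\SYSTEM|C:\Windows\System32\cmd.exe|cmd.exe /c taskkill /f /im sqlservr.exe",
]

# (command-line regex, ATT&CK technique ID, short description). These are the
# commonly observed command lines for the actions the post names; they are an
# assumption, not NoEscape's verified commands. The process names in the
# T1489 rule are a constructed watchlist of database, backup and AV processes.
RECOVERY_TAMPER_RULES = [
    (re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I), "T1490", "shadow copy deletion"),
    (re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I), "T1490", "shadow copy deletion (WMI)"),
    (re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I), "T1490", "backup catalog deletion"),
    (re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I), "T1490", "automatic repair disabled"),
    (re.compile(r"bcdedit(\.exe)?\s+.*bootstatuspolicy\s+ignoreallfailures", re.I), "T1490", "boot failure recovery suppressed"),
    (re.compile(r"taskkill(\.exe)?\s+.*/im\s+(sqlservr|veeam|msmpeng|mysqld)\S*", re.I), "T1489", "kill of database, backup or security process"),
]


@dataclass(frozen=True)
class Alert:
    technique: str
    description: str
    user: str
    commandline: str


def parse_event(line):
    """Split a flattened event into (user, image, commandline)."""
    user, image, cmdline = line.split("|", 2)
    return user, image, cmdline


def detect_recovery_tampering(events):
    """Return one Alert per event whose command line matches a rule.
    The first matching rule wins so a single event yields a single alert."""
    alerts = []
    for line in events:
        user, _image, cmdline = parse_event(line)
        for pattern, technique, description in RECOVERY_TAMPER_RULES:
            if pattern.search(cmdline):
                alerts.append(Alert(technique, description, user, cmdline))
                break
    return alerts


# Extensions the post says NoEscape targets.
TARGETED_EXTENSIONS = {".accdb", ".edb", ".mdb", ".mdf", ".mds", ".ndf", ".sql"}
# Assumption: the per-victim 10-character extension is alphanumeric.
VICTIM_EXT = re.compile(r"[A-Za-z0-9]{10}")


def looks_like_noescape_rename(old_name, new_name):
    """Heuristic for file-rename telemetry: True when a file with a targeted
    extension gained a 10-character suffix, e.g. orders.mdf -> orders.mdf.aB3dE7gH9k."""
    if not new_name.startswith(old_name + "."):
        return False
    suffix = new_name[len(old_name) + 1:]
    old_ext = os.path.splitext(old_name)[1].lower()
    return old_ext in TARGETED_EXTENSIONS and VICTIM_EXT.fullmatch(suffix) is not None


if __name__ == "__main__":
    for alert in detect_recovery_tampering(SAMPLE_EVENTS):
        print(f"[{alert.technique}] {alert.description}: {alert.user} ran '{alert.commandline}'")
    print(looks_like_noescape_rename("orders.mdf", "orders.mdf.aB3dE7gH9k"))
```

In practice the rename heuristic should be rate-limited (many such renames within seconds from one process) rather than fired per file, and the process-creation rules belong alongside an alert on the process that spawned them, since a legitimate administrator occasionally runs these commands by hand.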

While NoEscape may simply have purchased the encryptor's source code from Avaddon, researchers claim to be aware that some key Avaddon members are now part of the new ransomware operation.


Ten organizations have already been extorted or had their data leaked by the new operation, which seeks to compromise corporate networks and obtain Windows domain admin credentials in order to deploy the ransomware network-wide.

NoEscape was noted to demand ransoms exceeding $10 million for the stolen data.

TTP Details

Tactic (MITRE ATT&CK® ID)        Technique / Sub-technique (MITRE ATT&CK® ID)
Execution (TA0002)               User Execution (T1204)
                                 System Services (T1569)
Persistence (TA0003)             Boot or Logon Autostart Execution (T1547)
Defense Evasion (TA0005)         Impair Defenses (T1562)
                                 Impair Defenses: Safe Mode Boot (T1562.009)
                                 Indicator Removal (T1070)
Lateral Movement (TA0008)        Remote Services: SMB/Windows Admin Shares (T1021.002)
Impact (TA0040)                  Inhibit System Recovery (T1490)
                                 Data Encrypted for Impact (T1486)
                                 Service Stop (T1489)
                                 Network Denial of Service (T1498)
