NoEscape Ransomware

Chris Swagler | July 24th, 2023


The new NoEscape ransomware group is thought to be a rebrand of Avaddon, a ransomware group that shut down in 2021 and published its decryption keys. NoEscape first appeared in June 2023, when it began targeting companies with double-extortion attacks. As part of the attacks, the threat actors steal data and encrypt files on Windows, Linux, and VMware ESXi servers, then threaten to publicly release the stolen data if the ransom isn’t paid. NoEscape ransom demands range from thousands of dollars to more than $10 million. Like other ransomware groups, NoEscape doesn’t allow its members to target CIS (ex-Soviet Union) countries; victims from those countries receive free decryptors and information on how their systems were compromised. The group has listed ten companies from various countries and industries on its data leak site, indicating it isn’t targeting a specific sector.

New NoEscape Ransomware Group Appeared

The Avaddon ransomware operation began in June 2020, targeting companies with phishing attacks. However, a month after the FBI and Australian law enforcement issued Avaddon advisories, the ransomware group abruptly ceased operations and supplied the victims’ decryption keys in an anonymous tip. There hadn’t been any known ransomware or extortion activity related to these threat actors since then, until last month, when the NoEscape ransomware operation was launched. An ID-Ransomware developer and ransomware expert explained that the NoEscape and Avaddon encryptors are nearly identical, with only one noteworthy difference in encryption algorithms: the Avaddon encryptor used AES for file encryption, whereas NoEscape has switched to the Salsa20 algorithm.

The encryptors share almost identical encryption logic and file formats, including a unique method of chunking the RSA-encrypted blobs. Additionally, the Avaddon and NoEscape encryptors were found to use the same configuration file and directives, as disclosed in a report. Even though it’s possible that the NoEscape threat actors purchased the encryptor’s source code from Avaddon, multiple experts believe that some key Avaddon members are part of the new ransomware operation.

A NoEscape ransomware sample was analyzed. When executed, NoEscape removes Windows Shadow Volume Copies and local Windows backup catalogs and turns off Windows automatic repair. The encryptor terminates processes linked with security software, backup applications, and web and database servers, and disables Windows services for databases, QuickBooks, security software, and virtual machine platforms. It kills these applications to release files they hold open so that the files can be encrypted. If a file is still locked, the encryptor uses the Windows Restart Manager API to kill the processes or shut down the Windows services that keep the file open and would otherwise prevent encryption. The encryptor skips all files with the following extensions: “exe, bat, bin, cmd, com, cpl, dat, dll, drv, hta, ini, lnk, lock, log, mod, msc, msi, msp, pif, prf, rdp, scr, shs, swp, sys, theme.” It also skips files in folders whose names contain the following strings: “$recycle.bin, $windows.~bt, $windows.~ws, %PROGRAMFILES(x86)%, %PUBLIC%, %ProgramData%, %SYSTEMDRIVE%\Program Files, %SYSTEMDRIVE%\Users\All Users, %SYSTEMDRIVE%\Windows, %TMP%, %USERPROFILE%\AppData, AppData, %AppData%, EFI, Intel, MSOCache, Mozilla, Program Files, ProgramData, Tor Browser, Windows, WINDOWS, boot, google, perflogs, system volume information, windows.old.”
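The pre-encryption steps described above (deleting shadow copies and backup catalogs, disabling automatic repair) are the behaviour defenders most want to alert on, because they precede encryption by minutes. The following is an added detection example written for this article, not code from the NoEscape sample or from SpearTip. The article does not state which commands NoEscape runs for these actions, so the patterns match the built-in Windows commands commonly abused for them (an assumption, not a NoEscape indicator), and the process-creation records are constructed.

```python
"""
Added example: detection logic for the pre-encryption behaviour described in
the article (shadow copy deletion, backup catalog deletion, automatic repair
disabled), run over constructed Sysmon Event ID 1 style records.
Command-line patterns are the usual built-in Windows tools for these
actions, assumed here; the article does not list NoEscape's exact commands.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    host: str
    parent: str
    image: str
    command_line: str


# (rule name, MITRE ATT&CK technique, pattern over the command line)
RULES = [
    ("shadow_copy_deletion", "T1490", re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows"
        r"|wmic(\.exe)?\s+shadowcopy\s+delete"
        r"|Win32_ShadowCopy.*\bDelete\b", re.I)),
    ("backup_catalog_deletion", "T1490", re.compile(
        r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I)),
    ("auto_repair_disabled", "T1490", re.compile(
        r"bcdedit(\.exe)?.*(recoveryenabled\s+no"
        r"|bootstatuspolicy\s+ignoreallfailures)", re.I)),
]


def evaluate(events):
    """Return one alert dict per (event, rule) match."""
    alerts = []
    for ev in events:
        for name, technique, pattern in RULES:
            if pattern.search(ev.command_line):
                alerts.append({"host": ev.host, "rule": name,
                               "technique": technique, "parent": ev.parent,
                               "command_line": ev.command_line})
    return alerts


def summarize(events):
    """Distinct rules fired per host; all three on one host is the full
    pre-encryption sequence the article describes and warrants isolation."""
    by_host = {}
    for alert in evaluate(events):
        by_host.setdefault(alert["host"], set()).add(alert["rule"])
    return {host: sorted(rules) for host, rules in by_host.items()}


# Constructed sample telemetry, not real logs. The parent image name is
# invented to look like a user-writable temp location.
DROPPER = r"C:\Users\jdoe\AppData\Local\Temp\upd.exe"
SAMPLE_EVENTS = [
    ProcessEvent("WS-042", DROPPER, r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin.exe delete shadows /all /quiet"),
    ProcessEvent("WS-042", DROPPER, r"C:\Windows\System32\wbadmin.exe",
                 "wbadmin delete catalog -quiet"),
    ProcessEvent("WS-042", DROPPER, r"C:\Windows\System32\bcdedit.exe",
                 "bcdedit /set {default} recoveryenabled no"),
    ProcessEvent("WS-042", DROPPER, r"C:\Windows\System32\bcdedit.exe",
                 "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    # Benign: an admin listing shadow copies must not fire the rule.
    ProcessEvent("SRV-01", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\vssadmin.exe", "vssadmin list shadows"),
    ProcessEvent("SRV-01", r"C:\Windows\System32\services.exe",
                 r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert["host"], alert["rule"], "<-", alert["command_line"])
    print(summarize(SAMPLE_EVENTS))
```

The parent process is carried into each alert because, in practice, `vssadmin` or `bcdedit` spawned by a binary in a user-writable directory is a far stronger signal than the command alone; the benign `vssadmin list shadows` line shows the patterns are scoped to the destructive verbs.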

The encryptor can be programmed to employ three modes during encryption:

  • Full – Encrypts the entire file
  • Partial – Encrypts only the first X megabytes
  • Chunked – Encrypts data chunks using intermittent encryption

In addition, NoEscape contains a configuration option that forces the encryptor to fully encrypt files with the extensions accdb, edb, mdb, mdf, mds, ndf, and sql. Files are encrypted with Salsa20, and the encryption key is encrypted with a packaged RSA private key. Encrypted files receive a 10-character extension appended to the filename, which is unique to each victim. For persistence, the encryptor creates a scheduled task named “SystemUpdate” that launches the encryptor on Windows login. Additionally, the ransomware changes the Windows wallpaper to an image directing victims to the ransom notes, named “HOW_TO_RECOVER_FILES.txt,” which are dropped in every folder on the device and contain information on what happened to the victims’ files and links to the NoEscape Tor negotiation site.

The ransom notes state that the threat actors aren’t interested in the victims’ private affairs, only in money. On Linux devices, /etc/motd is also replaced with the ransom note, so it is displayed when victims log in. The ransom notes contain a “personal ID,” which is required to log in to the threat actor’s Tor payment site and access the victim’s unique negotiation page. The page shows the ransom amount in bitcoin, a test decryption feature, and a chat panel for negotiating with the threat actors. After paying the ransom, victims are given a list of available decryptors for Windows XP, modern Windows versions, and Linux. For victims running VMware ESXi, NoEscape provides a shell script that restores /etc/motd and decrypts files using the Linux decryptor.
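The file-level artifacts described above (the per-victim 10-character extension, the forced-full database extensions, the skip lists, and the HOW_TO_RECOVER_FILES.txt notes) are what an incident responder uses to scope an infection from a file listing. The following is an added triage example written for this article, not code from the NoEscape sample, ID-Ransomware, or SpearTip. Its assumptions: the victim extension is treated as alphanumeric (the article says only that it is 10 characters and unique per victim); the folder check is a substring match on each path component, as the article words it; entries the article gives as environment variables are represented by their default folder names; and the file listing is constructed.

```python
"""
Added example: offline triage of a file listing from a suspected NoEscape
host. Applies the article's extension and folder skip lists, infers the
per-victim 10-character extension, flags ransom notes, and separates files
the encryptor would have fully encrypted (database extensions) from the rest.
The listing is constructed; the extension regex and default folder names for
the environment-variable entries are assumptions.
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

SKIPPED_EXTENSIONS = {
    "exe", "bat", "bin", "cmd", "com", "cpl", "dat", "dll", "drv", "hta",
    "ini", "lnk", "lock", "log", "mod", "msc", "msi", "msp", "pif", "prf",
    "rdp", "scr", "shs", "swp", "sys", "theme",
}
# Folder-name strings from the article, lowercased for matching. The entries
# given as environment variables are mapped to their usual default names
# (all users, public, temp), which is an assumption of this example.
SKIPPED_FOLDER_STRINGS = [
    "$recycle.bin", "$windows.~bt", "$windows.~ws", "program files",
    "all users", "public", "programdata", "windows", "temp", "appdata",
    "efi", "intel", "msocache", "mozilla", "tor browser", "boot", "google",
    "perflogs", "system volume information", "windows.old",
]
FORCED_FULL = {"accdb", "edb", "mdb", "mdf", "mds", "ndf", "sql"}
RANSOM_NOTE = "HOW_TO_RECOVER_FILES.txt"
VICTIM_EXT_RE = re.compile(r"[A-Za-z0-9]{10}")  # assumed character class


def would_be_skipped(path):
    """Return 'extension', 'folder', or None per the article's skip rules."""
    p = PureWindowsPath(path)
    if p.suffix.lstrip(".").lower() in SKIPPED_EXTENSIONS:
        return "extension"
    for part in p.parts[1:-1]:  # directory components only, drive excluded
        if any(s in part.lower() for s in SKIPPED_FOLDER_STRINGS):
            return "folder"
    return None


def infer_victim_extension(paths):
    """Most common 10-char suffix appended after an existing extension."""
    counts = Counter()
    for path in paths:
        p = PureWindowsPath(path)
        ext = p.suffix.lstrip(".")
        if VICTIM_EXT_RE.fullmatch(ext) and PureWindowsPath(p.stem).suffix:
            counts[ext] += 1
    return counts.most_common(1)[0][0] if counts else None


def triage(paths):
    victim_ext = infer_victim_extension(paths)
    report = {"victim_extension": victim_ext, "ransom_notes": [],
              "encrypted": [], "forced_full": [], "skipped_intact": [],
              "review": []}  # review: intact but not on a skip list, or
    #                          encrypted despite being on one
    for path in paths:
        p = PureWindowsPath(path)
        if p.name == RANSOM_NOTE:
            report["ransom_notes"].append(path)
        elif victim_ext and p.suffix.lstrip(".") == victim_ext:
            original = p.with_suffix("")  # strip the victim extension
            if would_be_skipped(original):
                report["review"].append(path)
            else:
                report["encrypted"].append(path)
                if original.suffix.lstrip(".").lower() in FORCED_FULL:
                    report["forced_full"].append(path)
        elif would_be_skipped(path):
            report["skipped_intact"].append(path)
        else:
            report["review"].append(path)
    return report


# Constructed listing; the victim extension "k7Qp2xL9aZ" is invented.
SAMPLE_LISTING = [
    r"C:\Users\jdoe\Documents\budget.xlsx.k7Qp2xL9aZ",
    r"C:\Users\jdoe\Documents\notes.txt.k7Qp2xL9aZ",
    r"C:\Users\jdoe\Documents\HOW_TO_RECOVER_FILES.txt",
    r"C:\Finance\ledger.mdf.k7Qp2xL9aZ",
    r"C:\Finance\HOW_TO_RECOVER_FILES.txt",
    r"C:\Finance\open_report.docx",          # intact, yet not on a skip list
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Users\jdoe\AppData\Roaming\app\settings.json",
    r"C:\Program Files\Vendor\tool.exe",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LISTING).items():
        print(f"{key}: {value}")
```

The "review" bucket is the useful one during scoping: an intact file that the encryptor had no reason to skip usually means the process was killed before reaching it or the file was locked by something Restart Manager could not close, which helps establish how far the encryption run got. Files in "forced_full" are the database files the article says get full encryption regardless of mode, so partial-recovery techniques that work on intermittently encrypted files do not apply to them.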

Like other ransomware operations, NoEscape infiltrates companies’ networks and propagates laterally to other devices. Once the threat actors have obtained Windows domain admin credentials, the ransomware is distributed throughout the network. Before encrypting files, the threat actors steal companies’ data to use as leverage in extortion attempts, informing victims that the data will be publicly exposed or sold to other threat actors if the ransom isn’t paid. NoEscape has either published the data of, or started extorting, ten victims via its data leak site, with the size of the leaked data ranging from 3.7 GB for one company to 111 GB for another.

With new ransomware groups emerging, whether new or rebranded, it’s always important for companies to remain vigilant about the latest threat landscape and regularly update their network security infrastructure. At SpearTip, our pre-breach advisory services allow our certified engineers to examine companies’ security posture and improve weak points in their networks. We engage with their people, processes, and technology to measure the maturity of the technical environments. We provide technical roadmaps for all vulnerabilities uncovered, ensuring companies have the awareness and support to optimize their cybersecurity posture. Our engineers work continuously at our 24/7/365 Security Operations Center, monitoring companies’ networks for potential ransomware threats, and are ready to respond to incidents at a moment’s notice. Our ShadowSpear Platform, an integrable managed detection and response tool, exposes sophisticated unknown and advanced threats with comprehensive insights through unparalleled data normalization and visualizations.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.
