“This post will delve into a recent incident response engagement… involving the Ransomware-as-a-Service known as NoEscape.”
NoEscape
NoEscape is a financially motivated ransomware-as-a-service (RaaS) operation first observed in May 2023 and assessed in the provided reporting as likely a rebrand or spin-off of Avaddon.
Profile source: Mallory opens in a new tabNoEscape
Family profile
NoEscape is a financially motivated ransomware-as-a-service (RaaS) operation first observed in May 2023 and assessed in the provided reporting as likely a rebrand or spin-off of Avaddon. It supports Windows and Linux payloads and conducts double- or multi-extortion, combining file encryption with data theft and publication on a TOR-based leak site; reporting also states the operation offered additional DDoS/spam and call-center extortion options. Multiple sources note an apparent anti-CIS targeting pattern.
Observed intrusion vectors in the provided content include exploitation of public-facing Microsoft Exchange ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207), webshell deployment on Exchange, purchase of previously compromised access from initial access brokers, use of valid accounts, RDP for lateral movement, TeamViewer access, and RDP-over-SSH tunneling via Plink. In one case, attackers used the NPPSPY technique by registering a malicious network provider DLL to capture cleartext Exchange authentication credentials, then moved laterally with domain admin privileges. Data exfiltration was observed via MegaSync to Mega cloud storage.
The malware and operator tradecraft described in the content includes anti-debugging checks, language checks to avoid CIS-language systems, mutex creation derived from the machine GUID, host discovery and collection of system metadata, and stealthy command execution through COM and WMI. NoEscape attempts to disable UAC by modifying EnableLUA and ConsentPromptBehaviorAdmin, copies itself into APPDATA\\Roaming, and establishes persistence through a scheduled task named SystemUpdate with daily and logon triggers. It uses Restart Manager APIs to identify and terminate processes locking files, stops services and kills processes that may interfere with encryption, deletes shadow copies and backups using vssadmin, wbadmin, wmic SHADOWCOPY DELETE, and bcdedit commands, and clears Windows event logs including via wevtutil loops.
The encryption workflow described in the content uses a two-part configuration protected with RC4 keys and Base64 decoding, with configuration elements including public keys, ransom notes, file size limits, wallpaper/note settings, avoided paths/files, locker keys, and file extensions. The malware uses Windows CryptoAPI functions such as CryptAcquireContextW, CryptImportKey, CryptGenKey, CryptExportKey, and CryptEncrypt, and uses an RSA public key from configuration to protect generated encryption keys. Collected host metadata is stored in JSON, encrypted with AES-CBC, and appended to the ransom note. The ransom note is named HOW_TO_RECOVER_FILES.txt and directs victims to a TOR site using a unique Personal ID.
Victimology in the supplied material indicates NoEscape claimed 123 victims between June and December 2023, with the United States accounting for 26% of affected entities in one cited dataset. Manufacturing, education, and construction were identified as the most affected sectors. Specific incidents referenced include a June 2023 claim against the University of Hawaii, where NoEscape said it stole 65GB of sensitive data, and an October 2023 attack referenced in reporting on the Order of Psychologists of the Lombardy Region. The content also notes that Iranian actors were observed by the FBI partnering with affiliates of NoEscape and other ransomware operations and taking a percentage of ransom payments. One report also states Mikhail Matveev was an affiliate of NoEscape.
Indicators explicitly mentioned in the content include SHA-256 hashes 68ff9855262b7a9c27e349c5e3bf68b2fc9f9ca32a9d2b844f2265dccd2bc0d8 and 8FAF3B4047CD810CA30A6D7174542DC1E1270AD63662AE2F53D222A8A9113AF8, the Plink tunneling endpoint 172.93.181[.]238, and Mega-related IP 66.203.125[.]14.
Ransomware.live
Operational record
Reported operators
Threat actors
1 named in public reportingExploited software
Vulnerabilities linked to NoEscape
3 CVEsMITRE ATT&CK
NoEscape in ATT&CK
1 distinct techniquesTechniques
1 techniqueReporting
Research mentioning NoEscape
Iranian government hackers using Chaos ransomware as cover, researchers say | The Record from Recorded Future News
The FBI previously said it witnessed Iranian actors partnering with affiliates of the NoEscape, Ransomhouse and AlphV ransomware operations — eventually taking a percentage of ransom payments.
Inside RAMP: What a leaked database reveals about Russia's ransomware marketplace - Comparitech
We identified 14 distinct RaaS programs: ... NoEscape (May 2023) ...
Ransomware Breach at University of Hawaii Cancer Center Affects 1.2M People
In June 2023, the NoEscape ransomware group claimed a breach at the university and said it stole 65GB of sensitive data.
North Korean state hackers seen using Medusa ransomware in attacks on US, Middle East | The Record from Recorded Future News
The FBI previously said it witnessed Iranian actors partnering with affiliates of the NoEscape, Ransomhouse and AlphV ransomware operations ...
Unpicking LockBit - 22 Cases of Affiliate Tradecraft | SOPHOS
In late 2023, LockBitSupp also encouraged affiliates of the ALPHV (also known as BlackCat) and NoEscape RaaS schemes to use the LockBit leak site to post their victims' names and continue the extortion process.
Order of Psychologists of Lombardy fined 30,000 € for inadequate data security protection and detection following ransomware attack
Read more about the ransomware attack by NoEscape in October 2023, the entity’s claims, and investigative results, as well as the required disciplinary measures at PressKit.it.
Wanted Russian Hacker Linked to Hive and LockBit Ransomware Arrested
Besides working as an affiliate for Conti, LockBit, Hive, Trigona, and NoEscape ransomware groups, he is said to have had a management-level role with the Babuk ransomware group up until early 2022.
Unveiling NoEscape Ransomware: A Deep Dive into Its Tactics and Defenses - Aziz Farghly
NoEscape ransomware emerged in May 2023 as a financially motivated ransomware group that operates RaaS (Ransomware-as-a-Service).