Skip to content
Ransomware group

NoEscape

NoEscape is a financially motivated ransomware-as-a-service (RaaS) operation first observed in May 2023 and assessed in the provided reporting as likely a rebrand or spin-off of Avaddon.

Profile source: Mallory opens in a new tab

NoEscape

Family profile

NoEscape is a financially motivated ransomware-as-a-service (RaaS) operation first observed in May 2023 and assessed in the provided reporting as likely a rebrand or spin-off of Avaddon. It supports Windows and Linux payloads and conducts double- or multi-extortion, combining file encryption with data theft and publication on a TOR-based leak site; reporting also states the operation offered additional DDoS/spam and call-center extortion options. Multiple sources note an apparent anti-CIS targeting pattern.

Observed intrusion vectors in the provided content include exploitation of public-facing Microsoft Exchange ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207), webshell deployment on Exchange, purchase of previously compromised access from initial access brokers, use of valid accounts, RDP for lateral movement, TeamViewer access, and RDP-over-SSH tunneling via Plink. In one case, attackers used the NPPSPY technique by registering a malicious network provider DLL to capture cleartext Exchange authentication credentials, then moved laterally with domain admin privileges. Data exfiltration was observed via MegaSync to Mega cloud storage.

The malware and operator tradecraft described in the content includes anti-debugging checks, language checks to avoid CIS-language systems, mutex creation derived from the machine GUID, host discovery and collection of system metadata, and stealthy command execution through COM and WMI. NoEscape attempts to disable UAC by modifying EnableLUA and ConsentPromptBehaviorAdmin, copies itself into APPDATA\\Roaming, and establishes persistence through a scheduled task named SystemUpdate with daily and logon triggers. It uses Restart Manager APIs to identify and terminate processes locking files, stops services and kills processes that may interfere with encryption, deletes shadow copies and backups using vssadmin, wbadmin, wmic SHADOWCOPY DELETE, and bcdedit commands, and clears Windows event logs including via wevtutil loops.

The encryption workflow described in the content uses a two-part configuration protected with RC4 keys and Base64 decoding, with configuration elements including public keys, ransom notes, file size limits, wallpaper/note settings, avoided paths/files, locker keys, and file extensions. The malware uses Windows CryptoAPI functions such as CryptAcquireContextW, CryptImportKey, CryptGenKey, CryptExportKey, and CryptEncrypt, and uses an RSA public key from configuration to protect generated encryption keys. Collected host metadata is stored in JSON, encrypted with AES-CBC, and appended to the ransom note. The ransom note is named HOW_TO_RECOVER_FILES.txt and directs victims to a TOR site using a unique Personal ID.

Victimology in the supplied material indicates NoEscape claimed 123 victims between June and December 2023, with the United States accounting for 26% of affected entities in one cited dataset. Manufacturing, education, and construction were identified as the most affected sectors. Specific incidents referenced include a June 2023 claim against the University of Hawaii, where NoEscape said it stole 65GB of sensitive data, and an October 2023 attack referenced in reporting on the Order of Psychologists of the Lombardy Region. The content also notes that Iranian actors were observed by the FBI partnering with affiliates of NoEscape and other ransomware operations and taking a percentage of ransom payments. One report also states Mikhail Matveev was an affiliate of NoEscape.

Indicators explicitly mentioned in the content include SHA-256 hashes 68ff9855262b7a9c27e349c5e3bf68b2fc9f9ca32a9d2b844f2265dccd2bc0d8 and 8FAF3B4047CD810CA30A6D7174542DC1E1270AD63662AE2F53D222A8A9113AF8, the Plink tunneling endpoint 172.93.181[.]238, and Mega-related IP 66.203.125[.]14.

Ransomware.live

Operational record

View group record ↗

Reported operators

Threat actors

1 named in public reporting
NoEscape

“This post will delve into a recent incident response engagement… involving the Ransomware-as-a-Service known as NoEscape.”

Exploited software

Vulnerabilities linked to NoEscape

3 CVEs

MITRE ATT&CK

NoEscape in ATT&CK

1 distinct techniques

Reporting

Research mentioning NoEscape

May 7
The Record Media

Iranian government hackers using Chaos ransomware as cover, researchers say | The Record from Recorded Future News

The FBI previously said it witnessed Iranian actors partnering with affiliates of the NoEscape, Ransomhouse and AlphV ransomware operations — eventually taking a percentage of ransom payments.

Apr 17
Comparitech

Inside RAMP: What a leaked database reveals about Russia's ransomware marketplace - Comparitech

We identified 14 distinct RaaS programs: ... NoEscape (May 2023) ...

Mar 4
Hackread

Ransomware Breach at University of Hawaii Cancer Center Affects 1.2M People

In June 2023, the NoEscape ransomware group claimed a breach at the university and said it stole 65GB of sensitive data.

Feb 24
The Record Media

North Korean state hackers seen using Medusa ransomware in attacks on US, Middle East | The Record from Recorded Future News

The FBI previously said it witnessed Iranian actors partnering with affiliates of the NoEscape, Ransomhouse and AlphV ransomware operations ...

Jan 1
Sophos Threat Research

Unpicking LockBit - 22 Cases of Affiliate Tradecraft | SOPHOS

In late 2023, LockBitSupp also encouraged affiliates of the ALPHV (also known as BlackCat) and NoEscape RaaS schemes to use the LockBit leak site to post their victims' names and continue the extortion process.

Jun 1
Data Breaches

Order of Psychologists of Lombardy fined 30,000 € for inadequate data security protection and detection following ransomware attack

Read more about the ransomware attack by NoEscape in October 2023, the entity’s claims, and investigative results, as well as the required disciplinary measures at PressKit.it.

Nov 30
The Hacker News

Wanted Russian Hacker Linked to Hive and LockBit Ransomware Arrested

Besides working as an affiliate for Conti, LockBit, Hive, Trigona, and NoEscape ransomware groups, he is said to have had a management-level role with the Babuk ransomware group up until early 2022.

May 10
Farghlymal Github

Unveiling NoEscape Ransomware: A Deep Dive into Its Tactics and Defenses - Aziz Farghly

NoEscape ransomware emerged in May 2023 as a financially motivated ransomware group that operates RaaS (Ransomware-as-a-Service).

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.