Upon NoEscape's release into the wild, the malware was capable of encrypting data on Windows and Linux machines, as well as on VMware ESXi servers.
Further, the threat actors behind the ransomware's development and deployment use the double extortion tactic to steal data before encryption, then use the stolen data as leverage to help secure a ransom payout for data decryption. Ransom demands range from hundreds of thousands of dollars to 10 million USD.
Like several other ransomware gangs, NoEscape's operators threaten to publicly release the stolen data, a fundamental aspect of the double extortion tactic. The operators also run a leak site listing the corporations they have turned into victims.
At the time of writing, ten companies from different countries and industries had been listed, showing that NoEscape does not target specific countries or industries.
However, like the operators of many other ransomware strains, NoEscape's operators do not target the former Soviet countries still within Russia's sphere of influence. If a company from one of these countries falls victim to NoEscape, it is provided with a free decryptor and information on how it was breached.
From Bleeping Computer's analysis of a NoEscape sample, several important technical details about NoEscape were gleaned.
First, the malware will execute a series of commands that delete any Windows Shadow Volume Copies. Commands will also be used to delete Windows backup catalogs and to turn off Windows automatic repair.
Once those commands have been executed, the encryptor will begin to terminate an extensive list of processes, including those associated with security software, backup applications, and web and database servers.
To assist in this process, the encryptor utilizes the Windows Restart Manager API to close processes or shut down Windows services that may keep a file open and prevent encryption.
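Defenders can catch this pre-encryption sequence in process-creation telemetry. The following Python is an example added here, not code from the original article or from any NoEscape sample: it matches the standard Windows command lines for the three steps above against constructed Sysmon-style events and correlates them per host; the rule names, sample events and the five-minute window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Patterns for the three recovery-inhibition steps described in the text.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b|\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I),
    "backup_catalog_deletion": re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I),
    "auto_repair_disabled": re.compile(
        r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I),
}

# Constructed process-creation events (Sysmon Event ID 1 style), not real telemetry.
SAMPLE_EVENTS = [
    {"ts": "2023-06-01T10:00:00", "host": "FS01", "cmdline": "vssadmin.exe list shadows"},
    {"ts": "2023-06-01T10:02:11", "host": "FS01", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2023-06-01T10:02:12", "host": "FS01", "cmdline": "wbadmin.exe delete catalog -quiet"},
    {"ts": "2023-06-01T10:02:13", "host": "FS01", "cmdline": "bcdedit.exe /set {default} recoveryenabled no"},
    {"ts": "2023-06-01T10:02:14", "host": "FS01",
     "cmdline": "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"},
    {"ts": "2023-06-01T11:30:00", "host": "WS07", "cmdline": "wbadmin.exe delete catalog -quiet"},
]

def classify(cmdline):
    """Names of every rule the command line matches (empty list for benign commands)."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]

def scan(events):
    """Keep only events that match at least one rule, tagged with the matching rule names."""
    return [{**ev, "tags": tags} for ev in events if (tags := classify(ev["cmdline"]))]

def correlate(events, window_seconds=300):
    """Per host: 'high' if all three techniques occur within one sliding window, else 'low'.
    A lone 'wbadmin delete catalog' is a weak signal; the full trio within minutes is not."""
    by_host = defaultdict(list)
    for hit in scan(events):
        by_host[hit["host"]].append(hit)
    verdicts = {}
    for host, hits in by_host.items():
        hits.sort(key=lambda h: h["ts"])
        times = [datetime.fromisoformat(h["ts"]) for h in hits]
        verdicts[host] = "low"
        for i, start in enumerate(times):  # window anchored at each hit in turn
            seen = {tag for h, ts in zip(hits[i:], times[i:])
                    if (ts - start).total_seconds() <= window_seconds for tag in h["tags"]}
            if seen == set(RULES):
                verdicts[host] = "high"
                break
    return verdicts
```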
The encryptor will encrypt all files with the following extensions:
EXE, BAT, BIN, CMD, COM, CPL, DAT, DLL, DRV, HTA, INI, LNK, LOCK, LOG, MOD, MSC, MSI, MSP, PIF, PRF, RDP, SCR, SHS, SWP, SYS, THEME
Lawrence Abrams, writing for Bleeping Computer, notes:
Files are encrypted using Salsa20, with the encryption key encrypted with a bundled RSA public key. Encrypted files will have a 10 character extension appended to the filename, which is unique for each victim…The encryptor will also configure a scheduled task named 'SystemUpdate' for persistence on the device and to launch the encryptor when logging into Windows…The ransomware will also change the Windows wallpaper to an image telling victims they can find instructions in the ransom notes named HOW_TO_RECOVER_FILES.txt.
The Avaddon Connection
Avaddon was initially discovered in June 2020. Researchers soon found that Avaddon used a distinctive staged data leak process against its victims.
According to Malwarebytes, victims subjected to the double extortion method were presented with the following stages:
- Leak warning: After gaining access to a victim's network, Avaddon actors leave a ransom note on the victim's network and post a "leak warning" to the Avaddon dark web leak website. The warning consists of screenshots from files and proof of access to the victim's network.
- Five percent leak: If the victim does not quickly pay the ransom within 3 to 5 days, Avaddon actors increase the pressure on victims by leaking some of the stolen files. The Avaddon actors leak this data by uploading a small .zip file to Avaddon's dark web leak website.
- Full leak: If the ransom is not paid after the 5 percent leak, Avaddon actors post all their exfiltrated data in large .zip files in the "Full dumps" section of the Avaddon dark web leak website.
A year later, US and Australian authorities released a joint advisory warning the public about Avaddon and its threats. Interestingly, soon after the release of the advisory, Avaddon decided to call it a day.
Those behind the ransomware suddenly shut down its operation and shared victims' decryption keys with BleepingComputer. From this point, Avaddon's activity effectively dropped off a cliff.
Then along came NoEscape. As security researchers have pointed out, NoEscape's encryptor is almost identical to Avaddon's, with only one notable change: the encryption algorithm.
Where the Avaddon encryptor used AES for file encryption, NoEscape switched to Salsa20. Further, both use the same configuration file and directives.
While it is possible that NoEscape operators bought the source code from those behind Avaddon, several prominent researchers believe that some of the core Avaddon members are now part of the new ransomware operation.
Links between two ransomware gangs can be important for uncovering the facts behind their operations. For those falling victim to NoEscape, these links may seem trivial; the current reality is that those tasked with defending networks have yet another threat to worry about.