In June 2021, the Avaddon ransomware group announced it was closing its operations and released decryption keys for nearly 3,000 victims. The voluntary shutdown was read as a good sign following the relentless crackdown by law enforcement agencies. However, little did the agencies know that the group was up to something big.

Two years after the closure, in June this year, researchers came across a new ransomware strain named NoEscape. Researchers suggest it is a rebranded version of Avaddon and that it is targeting enterprises in double extortion attacks.

Overlaps between NoEscape and Avaddon

  • NoEscape ransomware’s encryptor is nearly identical to the one used by Avaddon, with some notable changes. While Avaddon used the AES algorithm, NoEscape switched to Salsa20 for file encryption.
  • NoEscape also borrows the configuration file and directives used by Avaddon.
  • While it is possible that NoEscape purchased the encryptor’s source code from Avaddon, researchers say they are aware that some key Avaddon members are now part of the new ransomware operation.

More about NoEscape

As part of its attacks, the NoEscape ransomware steals data and encrypts files on Windows, Linux, and VMware ESXi servers.
  • Since its inception, the ransomware group has listed 10 companies from different verticals on its data leak site.
  • Like other double extortion operations, the attackers threaten to publicly release victims’ files and data if the ransom is not paid.
  • The group demands ransoms ranging from hundreds of thousands of dollars to over $10 million.

Encryption details

  • Upon execution, NoEscape runs a set of commands to delete Windows Shadow Volume Copies and local Windows backup catalogs.
  • It turns off Windows automatic repair and terminates processes associated with security software and backup applications before initiating the encryption process.
  • It encrypts files with specific extensions such as .accdb, .edb, .mdb, .mdf, .mds, .ndf, and .sql. A 10-character extension, unique to each victim, is appended to the encrypted files, and a ransom note is dropped that instructs the victims on how to recover their files.
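The renaming behavior described above gives defenders a simple post-incident triage signal: many files of the targeted types carrying the same newly appended 10-character extension. The following script is an added example written for this article, not code from the researchers or from the malware; it assumes the appended extension is alphanumeric (the article does not say) and uses constructed sample paths.

```python
import re

# File types the article names as encryption targets (not an exhaustive list).
TARGETED_EXTENSIONS = {".accdb", ".edb", ".mdb", ".mdf", ".mds", ".ndf", ".sql"}

# Assumption, not from the article: the per-victim 10-character extension is
# alphanumeric. Widen the character class if your own telemetry differs.
SUFFIX_RE = re.compile(
    r"^(?P<orig>.+?(?P<ext>\.[A-Za-z0-9]+))\.(?P<suffix>[A-Za-z0-9]{10})$"
)

# Constructed sample: Windows paths as a file-integrity scan might report them
# after an incident (one victim-specific suffix across several files).
SAMPLE_PATHS = [
    r"C:\data\sales.mdb.q7Xk2Lp9aZ",
    r"C:\data\hr.accdb.q7Xk2Lp9aZ",
    r"D:\sql\prod.mdf.q7Xk2Lp9aZ",
    r"D:\sql\prod.ldf.q7Xk2Lp9aZ",   # .ldf is not on the article's list
    r"C:\docs\memo.docx",
    r"C:\data\backup.sql",           # targeted type, but not renamed
]


def suspicious_rename(path):
    """Return (original_name, suffix) when the file name looks like a targeted
    file with a 10-character extension appended, otherwise None."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    m = SUFFIX_RE.match(name)
    if m is None or m.group("ext").lower() not in TARGETED_EXTENSIONS:
        return None
    return m.group("orig"), m.group("suffix")


def triage(paths, min_hits=3):
    """Group hits by suffix and keep only suffixes seen on min_hits or more
    files: one suffix repeated across many targeted files is the pattern the
    article describes, whereas a lone match is more likely a false positive."""
    by_suffix = {}
    for p in paths:
        hit = suspicious_rename(p)
        if hit is not None:
            by_suffix.setdefault(hit[1], []).append(p)
    return {s: files for s, files in by_suffix.items() if len(files) >= min_hits}


if __name__ == "__main__":
    for suffix, files in triage(SAMPLE_PATHS).items():
        print(f"suffix {suffix!r} appended to {len(files)} targeted files:")
        for f in files:
            print("   ", f)
```

Feed it the output of a file inventory or EDR file-event export instead of SAMPLE_PATHS to confirm scope before restoring from backup.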

Conclusion

While researchers continue to track NoEscape’s growth, organizations are advised to follow cybersecurity best practices, such as deploying endpoint security solutions and keeping software updated. It’s also advisable to follow the mitigation programs recently launched by CISA, which can help organizations spot and remediate vulnerabilities exploited in ransomware attacks.
Cyware Publisher