HC3 warns of NoEscape ransomware group targeting healthcare sector, linked to defunct Avaddon group

The U.S. Department of Health & Human Services’ Health Sector Cybersecurity Coordination Center (HC3) unit published an analyst note covering NoEscape ransomware, a relatively new entrant to the ransomware ecosystem. The note provides an overview of the group, its possible connections to the Avaddon threat group, an analysis of NoEscape’s ransomware attacks, its target industries and victim countries, sample MITRE ATT&CK techniques, and recommended defenses and mitigations against the ransomware. 

The note identified that the NoEscape ransomware emerged in May this year, but is believed to be a rebrand of Avaddon, a now-defunct ransomware group that shut down in 2021. In the months since, using unique features and aggressive multi-extortion tactics, the group has targeted multiple industries, including the healthcare and public health (HPH) sector. 

“Unlike many of its contemporaries, however, the unknown developers of this ransomware claim that in lieu of using source code or leaks from other established ransomware families, they have constructed their malware and its associated infrastructure entirely from scratch,” the HC3 wrote in a Thursday post. “Their recent activities highlight the prominence and influence they have as a Ransomware-as-a-Service (RaaS) group.”

Since NoEscape operates as a RaaS, its targets vary depending on the affiliate and the buyer. Like many ransomware gangs, its creators do not target the Commonwealth of Independent States (CIS) or former Soviet republics, while disproportionately targeting the U.S. and several European countries as preferred victims. 

HC3 identified that NoEscape may be new to the cyber threat landscape, but in its short existence, it has proven to be a formidable adversary. “Empirical evidence suggests that NoEscape is a rebranding of the Avaddon ransomware gang. However, unlike Avaddon, it has yet to be determined if there is a free decrypter that organizations can use to recover files for free.” 

It added that until then, unless appropriate detection and prevention controls are in place, a successful NoEscape intrusion will almost certainly result in the exfiltration and encryption of significant quantities of data. “The value of HPH data, in particular, signals that the healthcare industry will remain a viable target.” 

The agency detailed that the service allows operators and affiliates to take advantage of multi-extortion tactics, including triple extortion methods to maximize the impact of a successful attack. “This method refers to a three-pronged approach where data exfiltration and encryption are coupled with distributed denial-of-service (DDoS) attacks against the targets in an attempt to disrupt their business and coerce them into paying a ransom. The DDoS service is available for an added $500,000 fee, with the operators imposing conditions that forbid affiliates from striking entities located in CIS countries,” it added. 

Additional mechanisms are in place to reduce the chances of this malware running on hosts that are detected to be in CIS countries, according to the HC3 note. “While examining NoEscape ransomware’s target sectors, it can be inferred that it mostly targets organizations operating in the Professional Services, Manufacturing, and Information industries. However, its indiscriminate targeting of the HPH sector is a worrisome sign that more organizations in this field could be targeted soon. Of the known attack victims, one cybersecurity company noted only two victims in the healthcare sector as having been targeted by NoEscape,” it added. 

In its most basic form, NoEscape ransomware is malicious software that encrypts files on a victim’s computer and demands a ransom in exchange for the decryption key. It typically infiltrates a system either as a file dropped by other malware or as a file unknowingly downloaded by users while visiting suspicious websites. It also distinguishes itself as a RaaS group, a type of ransomware that is offered as a service to other criminals who act as affiliates or customers.  

The HC3 identified that NoEscape ransomware is capable of encrypting data on Windows and Linux machines, as well as VMware ESXi. The Windows build, however, reportedly runs only on Windows NT 10.0 (Windows 10/11 and Windows Server 2016 onwards). The specific implementation and techniques may vary depending on the affiliate or customer using the RaaS. 

“NoEscape is written in C++ and claims to be written from scratch, without recycling code from previous malware samples or ransomware products,” the HC3 said. “This service has an interface which allows the customization of compiled executables, allowing operators to choose whether they want to optimize for speed or thoroughness of encryption, which file paths to prioritize or ignore, and which services to terminate before starting encryption.” 

The HC3 note also detailed that this ransomware variant is compatible with Windows safe mode: a series of scripts can be run to force a victim host to reboot into safe mode, where most third-party services, including endpoint detection and response (EDR) agents, do not start and can therefore be disabled more easily before the encryption routines run. 
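The safe-mode step above is what a defender most wants to catch before the reboot happens. The following is an added example (not code from the HC3 note or from the NoEscape malware) of detection logic run over constructed process-creation events in a Sysmon Event ID 1 style. The HC3 note does not state which commands the scripts use; the example assumes the commonly observed Windows primitives: `bcdedit /set {id} safeboot minimal|network` to arm the safe-mode boot, writes under the `HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal` or `\Network` registry keys so a chosen service still starts in safe mode, and a forced reboot. The hostnames, users, and timestamps are invented.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (Sysmon Event ID 1 reduced to the fields the rules need).
# These are invented for this example and are not from the HC3 note.
SAMPLE_EVENTS = [
    {"ts": "2023-10-19T09:14:02", "host": "HPH-WS-014", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\jdoe\report.txt"},                     # benign
    {"ts": "2023-10-19T09:15:10", "host": "HPH-WS-014", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} safeboot network"},                    # arms safe mode
    {"ts": "2023-10-19T09:15:11", "host": "HPH-WS-014", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg add HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\svc_upd "
                r"/ve /t REG_SZ /d Service /f"},                                # service survives safe mode
    {"ts": "2023-10-19T09:15:40", "host": "HPH-WS-014", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\shutdown.exe",
     "cmdline": "shutdown /r /f /t 0"},                                        # forced reboot
    {"ts": "2023-10-19T11:02:00", "host": "HPH-SRV-03", "user": "CORP\\svc_backup",
     "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /enum"},                                              # benign enumeration
    {"ts": "2023-10-19T11:40:00", "host": "HPH-SRV-03", "user": "CORP\\admin1",
     "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /deletevalue {current} safeboot"},                    # leaving safe mode
]

# Rule patterns. Case-insensitive because cmd.exe does not care about case.
SAFEBOOT_SET = re.compile(r"bcdedit(\.exe)?\s+.*?/set\s+\{[^}]+\}\s+safeboot\s+(minimal|network)", re.I)
SAFEBOOT_CLEAR = re.compile(r"bcdedit(\.exe)?\s+.*?/deletevalue\s+(\{[^}]+\}\s+)?safeboot", re.I)
SAFEBOOT_KEY = re.compile(r"\\Control\\SafeBoot\\(Minimal|Network)\\", re.I)
REBOOT = re.compile(r"shutdown(\.exe)?\s+.*?/r\b", re.I)


def detect_safe_mode_abuse(events, reboot_window=timedelta(minutes=10)):
    """Return a list of alerts for safe-mode boot preparation.

    high:     bcdedit arms a safe-mode boot, or a service/driver is registered under a
              SafeBoot key so it is loaded in safe mode while most EDR agents are not.
    critical: a reboot follows either of the above on the same host within reboot_window;
              after this point the encryption routine can run with protection off.
    low:      the safeboot value is cleared (normal when an admin leaves safe mode, but
              worth logging because ransomware does the same after the encryption pass).
    """
    alerts = []
    last_prep = {}  # host -> timestamp of the most recent high-severity preparation step
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        cmd = ev["cmdline"]
        severity = rule = None
        if SAFEBOOT_SET.search(cmd):
            severity, rule = "high", "bcdedit safeboot configured"
        elif SAFEBOOT_KEY.search(cmd):
            severity, rule = "high", "service registered under SafeBoot key"
        elif SAFEBOOT_CLEAR.search(cmd):
            severity, rule = "low", "safeboot value cleared"
        elif REBOOT.search(cmd):
            prep = last_prep.get(ev["host"])
            if prep is not None and ts - prep <= reboot_window:
                severity, rule = "critical", "reboot after safe-mode preparation"
        if severity == "high":
            last_prep[ev["host"]] = ts
        if severity:
            alerts.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                           "severity": severity, "rule": rule, "cmdline": cmd})
    return alerts


if __name__ == "__main__":
    for a in detect_safe_mode_abuse(SAMPLE_EVENTS):
        print(f'{a["ts"]} {a["host"]:<11} {a["severity"]:<8} {a["rule"]}: {a["cmdline"]}')
```

The reboot on its own is deliberately not an alert; it is the sequence (arm safe mode, register a service, reboot) on one host inside a short window that marks the EDR-evasion step. In production the same logic would read Sysmon or EDR telemetry rather than the constructed list, and a reasonable response to the critical alert is to isolate the host before the reboot completes.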

“As a RaaS tool, NoEscape also comes with other features in addition to the standard file encryption functions, including a Tor admin panel, private chat functions for secret communications, and distributed denial-of-service (DDoS), call, and spam services at extra cost (“Available from $500k”),” it added. 

The note identified that the NoEscape ransomware leaves a ransom note on the victim’s computer, which contains a message to the victim that their network has been hacked and infected by the NoEscape group. “The note serves as a communication channel through which the victims can follow the specified steps to engage with the ransomware developers. The ransom note also contains a “personal ID” required to log in to the threat actor’s Tor payment site and access the victim’s unique negotiation,” it added.

Additionally, “the ransom note usually contains a description of how to purchase the decryption tool from the ransomware developers. The victims are required to pay the ransom in cryptocurrency, and the ransom amount varies depending on the severity of the attack and the specific ransomware variant. In previous attacks, NoEscape ransomware demands ranged between hundreds of thousands of dollars to over $10 million.”

HC3 said that while NoEscape ransomware launched in May this year, it is believed to be a rebrand of Russian-speaking threat actor, Avaddon, a ransomware gang that shut down and released its decryption keys in 2021. The Avaddon ransomware operation launched in June 2020 using phishing campaigns to target corporate victims. However, in June 2021, a month after the Federal Bureau of Investigation and Australian law enforcement released Avaddon advisories, the ransomware gang suddenly shut down its operation and shared victims’ decryption keys with a prominent cybersecurity company in an anonymous tip. 

The agency said that “any direct association of NoEscape ransomware to active Russian-speaking threat actors remains unknown. However, strong evidence of its shared framework with Avaddon and Avaddon’s affiliation with many former Russian-speaking threat actors shows a probable degree of affiliation.” 

“Much like NoEscape, Avaddon had mandatory policies under which its affiliates were prohibited from directing ransomware operations at CIS countries,” it added. 

The HC3 reminded healthcare and public health organizations that protecting against NoEscape ransomware and mitigating the impact of a successful attack starts with regular backups of critical data, stored in a secure location, preferably offline, so that the backups themselves cannot be encrypted or deleted by the ransomware. The agency also suggests keeping software updated, exercising caution with email, as phishing is a common method ransomware operators use to gain initial access, and using strong, unique passwords for all accounts with multi-factor authentication enabled wherever possible. 

It also recommends investing in reliable cybersecurity solutions that offer real-time protection against malware and ransomware threats; and regularly training and educating employees about the dangers of ransomware and how to recognize potential threats. Additionally, organizations must have a well-defined incident response plan in place; refrain from downloading files or software from untrusted sources or websites; and implement firewalls and other network security measures to monitor and control incoming and outgoing network traffic.

Earlier this month, the HC3 unit published a sector alert detailing the Progress Software WS_FTP Server vulnerabilities. Two of the vulnerabilities were rated as critical and are tracked as CVE-2023-40044, which can allow an attacker to execute remote commands, and CVE-2023-42657, a directory traversal vulnerability. The agency ‘encourages patching and upgrading of these devices to prevent serious damage’ to the HPH sector.
