NoEscape Ransomware emerged in 2023 as a ransomware-as-a-service (RaaS) operation. Its encryption routine and deployment tactics closely resemble Avaddon's, which is why it is assessed to be a rebrand or continuation of that group, but it extends the model with both Windows and Linux payloads and a TOR-based platform for victim disclosure. The operation relies on multi-extortion, targets multiple sectors, and maintains a public victim list to pressure payment. #NoEscapeRansomware #Avaddon
Keypoints
- NoEscape operates as a RaaS platform, allowing affiliates to create and manage payloads for Windows and Linux.
- It uses multi-extortion tactics and publicly lists victims on a TOR blog to coerce payment.
- The report suggests NoEscape is a rebranding or continuation of Avaddon, sharing similar encryption logic and configurations.
MITRE Techniques
- [T1133] External Remote Services – NoEscape RaaS uses external remote services to gain initial access. ‘External Remote Services (T1133)’
- [T1078] Valid Accounts – The attack chain includes use of valid accounts for access/persistence. ‘Valid Accounts (T1078)’
- [T1204.002] User Execution: Malicious File – Execution relies on a user opening a delivered payload. ‘User Execution: Malicious File (T1204.002)’
- [T1053.005] Scheduled Task/Job – Use of scheduled tasks for persistence or execution. ‘Scheduled Task/Job (T1053.005)’
- [T1547.001] Registry Run Keys / Startup Folder – Persistence via startup/registry entries. ‘Registry Run Keys / Startup Folder (T1547.001)’
- [T1078] Valid Accounts – Privilege Escalation using valid accounts. ‘Valid Accounts (T1078)’
- [T1562.001] Disable or Modify Tools – Defense evasion by disabling or modifying security tools. ‘Disable or Modify Tools (T1562.001)’
- [T1027.002] Software Packing – Obfuscation/packing of malware to evade detection. ‘Software Packing (T1027.002)’
- [T1055] Process Injection – Injection into processes to hide activity. ‘Process Injection (T1055)’
- [T1070.004] Indicator Removal: File Deletion – Deleting files to remove traces of activity from the host. ‘Indicator Removal: File Deletion (T1070.004)’
- [T1112] Modify Registry – Registry modification for persistence or configuration. ‘Modify Registry (T1112)’
- [T1140] Deobfuscate/Decode Files or Information – Deobfuscation/decoding of data/files. ‘Deobfuscate/Decode Files or Information (T1140)’
- [T1497.001] Virtualization/Sandbox Evasion: System Checks – Evasion via checks for virtualized or sandboxed environments. ‘Virtualization/Sandbox Evasion: System Checks (T1497.001)’
- [T1003] OS Credential Dumping – Credential access via OS credential dumping. ‘OS Credential Dumping (T1003)’
- [T1087] Account Discovery – Discovery of user accounts on systems. ‘Account Discovery (T1087)’
- [T1482] Domain Trust Discovery – Discovering trust relationships within networks. ‘Domain Trust Discovery (T1482)’
- [T1069] Permissions Groups Discovery – Discovering user permission groups. ‘Permissions Groups Discovery (T1069)’
- [T1021] Remote Services – Lateral movement via remote services. ‘Remote Services (T1021)’
- [T1021.001] Remote Desktop Protocol – Use of RDP as a remote service vector. ‘Remote Desktop Protocol (T1021.001)’
- [T1560.001] Archive via Utility – Collected data is staged in archives with a utility before exfiltration. ‘Archive via Utility (T1560.001)’
- [T1071.001] Web Protocols – C2/Exfiltration over web protocols. ‘Web Protocols (T1071.001)’
- [T1567.002] Exfiltration to Cloud Storage – Exfiltration to cloud storage services. ‘Exfiltration to Cloud Storage (T1567.002)’
Indicators of Compromise
- [SHA256] – Hashes of NoEscape samples – 68ff9855262b7a9c27e349c5e3bf68b2fc9f9ca32a9d2b844f2265dccd2bc0d8, 9d346518330eeefbf288aeca7b2b6243bc158415c7fee3f2c19694f0e5f7d51c
- [File Extension] – Encrypted file extensions used by the ransomware – .CCBDFHCHFD, .CBCJDHIHBB, .HJDEJBCFI
- [File] – Windows system DLLs imported by the sample – KERNEL32.dll, SHELL32.dll, CRYPT32.dll (standard libraries present on every Windows host; they characterise the sample's capabilities, such as its use of CryptoAPI, but are not usable as a standalone detection indicator)
- [File] – Ransom note file name appearing in folders – HOW_TO_RECOVER_FILES.TXT
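The following Python sweep is an added example, not code from the SOCRadar report or from the NoEscape operators. It applies the indicators above to a filesystem: it hashes files against the listed SHA256 values, flags files carrying one of the listed encrypted-file extensions, and records every copy of HOW_TO_RECOVER_FILES.TXT. Because the page itself lists three different extensions, the script also includes a heuristic that is an assumption on my part rather than a documented fact: a directory in which several files share one unlisted all-caps extension of similar shape is reported as a suspect cluster. The sample directory tree, the `min_cluster` threshold, and the `.QQWWEERRTT` extension used to exercise the heuristic are all constructed for the demo.

```python
"""Host-side sweep for the NoEscape indicators listed above (added example)."""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Indicators as listed on this page.
NOESCAPE_SHA256 = {
    "68ff9855262b7a9c27e349c5e3bf68b2fc9f9ca32a9d2b844f2265dccd2bc0d8",
    "9d346518330eeefbf288aeca7b2b6243bc158415c7fee3f2c19694f0e5f7d51c",
}
NOESCAPE_EXTENSIONS = {".CCBDFHCHFD", ".CBCJDHIHBB", ".HJDEJBCFI"}
RANSOM_NOTE = "HOW_TO_RECOVER_FILES.TXT"

# Assumption (not stated on the page): other affiliate builds append a similar
# random all-caps extension, so a directory full of files sharing one such
# unlisted extension is reported as a suspect cluster.
RANDOM_EXT_RE = re.compile(r"^\.[A-Z]{8,12}$")


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(root, hashes=NOESCAPE_SHA256, min_cluster=3) -> dict:
    """Walk `root` and return every match against the NoEscape indicators.

    hash_hits    - files whose SHA-256 is in `hashes` (the dropped payload)
    known_ext    - files carrying one of the listed encrypted-file extensions
    ransom_notes - copies of HOW_TO_RECOVER_FILES.TXT
    suspect_dirs - (dir, ext, count) for clusters of an unlisted random extension
    """
    findings = {"hash_hits": [], "known_ext": [], "ransom_notes": [], "suspect_dirs": []}
    for dirpath, _dirs, files in os.walk(root):
        directory = Path(dirpath)
        ext_counts = {}
        for name in files:
            path = directory / name
            if name.upper() == RANSOM_NOTE:
                findings["ransom_notes"].append(str(path))
            ext = path.suffix
            if ext.upper() in NOESCAPE_EXTENSIONS:
                findings["known_ext"].append(str(path))
            elif RANDOM_EXT_RE.match(ext):
                ext_counts[ext] = ext_counts.get(ext, 0) + 1
            try:
                if sha256_of(path) in hashes:
                    findings["hash_hits"].append(str(path))
            except OSError:
                pass  # unreadable file (locked, permissions); keep sweeping
        for ext, count in ext_counts.items():
            if count >= min_cluster:
                findings["suspect_dirs"].append((str(directory), ext, count))
    return findings


def build_demo_tree() -> Path:
    """Constructed sample tree for a dry run; contents are placeholders, not victim data."""
    root = Path(tempfile.mkdtemp(prefix="noescape_demo_"))
    docs = root / "Users" / "alice" / "Documents"
    docs.mkdir(parents=True)
    (docs / RANSOM_NOTE).write_text("constructed placeholder note\n")
    for i in range(3):
        (docs / f"report{i}.docx.CCBDFHCHFD").write_bytes(b"\x00" * 64)
    share = root / "Share"
    share.mkdir()
    for i in range(4):  # unlisted but same-shaped extension, to exercise the heuristic
        (share / f"budget{i}.xlsx.QQWWEERRTT").write_bytes(b"\x01" * 64)
    (root / "clean.txt").write_text("nothing to see\n")
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for key, hits in sweep(demo_root).items():
        print(f"{key}: {len(hits)}")
        for hit in hits:
            print("   ", hit)
```

On a real host, hashing every file is the expensive part; restrict the hash check to executable paths or to recently modified files, and treat the extension and ransom-note hits as the fast first pass. The hash match is exact, so it only catches the two listed builds; a different affiliate build will show up through the extension cluster and the note, not the hash.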
Read more: https://socradar.io/dark-web-profile-noescape-ransomware/