Ransomware Roundup – NoEscape | FortiGuard Labs

FortiGuard Labs’ bi-weekly Ransomware Roundup analyzes NoEscape ransomware, a ransomware‑as‑a‑service group that encrypts and exfiltrates data across Windows, Linux, and ESXi. The operation uses a Tor site and TOX for ransom negotiations and targets multiple sectors including government, energy, and healthcare; Fortinet provides protections and observable indicators to help defenses respond. Hashtags: #NoEscape #Avaddon #Tor #TOX #ESXi #Fortinet

Key Points

  • NoEscape is a financially motivated ransomware group that operates as a Ransomware-as-a-Service (RaaS) program, active since May 2023.
  • The malware encrypts files on Windows, Linux, and ESXi systems and appends a random 10-character uppercase extension to affected files.

MITRE Techniques

  • [T1486] Data Encrypted for Impact – “The ransomware encrypts files on the compromised systems and appends a [random 10-character uppercase alphabet] extension to the affected files.”
  • [T1041] Data Exfiltration – The actor group steals data as part of the operation, before or during encryption: “such as compromising victims, data exfiltration, and encryptor deployments.”
  • [T1071.001] Web Protocols – Victim communication and ransom negotiation take place over Tor and TOX: “The ransom note instructs victims to visit a TOR site for further instructions. The actual ransom negotiation takes place on TOX.”
  • [T1562.001] Impair Defenses – The actor terminates services and processes while deploying the encryptor, which hinders defenses. The summary cites “The ransomware encrypts files on the compromised systems and appends a …” for this behaviour, although the quoted fragment itself describes only the encryption step.

Indicators of Compromise

  • SHA-256 file hashes – Windows version of NoEscape ransomware: 0073414c5a03b20f6f255f400291de67f2a7268c461f90ea6ff0355ca31af07a7, 2020cae5115b6980d6423d59492b99e6aaa945a2230b7379c2f8ae3f54e1efd5, and 16 more hashes in the full report
  • SHA-256 file hashes – Linux version of NoEscape ransomware: 10d2b5f7d8966d5baeb06971dd154dc378496f4e5faf6d33e4861cd7a26c91d7, 21162bbd796ad2bf9954265276bfebea8741596e8fe9d86070245d9b5f9db6da, and 16 more hashes in the full report
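The two observables this page gives a defender to work with are the file-naming behaviour (a random 10-character uppercase extension) and the SHA-256 hashes. The following Python is an added example, not Fortinet's code or tooling: it validates the hashes exactly as printed above before loading them, flags filenames that fit the NoEscape extension pattern in a constructed directory listing, and checks a blob's SHA-256 against the loaded set. The validation step matters here: the first Windows hash as printed on this page is 65 hex characters long, so it is rejected as malformed, which is a reminder to take indicators from the full report rather than a summary. The extension check is a heuristic for triage only, since any file with a ten-letter uppercase suffix will match.

```python
import hashlib
import re

# SHA-256 indicators copied from this roundup page (two per platform, as listed;
# the page says 16 more exist per platform but does not print them).
PAGE_IOC_HASHES = {
    "windows": [
        "0073414c5a03b20f6f255f400291de67f2a7268c461f90ea6ff0355ca31af07a7",
        "2020cae5115b6980d6423d59492b99e6aaa945a2230b7379c2f8ae3f54e1efd5",
    ],
    "linux": [
        "10d2b5f7d8966d5baeb06971dd154dc378496f4e5faf6d33e4861cd7a26c91d7",
        "21162bbd796ad2bf9954265276bfebea8741596e8fe9d86070245d9b5f9db6da",
    ],
}

# A well-formed SHA-256 hex digest is exactly 64 hex characters.
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

# NoEscape appends a random 10-character uppercase extension (per the Key Points above).
# Anchored at end of string so an 11-letter suffix or an inner ".ABCDEFGHIJ." does not match.
NOESCAPE_EXT_RE = re.compile(r"\.[A-Z]{10}$")


def validate_hashes(hashes):
    """Split a hash list into well-formed SHA-256 digests and rejects.

    Returns (valid_set, rejected_list); rejects keep their normalised form so
    they can be reported back to whoever supplied the indicator list.
    """
    valid, rejected = set(), []
    for h in hashes:
        h = h.strip().lower()
        if SHA256_RE.match(h):
            valid.add(h)
        else:
            rejected.append(h)
    return valid, rejected


def load_page_iocs():
    """Load every hash printed on this page, validating each one."""
    valid, rejected = set(), []
    for hashes in PAGE_IOC_HASHES.values():
        v, r = validate_hashes(hashes)
        valid |= v
        rejected.extend(r)
    return valid, rejected


def has_noescape_extension(filename):
    """True if the filename ends in a 10-letter uppercase extension."""
    return bool(NOESCAPE_EXT_RE.search(filename))


def find_suspicious_names(filenames):
    """Return the subset of filenames matching the NoEscape extension pattern."""
    return [f for f in filenames if has_noescape_extension(f)]


def sha256_of_bytes(data):
    return hashlib.sha256(data).hexdigest()


def matches_ioc(data, ioc_set):
    """True if the SHA-256 of the given bytes is in the indicator set."""
    return sha256_of_bytes(data) in ioc_set


# Constructed sample listing (not from the report): what a share might look like
# after an encryptor has run over part of it.
SAMPLE_LISTING = [
    "budget-2023.xlsx",
    "budget-2023.xlsx.QWERTYUIOP",   # 10 uppercase letters: flagged
    "photo.JPEG",                    # normal short uppercase extension: not flagged
    "notes.txt.ABCDEFGHIJK",         # 11 letters: not flagged by the strict pattern
    "HOW_TO_RECOVER_FILES.TXT",      # ransom-note style name, but no 10-letter suffix
    "backup.tar.gz.ZXCVBNMASD",      # 10 uppercase letters: flagged
]


if __name__ == "__main__":
    valid, rejected = load_page_iocs()
    print(f"loaded {len(valid)} valid hashes, rejected {len(rejected)} malformed")
    for r in rejected:
        print(f"  malformed indicator ({len(r)} chars): {r}")
    for name in find_suspicious_names(SAMPLE_LISTING):
        print(f"  suspicious filename: {name}")
    print("sample blob matches IoC:", matches_ioc(b"constructed sample bytes", valid))
```

Run as a script to see the rejected 65-character hash and the two flagged filenames; in practice `find_suspicious_names` would be fed an `os.listdir` or file-server audit export, and `matches_ioc` the bytes of a quarantined binary.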

Read more: https://www.fortinet.com/blog/threat-research/ransomware-roundup-noescape