A couple of years ago, the Avaddon ransomware group announced its shutdown by releasing decryption keys for over 3,000 victims. However, after analysing the NoEscape ransomware operation, researchers suggest that a rebranded version of the group is again active in the cybercriminal landscape.
Based on reports, the encryptor used by NoEscape is nearly identical to Avaddon's, with some notable alterations. Moreover, researchers claimed that the operators switched to Salsa20 for file encryption instead of the AES algorithm.
NoEscape ransomware borrowed some of its features from Avaddon.
According to investigations, the NoEscape ransomware group has adopted the configuration file and directives utilised by Avaddon.
On the other hand, some researchers believe that NoEscape bought the source code of Avaddon's encryptor. Either way, some of Avaddon's members may have moved to NoEscape.
Regarding the attack chain, the NoEscape ransomware group steals information and encrypts files on VMware ESXi, Linux, and Windows servers. In addition, since it began operating, the group has already listed ten firms from different sectors on its data leak website.
The threat actors threaten to publicly release victims' files and data if they do not comply with their demands and pay the ransom. The group demands ransoms ranging from hundreds of thousands of dollars to over $10 million.
For the group’s encryption details, NoEscape executes commands to remove Windows Shadow Volume Copies and local Windows backup catalogues.
Next, it turns off Windows automatic repair and stops processes linked with security software and backup apps before starting the encryption process. The researchers observed that NoEscape prioritises encrypting files with specific extensions, such as .mdb, .edb, .mdf, .accdb, .mds, .ndf, and .sql.
Finally, the attackers append a 10-character extension, unique to each victim, to the encrypted files and drop a ransom note that instructs victims on how to recover their files.
Numerous researchers are keeping track of NoEscape's activities. Organisations should follow cybersecurity hygiene best practices, such as deploying endpoint security solutions and keeping software up to date. Users should also follow the mitigation guidance published by law enforcement agencies to avoid these threats.
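As an added defensive example (not code from the article or from any researcher's tooling), the following Python flags the pre-encryption steps described above in constructed process-creation log events and raises a host-level alert only when several distinct steps occur within a short window. The exact command strings matched (vssadmin, wbadmin, bcdedit) are assumptions about common Windows tooling, not quoted from the report.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Pre-encryption behaviours attributed to NoEscape, mapped to regexes over
# process command lines. The command strings are assumptions (common Windows
# utilities), not taken from the article.
PREP_BEHAVIOURS = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "backup_catalog_deletion": re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    "auto_repair_disabled": re.compile(
        r"bcdedit(\.exe)?.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
}

# Constructed sample process-creation events (host, timestamp, command line).
SAMPLE_EVENTS = [
    {"host": "SRV01", "ts": datetime(2023, 7, 1, 10, 0, 0), "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "SRV01", "ts": datetime(2023, 7, 1, 10, 0, 5), "cmdline": "wbadmin delete catalog -quiet"},
    {"host": "SRV01", "ts": datetime(2023, 7, 1, 10, 0, 10), "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"host": "WS07", "ts": datetime(2023, 7, 1, 11, 30, 0), "cmdline": "vssadmin list shadows"},
    {"host": "FS02", "ts": datetime(2023, 7, 1, 9, 0, 0), "cmdline": "vssadmin delete shadows /for=C: /oldest"},
]


def classify(cmdline):
    """Return the sorted list of behaviour tags a single command line matches."""
    return sorted(name for name, rx in PREP_BEHAVIOURS.items() if rx.search(cmdline))


def correlate(events, window=timedelta(minutes=10), min_behaviours=2):
    """Per host, alert when >= min_behaviours distinct behaviours occur within `window`.

    A lone shadow-copy deletion (e.g. FS02 above) is often admin activity; the
    combination with backup-catalog removal and repair disabling is the signal.
    """
    per_host = defaultdict(list)
    for ev in events:
        for tag in classify(ev["cmdline"]):
            per_host[ev["host"]].append((ev["ts"], tag))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            seen = {tag for t, tag in hits[i:] if t - t0 <= window}
            if len(seen) >= min_behaviours:
                alerts[host] = seen
                break
    return alerts


if __name__ == "__main__":
    for host, tags in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(sorted(tags))}")
```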